
As anyone who has tracked Lua 5.2's development will likely know, the
bytecode verifier was removed, and the responsibility shifted to the
end-developer to ensure that bytecode from untrusted sources couldn't
be loaded. To show just how important this responsibility is, I've
written up a pure Lua module for the default Lua 5.2 (-work4)
interpreter which can read and write arbitrary memory locations. The
only thing standing between this and a generic
arbitrary-code-execution exploit is DEP (hardware/OS level memory page
protection preventing where code can be executed from).

The code is available at:
http://www.corsix.org/lua/bytecode_abuse_0_1.lua
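
A defensive counterpart to the responsibility described in the post, as an added example that is not part of the original message: in released Lua 5.2, `load` accepts a mode argument, and `"t"` restricts it to text chunks. The `load_untrusted` helper and the `sandbox` table are hypothetical names, and the inputs are constructed.

```lua
-- Added example: text-only loader for chunks from untrusted sources (Lua 5.2+).
-- load_untrusted and sandbox are hypothetical names, not part of any library.

local ESC = "\27"  -- first byte of the precompiled-chunk signature "\27Lua"

local function load_untrusted(src, chunkname, env)
  if type(src) ~= "string" then
    return nil, "chunk must be a string"
  end
  -- Explicit pre-check: a precompiled (binary) chunk starts with ESC.
  if src:sub(1, 1) == ESC then
    return nil, "binary chunks are not accepted"
  end
  -- Mode "t" makes load itself refuse binary chunks as a second barrier;
  -- env replaces the global environment the chunk can see.
  return load(src, chunkname or "=untrusted", "t", env or {})
end

-- Constructed inputs: one source chunk and one precompiled chunk.
local sandbox = { print = print }
local text_chunk = "return 1 + 1"
local binary_chunk = string.dump(function() return 1 + 1 end)

-- The source chunk compiles and runs inside the restricted environment.
local f = load_untrusted(text_chunk, "=text", sandbox)
assert(f and f() == 2)

-- The precompiled chunk is rejected before it reaches the loader.
local g, err = load_untrusted(binary_chunk, "=binary", sandbox)
assert(g == nil)
print(err)

-- load with mode "t" rejects the same input without the pre-check.
local h, load_err = load(binary_chunk, "=binary", "t", sandbox)
assert(h == nil)
print(load_err)
```

Keep `load`, `loadfile`, `dofile` and `require` out of the environment handed to untrusted code, otherwise a script can call them itself without the mode restriction.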