

It was thus said that the Great Patrick Donnelly once stated:
> On Tue, Jul 2, 2019, 6:03 PM Sean Conner <sean@conman.org> wrote:
> 
> >   I'd like to see a proof-of-concept before I worry about that.  I mean, I
> > can always do
> >
> >         x = 0xcbc5c0
> >
> > which *is* a valid address on a running instance of Lua on my system.  Or
> > 0xb7d7f000 or 0x00cbe040 or any number of other values.
> 
> I'm not talking about numbers of course. If you have knowledge ... then
> you can use that to write assembly code ... to execute code. That's
> assuming you can write arbitrary data ... and that you have an attack
> vector to cause that code to be executed (maybe possible with poorly
> written libraries).

  I personally don't believe that just knowing an address is dangerous in
and of itself.  Just like a virus can't spread via images [2][3].

> I nearly got far enough to do this in WoW back in the
> day when I was breaking any sandbox I could find. At the time, I was trying
> to exploit getting access to the Lua registry [1] which gave access to some
> interesting WoW internals. I don't recall exact details.
> 
> [1] https://www.lua.org/bugs.html#5.1.3-1

  Wow!  You were busy.

>   -spc (And no, loading a special C module to exploit this won't cut it)
> 
> Why not? A Lua sandbox in some application presumably has some C modules
> which may be quite... special. :)

  Yeah, but a module specifically written to be exploited is not the same
thing as exploiting a module *not* written to be exploited (or expected to
be exploited).  It's like shooting fish in a barrel---not much sport in it.

  -spc (Now, the commonly used method of mixing parameters with return
	addresses on the same stack is a dumb idea, but I can see why
	it was done ... )

[2]	Oh wait ... you can on Windows, because MICROSOFT EXPLICITLY CHECKED
	FOR CODE IN IMAGES TO EXECUTE!  There's little hope when MBAs
	override engineers.

[3]	Did I just counter my own argument?  I don't know.