- Subject: Re: tostring userdata
- From: Sean Conner <sean@...>
- Date: Wed, 3 Jul 2019 02:11:40 -0400
It was thus said that the Great Patrick Donnelly once stated:
> On Tue, Jul 2, 2019, 6:03 PM Sean Conner <email@example.com> wrote:
> > I'd like to see a proof-of-concept before I worry about that. I mean, I
> > can always do
> > x = 0xcbc5c0
> > which *is* a valid address on a running instance of Lua on my system. Or
> > 0xb7d7f000 or 0x00cbe040 or any number of other values.
> I'm not talking about numbers of course. If you have knowledge ... then
> you can use that to write assembly code ... to execute code. That's
> assuming you can write arbitrary data ... and that you have an attack
> vector to cause that code to be executed (maybe possible with poorly
> written libraries).
I personally don't believe that just knowing an address is dangerous in
and of itself. Just like a virus can't spread via images.
> I nearly got far enough to do this in WoW back in the
> day when I was breaking any sandbox I could find. At the time, I was trying
> to exploit getting access to the Lua registry which gave access to some
> interesting WoW internals. I don't recall exact details.
> https://www.lua.org/bugs.html#5.1.3-1
Wow! You were busy.
> > -spc (And no, loading a special C module to exploit this won't cut it)
> Why not? A Lua sandbox in some application presumably has some C modules
> which may be quite... special. :)
Yeah, but a module specifically written to be exploited is not the same
thing as exploiting a module *not* written to be exploited (or expected to
be exploited). It's like shooting fish in a barrel---not much sport in it,
-spc (Now, the commonly used method of mixing parameters with return
addresses on the same stack is a dumb idea, but I can see why
it was done ... )
Oh wait ... you can on Windows, because MICROSOFT EXPLICITLY CHECKED
FOR CODE IN IMAGES TO EXECUTE! There's little hope when MBAs
Did I just counter my own argument? I don't know.