- Subject: Re: tostring userdata
- From: Sean Conner <sean@...>
- Date: Fri, 5 Jul 2019 19:50:51 -0400
It was thus said that the Great Coda Highland once stated:
> On Fri, Jul 5, 2019 at 4:56 PM Sean Conner <email@example.com> wrote:
> > It was thus said that the Great Patrick Donnelly once stated:
> > > But, ASLR can't help if the scripting language voluntarily
> > > gives away this information (the address location of the heap or
> > > strings) to scripts.
> > Please, I implore you, *give a proof-of-concept* here, because otherwise
> > it's a pointless change because of cargo cult understanding of attacks.
[ Mention of Webkit exploits deleted because it's Webkit, NOT Lua]
[ Mention of ROP and ASLR deleted because it's been mentioned before]
> This means that one of the first things that an exploit is going to need to
> do is discover an address to a known data structure, and then it can start
> computing offsets from there. In Lua, one of the best options available
> would be the string metatable, because it contains pointers to native-code
> functions baked into the binary.
> On any reasonably secure platform, this is difficult. Usually you have to
> exploit a buffer overflow or a use-after-free or some similar technique in
> order to trick the program into writing the address somewhere you can
> access. But if you can just say "hey, interpreter, could you please tell me
> the address of string.concat?" and it comes back with "you seem like a fine
> gentleprogram, here you go!" then you've just skipped the hardest part of
> kicking off an exploit chain.
Okay, how about a proof-of-concept *written in Lua*, text only (because
precompiled Lua code is dangerous, there are proof-of-concepts of that) that
will execute arbitrary code, just from an address one can get from
tostring() or string.format("%p") (both will return an address, so obviously
tostring() must go, right?).
-spc (I keep asking for a "proof-of-concept" but I keep getting "here's
how it *could* be done". I'm sorry, I want to "see it" being done.
It should be trivial in Lua given an actual address, right?)
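Added example for readers of this thread, not code from the thread or from the Lua distribution: the mitigation Patrick's position implies for a host that embeds Lua, which is to stop handing raw heap addresses to untrusted scripts rather than to remove tostring(). It wraps the tostring() and string.format() that a sandboxed chunk sees, returning only the type name for tables, functions, userdata and coroutines that carry no script-defined __tostring, and refusing the "%p" conversion (which exists only in Lua 5.4). It assumes Lua 5.3 or 5.4, and sandbox_env is a hypothetical environment table the host would pass to load(chunk, name, "t", sandbox_env).

```lua
-- Added example, not from the thread. Wraps tostring() and string.format so a
-- sandboxed script sees no heap addresses for tables, functions, userdata or
-- coroutines. Assumes Lua 5.3/5.4; sandbox_env is a hypothetical environment
-- table that a host would pass to load(chunk, name, "t", sandbox_env).

local raw_tostring = tostring
local raw_format   = string.format

-- Types whose default tostring() text is "<type>: 0x<address>".
local opaque = { table = true, ["function"] = true, userdata = true, thread = true }

local function has_tostring_hook(v)
  local mt = getmetatable(v)          -- may be a non-table if __metatable is set
  return type(mt) == "table" and mt.__tostring ~= nil
end

-- tostring replacement: keeps script-defined __tostring output, otherwise
-- returns only the type name for address-bearing values.
local function safe_tostring(v)
  if opaque[type(v)] and not has_tostring_hook(v) then
    return type(v)
  end
  return raw_tostring(v)
end

-- Walks the format string directive by directive ("%%" is an escaped percent,
-- not a directive) and reports whether any conversion is %p.
local function has_pointer_conversion(fmt)
  local i = 1
  while true do
    local s = fmt:find("%", i, true)
    if not s then return false end
    if fmt:sub(s + 1, s + 1) == "%" then
      i = s + 2
    else
      -- flags, width, precision, then the conversion letter
      local _, e, conv = fmt:find("^[%-%+ #0]*%d*%.?%d*(%a)", s + 1)
      if conv == "p" then return true end
      i = (e or s) + 1
    end
  end
end

-- string.format replacement: refuses %p and pre-converts address-bearing
-- arguments, because %s uses the C-level tostring, not the Lua global.
local function safe_format(fmt, ...)
  if has_pointer_conversion(fmt) then
    error("'%p' conversion is disabled in this sandbox", 2)
  end
  local args = table.pack(...)
  for k = 1, args.n do
    local a = args[k]
    if opaque[type(a)] and not has_tostring_hook(a) then
      args[k] = type(a)
    end
  end
  return raw_format(fmt, table.unpack(args, 1, args.n))
end

-- Hypothetical sandbox environment: the globals the host chooses to expose.
local sandbox_env = setmetatable({
  tostring = safe_tostring,
  string   = setmetatable({ format = safe_format }, { __index = string }),
}, { __index = _G })

-- Demonstration in the host, using the same wrappers the sandbox would see.
local t = {}
assert(safe_tostring(t) == "table")
assert(safe_format("%s and %d%%", t, 5) == "table and 5%")
assert(safe_tostring(setmetatable({}, { __tostring = function() return "obj" end })) == "obj")
assert(not pcall(safe_format, "%p", t))
assert(safe_format("100%%p") == "100%p")
print(safe_tostring(t), safe_format("%5.2f %s", 3.14159, print))
```

Two caveats a host author should keep in mind: the method-call form ("%p"):format(t) resolves through the shared string metatable, so its __index must also be pointed at sandbox_env.string for the wrapper to apply; and a value whose metatable sets __metatable to a non-table is treated as having no __tostring hook, which is the conservative choice here.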