Load wrapper loophole [CC1.8 and some earl...
EveryOS 24 Mar 2018
```lua
local fenv = getfenv(load)        -- the environment the load wrapper resolves its globals in
fenv._G = fenv
fenv.error = function() end       -- the wrapper's error() call becomes a no-op
setfenv(load, fenv)
-- mode "b" is requested, the silenced check no longer rejects it, the binary chunk runs
load(string.dump(function() print("HI") end), "X", "b", _G)()
```
See "more correct" revision of code below. It does not affect _G, unlike this version.
This shouldn't work...
Edited by EveryOS, 26 March 2018 - 03:13 PM.
Lupus590 24 Mar 2018
b flag in load function is for binary chunks, which should be blocked by the bios
What version of CC is this, have you replicated the issue on latest?
Edited by Lupus590, 24 March 2018 - 12:59 PM.
SquidDev 24 Mar 2018
EveryOS 24 Mar 2018
Lupus590, on 24 March 2018 - 12:58 PM, said:
should be blocked by the bios
Though I cannot show you that I have not modified the environment, you can try it for yourself.
BTW,
SquidDev, on 24 March 2018 - 03:03 PM, said:
you can't actually exploit bytecode at all.
Lyqyd, on 19 August 2015 - 12:10 AM, said:
Obfuscated downloads are not allowed.
Edited by EveryOS, 25 March 2018 - 01:20 AM.
EveryOS 25 Mar 2018
More "correct" version of the code that will not override the global env. The previous code still shows the point, but was not 100% correct.
```lua
local fenv = {}
for k, v in pairs(getfenv(load)) do fenv[k] = v end   -- copy the wrapper's environment instead of editing _G
fenv._G = fenv
fenv.error = function() end       -- the wrapper's error() call becomes a no-op in the copy only
setfenv(load, fenv)
-- mode "b" is requested, the silenced check no longer rejects it, the binary chunk runs
load(string.dump(function() print("HI") end), "X", "b", _G)()
```
Previously _G.error would be overridden; this still shows the point without doing that.
Edited by EveryOS, 25 March 2018 - 12:02 AM.
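To make the mechanism behind the two posts above concrete, here is an added example that is not code from the thread or from the ComputerCraft bios. It builds a hypothetical "weak" load wrapper that rejects non-text modes by calling error() through its global environment, the environment-swap bypass generalised into a function, and a hardened wrapper that captures every builtin it depends on as an upvalue and pins the mode to "t". It assumes the mix the thread relies on: a 5.2-style load(chunk, name, mode, env) together with 5.1-style getfenv/setfenv and string.dump, as CC's LuaJ provides; the names weakload, bypass and hardload are this example's own.

```lua
-- Added example (not from the thread or the CC bios). Assumes a 5.2-style
-- load(chunk, name, mode, env) plus 5.1 getfenv/setfenv and string.dump.

local nativeload = load

-- Hypothetical weak wrapper: rejects non-text modes, but resolves error()
-- through its function environment at call time and forwards the caller's
-- mode unchanged to the native loader.
local function weakload(x, name, mode, env)
    if mode ~= nil and mode ~= "t" then
        error("bad argument #3 (binary chunks are not allowed)", 2)
    end
    return nativeload(x, name, mode, env)
end

-- The thread's technique as a function: copy the wrapper's environment,
-- replace error() with a no-op, swap the copy in, then ask for mode "b".
-- The real _G is left untouched, as in the "more correct" version.
local function bypass(wrapper, bytecode)
    local fenv = {}
    for k, v in pairs(getfenv(wrapper)) do fenv[k] = v end
    fenv._G = fenv
    fenv.error = function() end
    setfenv(wrapper, fenv)
    return wrapper(bytecode, "X", "b", _G)
end

-- Hardened wrapper: error, type and the native loader are captured as
-- upvalues when the function is defined, so setfenv on the wrapper cannot
-- reach them, and the mode passed on is always "t" whatever the caller said.
local hardload
do
    local error, type, nativeload = error, type, load
    hardload = function(x, name, mode, env)
        if type(x) ~= "string" and type(x) ~= "function" then
            error("bad argument #1 (expected string or function)", 2)
        end
        if mode ~= nil and mode ~= "t" then
            error("bad argument #3 (binary chunks are not allowed)", 2)
        end
        return nativeload(x, name, "t", env)
    end
end

-- Constructed payload: a harmless function dumped to bytecode.
local bytecode = string.dump(function() return "bytecode ran" end)

-- 1. The weak wrapper refuses mode "b" when called normally.
print("weak, direct:", pcall(weakload, bytecode, "X", "b", _G))

-- 2. After the environment swap the check is silent and the chunk executes.
local chunk = bypass(weakload, bytecode)
print("weak, bypassed:", chunk())

-- 3. The same swap against the hardened wrapper still raises the error,
--    because its error() is an upvalue, not an environment lookup.
print("hard, bypassed:", pcall(bypass, hardload, bytecode))

-- 4. Even if the mode check were silenced some other way, pinning the mode
--    to "t" means the native loader refuses the chunk instead of running it.
print("native, mode t:", nativeload(bytecode, "X", "t", _G))
```

The point the thread is circling is that a sandbox wrapper must not depend on anything the caller can reach through getfenv: binding the builtins it needs as upvalues and pinning the mode are two independent fixes, and either one alone is enough to stop the swap shown here.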
apemanzilla 26 Mar 2018
EveryOS, on 24 March 2018 - 09:53 PM, said:
SquidDev, on 24 March 2018 - 03:03 PM, said:
you can't actually exploit bytecode at all.
Lyqyd, on 19 August 2015 - 12:10 AM, said:
Obfuscated downloads are not allowed.
That's not really an exploit, and regardless, you can do that with source code to the same effect.
EveryOS 26 Mar 2018
But still, I would think there would be a point to the (rather badly coded) load wrapper.
Also, bytecode is still further from readable than source code. Plus, if you convert the hard-to-read source code to bytecode, it's even harder to read.
Edited by EveryOS, 26 March 2018 - 03:20 PM.
ardera 30 Mar 2018
EveryOS, on 24 March 2018 - 09:53 PM, said:
Bytecode exploit: write a script that deletes all files, compile it to bytecode, base64 it, write what appears to be an installer, de-base64 it at runtime, and pass the result into the hacked load.
That's way sneakier than de-base64-ing some string and loading it.