ESCAPING THE LUA 5.2 SANDBOX WITH UNTRUSTED BYTECODE

Recommendations

Info

Digression: Lua tagged values (TValues) Each value in Lua is 12 bytes * local a = "hello, world" local b = 1337 * Typically, as we'll see soon First field: union between several different datatypes (8 bytes/64 bits, because numbers in Lua are doubles) Heap TString "hello, world" Second field: type tag to identify how to read the union (4 bytes/32 bits) Each function's local variable stack is just an array of TValues, which grows up Lua stack (TString *)0xdeadbeef (double)1337 0x04 0x03 Value Tag
What you probably want to do You probably want to call os.execute or another os.execute("/bin/sh") interesting function with some Text Would be nice if we could craft arbitrary TValues, because we can point one anywhere in the Lua stack (lua_CFunction *) 0x16 0xdeadbeef binary if we can defeat ASLR, and then call it
Page 1 and 2: ESCAPING THE LUA 5.2 SANDBOX WITH U
Page 3 and 4: A quick introduction to the Lua 5.2
Page 5 and 6: Why Lua bytecode can be unsafe Form
Page 7 and 8: Building tools to escape the sandbo
Page 9: Defeating ASLR: Hard mode What if:
Page 13 and 14: Unexpected defense: LUA_NANTRICK Ea
Page 15 and 16: Type confusion in the Lua VM: SETLI
Page 17 and 18: Reading from arbitrary memory Can j
Page 19 and 20: The nuclear option: Breadth-first s
Page 21 and 22: Useful tools LuaAssemblyTools (LAT)
Page 23 and 24: Takeaways Don't load untrusted byte
Page 25: THANK YOU!

ESCAPING THE LUA 5.2 SANDBOX WITH UNTRUSTED BYTECODE

Create successful ePaper yourself

Delete template?

Save as template?