ESCAPING THE LUA 5.2 SANDBOX WITH UNTRUSTED BYTECODE

Recommendations

Info

Defeating ASLR: Hard mode The FORLOOP technique causes you to end up with a very strange value in IEEE 754 double precision Split it into two double-precision values, each holding 32 bits, and find the integral representation of each with some math – doubles can hold any unique 32-bit value If we can find a reference to any C function, we can now defeat ASLR Original work by @corsix: https://gist.github.com/corsix/6575486
Type confusion in the Lua VM: SETLIST Another instruction of interest: SETLIST Used in table initializers with a list of values local arr = {1, 2, 3, 4} Critically, assumes that its argument is actually a pointer to a table Scary "runtime check" macros in the source that say otherwise, but they all go away if you preprocess the source in release mode gcc -E | clang-format is your friend when looking at open-source software
Page 1 and 2: ESCAPING THE LUA 5.2 SANDBOX WITH U
Page 3 and 4: A quick introduction to the Lua 5.2
Page 5 and 6: Why Lua bytecode can be unsafe Form
Page 7 and 8: Building tools to escape the sandbo
Page 9 and 10: Defeating ASLR: Hard mode What if:
Page 11 and 12: What you probably want to do You pr
Page 13: Unexpected defense: LUA_NANTRICK Ea
Page 17 and 18: Reading from arbitrary memory Can j
Page 19 and 20: The nuclear option: Breadth-first s
Page 21 and 22: Useful tools LuaAssemblyTools (LAT)
Page 23 and 24: Takeaways Don't load untrusted byte
Page 25: THANK YOU!

ESCAPING THE LUA 5.2 SANDBOX WITH UNTRUSTED BYTECODE

Create successful ePaper yourself

Delete template?

Save as template?