Skip to content

Instantly share code, notes, and snippets.

@GaryKnegrowGNAA
Created Nov 10, 2022
Embed
What would you like to do?
TeleportService Buffer Overflow

Buffer Overflow Exploit in TeleportService

GNAA International: Documentation of existing Buffer Overflow exploit

This exploit relies on a memory allocation error in TeleportService. When firing TeleportService to a game ID that does't exist (e.g. Sexland) and using a memory inspector you will find that the error callback has a much more longer error without much given context. Given that TPService is paired with normal operable code, it is possible to use memcpy() to evalulate shellcode to replace normal working code, and therefore achieve code execution.

This exploit only works with exploiters as normal people are not able to and should not be able to fire TPS. However, a working POC will be developed for games soon.

POC 1:

local shellcode = 'ENCODED SHELLCODE HERE'

game:GetService('TeleportService'):Teleport('Ambatukam', setmetatable({}, {__gc = function() 
	local sex = require'sex'
	sex.C.memcpy(nil, shellcode, #shellcode) -- evalulate shellcode var by calling a Lua-C function
end}))

It is possible to abuse this by obfuscating a small snippet and achieving RCE firing commands such as wget.

Output of POC 1:

$ ls -l
total 40
-rw-rw-r-- 1 User User  6228 Oct 29 10:10 gayniggerib
-rw-rw-r-- 1 User User  4567 Oct 29 19:18 library.lua
-rw-rw-r-- 1 User User   255 Oct 29 21:29 funny.lua

$ ./funny.lua
$

How to Exploit

Edit and change components of POC 1 and write or use shellcode encoder, then spread the virus on forums. Enjoy.

GNAA International

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment