
@GaryKnegrowGNAA
Created November 10, 2022 09:23
Roblox UAF/Dangling Pointer exploit

ROBLOX Studio Use-After-Free Pointer Vulnerability

Disclosed.

GNAA International: Documentation and Tutorial on Use-After-Free Pointer vulnerability exploit

A UAF (Use-After-Free) exploit allows for a malicious attacker to trace the callstack of an ongoing process with interception programs. For example, a memory address such as 0x1FB591K902F that points to const 20, a 1-byte integer when traced can reveal an OPCODE, which when disassembled or decompiled can reveal instructions, listed in Assembly for further attack(s).

Explanation

An RBXM binary file, when decompiled, reveals a .exml file that contains widgets and file headers. As explained in the RCE vulnerability, all headers are followed by file chunks, such as

  • PROP

which is followed by the TypeID, an integer that spans one byte. Assuming the declaration of const 10 in the instruction is 16 bytes, the callstack can be traced back with Intel's PTRACE feature.

PTrace (Intel) allows for tracing CPU-based BPs and FUNCs.

By using PTrace to track the callstack of the model's calls, you can notice that a dangling pointer is present when you delete an RBXM file from game.Workspace.

CALLSTACK 1

memadd   func              args
0x1      foo()             1
0x2      bar()             2
0x3      *0x2 (pointer)    inherit bar.arg()

Notice that at address 0x3, a pointer that has been deleted will, when the RBXM call function bar() is called, still contain the freed-up arguments and memory, leaving a dangling pointer that can be escalated to code substitution.

By placing an interrupt function to start a breakpoint on 0x3, you will notice the callstack can be easily traced back, similar to a tree.

Now you can simply enter new data and wait for the system to allocate memory for the object you entered data in, causing code substitution. The freed-up allocated memory is now used as a payload for an attack.
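The dangling-pointer condition described in the callstack above, shown as an added C example that is not part of the original gist and has nothing to do with RBXM internals: a constructed Frame struct stands in for the bar() call frame, release_unsafe() is the pattern that leaves the caller holding a freed address, and release_safe() is the defensive pattern (clear the pointer at the point of free so a later use is a NULL check rather than a use-after-free). The demo_* function names are assumptions for this example only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the bar() frame in the page's callstack table. */
typedef struct {
    int arg;
    char name[16];
} Frame;

/* Unsafe pattern: free() returns the memory, but the caller's copy of the
 * pointer still holds the old address. Anything that reads through it later
 * is a use-after-free (AddressSanitizer flags such reads at runtime). */
static void release_unsafe(Frame *f) {
    free(f);
}

/* Safe pattern: take the address of the caller's pointer and clear it after
 * free(), so the handle cannot be reused silently. */
static void release_safe(Frame **pf) {
    if (pf == NULL || *pf == NULL) return;
    free(*pf);
    *pf = NULL;
}

/* Reads the frame argument if the handle is live, -1 if it was released. */
static int read_arg(const Frame *f) {
    if (f == NULL) return -1;
    return f->arg;
}

/* Safe lifecycle: allocate, use, release, then try to read again.
 * Returns -1, proving the handle is dead rather than dangling. */
int demo_safe(void) {
    Frame *f = calloc(1, sizeof *f);
    if (f == NULL) return -2;           /* allocation failure */
    f->arg = 2;
    strcpy(f->name, "bar");
    release_safe(&f);
    return read_arg(f);                 /* -1: pointer was cleared */
}

/* Unsafe lifecycle: after release_unsafe() the pointer is non-NULL but the
 * memory is gone. Returns 1 if the handle is left dangling. The freed
 * pointer's value is compared, never dereferenced. */
int demo_unsafe_dangles(void) {
    Frame *f = calloc(1, sizeof *f);
    if (f == NULL) return -2;
    f->arg = 2;
    release_unsafe(f);
    int dangling = (f != NULL);         /* 1: address retained, memory freed */
    f = NULL;                           /* discard the stale handle */
    return dangling;
}

int main(void) {
    printf("safe read after release: %d\n", demo_safe());
    printf("unsafe release leaves dangling pointer: %d\n", demo_unsafe_dangles());
    return 0;
}
```

The defensive point is ownership: whichever function frees an object must also invalidate every handle to it, or the next caller inherits stale memory exactly as the 0x3 row in the table describes. Building with `-fsanitize=address` turns any remaining stale read into an immediate diagnostic instead of silent reuse.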

Payloads can usually be interpreted and used similarly to an XSS payload, such as

) \n end os.execute('calc')

How to Exploit

The UAF vulnerability allows the malicious actor to inject arbitrary memory addresses and chunks, which allows for a completely remote-based vector for achieving RCE. Install something like Radare2 or Ghidra, then start reverse engineering an RBXM and see if you can achieve code execution (ACE).

Then follow the instructions in the documentation above and you should be able to craft a malicious RBXM.

GNAA INT
