@GaryKnegrowGNAA
Created November 10, 2022 09:22
Roblox Studio RCE

Roblox RCE exploit (2022) - TypeID-based Remote/Arbitrary Code Execution

USED FOR SUBMISSION TO ROBLOX VULNERABILITY REPORT. DISCLOSED FOR EDUCATIONAL PURPOSES. - AMBER SINGH

GNAA International: Documentation and Tutorial on ROBLOX Studio RCE exploit

TL;DR

The exploit relies on the RBXM binary format's signed chunks (SIGN), the PROP chunk that follows them (a file chunk that holds the Roblox properties themselves) and indicates how the binary file is used, and the TypeID, a 1-byte integer that makes the RCE possible through different file indications. This vulnerability allows any plugin in the ROBLOX marketplace to remotely execute arbitrary shell code, inject reverse shells, and do anything (gain machine-instruction-level access) with the Luau VM.

What is an RCE

A remote code execution (RCE) vulnerability allows malicious users to run and install:

  • Reverse Shells
  • RATs
  • Run commands and shell scripts
  • Gain machine-instruction access

and a lot more

INTRO

In every Roblox binary format (.rbxm/.rbxl) file, a file header is present that corresponds with the later chunks (PROP, SIGN), including TypeIDs, opcodes, etc. A TypeID indicates how the file is used, for example UDim, Vector3, __index, etc. Each TypeID corresponds to a hexadecimal value. In one instance, however, a certain TypeID seems to return a SIGN file header once called. By disassembling TypeID 0x1D you can see that, by changing some properties (quite extensively too), you are able to load Luau VM bytecode directly, not into the workspace character, but into the computer itself.

This can allow actors to grab the Chrome Passwords.csv file directly, read, store and inject new keys in the registry (regedit), and do basically anything.
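A defensive triage check, added here and not part of the gist: the script below parses the chunk table of an .rbxm/.rbxl file and reports every PROP chunk whose TypeID byte is 0x1D, the value the gist singles out, so a downloaded plugin or model can be flagged before it is opened in Studio. The header and chunk layout are assumed from the community rbx-dom binary-format notes, chunk bodies are handled only when raw or LZ4-block compressed (not ZSTD), and the function names are my own.

```python
import struct
# Layout per the community rbx-dom binary-format notes (assumption: bodies are raw or LZ4-block; no ZSTD).
RBXM_MAGIC = b"<roblox!\x89\xff\r\n\x1a\n"
BYTECODE_TYPE_ID = 0x1D   # the PROP TypeID the gist singles out

def _lz4_len(src, i, n):
    # A 4-bit length of 15 is extended by following bytes until one is not 255.
    if n == 15:
        while src[i] == 255:
            n += 255; i += 1
        n += src[i]; i += 1
    return n, i

def lz4_block_decompress(src, out_len):
    """Minimal LZ4 block decoder (no frame header), enough for RBXM chunk bodies."""
    dst, i = bytearray(), 0
    while i < len(src):
        token = src[i]; i += 1
        lit, i = _lz4_len(src, i, token >> 4)
        dst += src[i:i + lit]; i += lit
        if i >= len(src):             # final sequence carries literals only
            break
        offset = src[i] | (src[i + 1] << 8); i += 2
        mlen, i = _lz4_len(src, i, token & 0x0F)
        for _ in range(mlen + 4):     # byte-wise copy so overlapping matches work
            dst.append(dst[-offset])
    if len(dst) != out_len:
        raise ValueError("LZ4 output length mismatch")
    return bytes(dst)

def iter_chunks(data):
    """Yield (chunk_name, decompressed_body) for each chunk of an .rbxm/.rbxl blob."""
    if not data.startswith(RBXM_MAGIC):
        raise ValueError("not an RBXM/RBXL binary file")
    pos = 32   # 14-byte magic + version(u16) + two u32 counts + 8 reserved bytes
    while pos + 16 <= len(data):
        name, clen, ulen, _ = struct.unpack_from("<4sIII", data, pos)
        pos += 16
        body, pos = data[pos:pos + (clen or ulen)], pos + (clen or ulen)
        yield name, (lz4_block_decompress(body, ulen) if clen else body)

def find_bytecode_props(data):
    """Return (class_id, property_name) for every PROP chunk whose TypeID is 0x1D."""
    hits = []
    for name, body in iter_chunks(data):
        if name == b"PROP":
            class_id, name_len = struct.unpack_from("<II", body, 0)
            if body[8 + name_len] == BYTECODE_TYPE_ID:
                hits.append((class_id, body[8:8 + name_len].decode("utf-8", "replace")))
    return hits
```

Run it over a file with `find_bytecode_props(open(path, "rb").read())`; a non-empty result means the file carries a bytecode-typed property and deserves a closer look, not that it is malicious.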

HOW TO EXPLOIT

  1. Use a hex editor or get an RBXM file
  2. Change Script.Source from 0x01 to 0x1D
  3. Append any bytecode to it
  4. Enjoy!

It will be a bit hard to do at runtime (changing and tampering with instructions directly), but if you're skilled enough, good luck lol

If you have a Luau bytecode explorer, you can write a simple script that injects a Python reverse shell and gain full access.

If you are interested in backdooring games, you can now backdoor many games en masse.

If you are interested in sociopathy, you can propose a GitHub commit to a Roblox plugin with the RCE payload and launch a supply chain attack.

the world is your oyster

GNAA INTERNATIONAL
