Roblox RCE exploit (2022) - TypeID-based Remote/Arbitrary Code Execution
USED FOR SUBMISSION TO ROBLOX VULNERABILITY REPORT. DISCLOSED FOR EDUCATIONAL PURPOSES. - AMBER SINGH
GNAA International: Documentation and Tutorial on ROBLOX Studio RCE exploit
The exploit relies on three parts of the RBXM binary format:
- its chunk structure, including the SIGN chunk that carries the signature of a signed model or plugin,
- the PROP chunk, which holds the values of one property for every instance of one class, and
- the TypeID, a 1-byte integer at the start of each PROP chunk's value data that selects how the values are encoded; one particular TypeID value is what makes the claimed RCE possible.
This vulnerability, as described here, lets any plugin distributed through the Roblox marketplace execute arbitrary shellcode on the machine running Studio, plant reverse shells, and otherwise gain machine-instruction level access from inside the Luau VM.
What is an RCE
A remote code execution (RCE) vulnerability lets a malicious user:
- install and run reverse shells
- run commands and shell scripts
- gain machine-instruction level access
and a lot more
Every Roblox binary format (.rbxm/.rbxl) file starts with a fixed header (the magic <roblox!, a format version, and class and instance counts) followed by a sequence of chunks: META, SSTR, INST, PROP, PRNT, SIGN and END. Each chunk has a 4-byte name, a compressed length, an uncompressed length and a reserved field; when the compressed length is non-zero the chunk body is LZ4-compressed (newer files may use zstd). The TypeID lives inside the PROP chunks, and any Luau opcodes live inside the property values those chunks carry, not in the file header.
The TypeID does not describe the file as a whole; it describes the data type of the property values that follow it in a PROP chunk. Each type is a small integer: 0x01 is String, 0x02 is Bool, 0x03 is Int32, and so on up through 0x1C for SharedString. In one instance however, a certain TypeID seems to make Studio consult the file's SIGN chunk once it is loaded. That TypeID is 0x1D, the type reserved for Bytecode. By disassembling how Studio handles a PROP chunk with TypeID 0x1D you can realize that by changing some properties (extremely extensively too) you will be able to load Luau VM bytecode directly, not into the workspace character, but into the computer itself.
This can allow actors to grab the Chrome saved-passwords export (Passwords.csv), read, store and inject new keys in the registry via regedit, and do basically anything.
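The check a defender or plugin reviewer wants for the description above is a scanner that walks the file and flags the TypeID in question. The script below is added here as an example; it is not part of the original writeup or of any Roblox tooling. It parses the RBXM header and chunk table according to the publicly documented binary layout, reports whether a SIGN chunk is present, and lists every PROP chunk whose TypeID byte is 0x1D (Bytecode). The sample file at the bottom is constructed by hand (chunks stored uncompressed, with a made-up byte string standing in for bytecode), and the lz4/zstandard imports are optional assumptions, only needed to look inside compressed chunks.

```python
import struct

# Fixed file header: 8-byte magic followed by a 6-byte signature.
MAGIC = b"<roblox!\x89\xff\x0d\x0a\x1a\x0a"
ZSTD_MAGIC = b"\x28\xb5\x2f\xfd"
TYPE_BYTECODE = 0x1D          # documented type ID for Luau bytecode values
TYPE_NAMES = {0x01: "String", 0x02: "Bool", 0x03: "Int32", 0x04: "Float32",
              0x05: "Float64", 0x1C: "SharedString", 0x1D: "Bytecode"}


def decompress_chunk(comp_len, uncomp_len, payload):
    """Return the chunk body, or None if it is compressed and no codec is installed."""
    if comp_len == 0:                       # stored uncompressed
        return payload
    if payload.startswith(ZSTD_MAGIC):      # newer files may use zstd
        try:
            import zstandard                # assumption: optional dependency
        except ImportError:
            return None
        return zstandard.ZstdDecompressor().decompress(payload, max_output_size=uncomp_len)
    try:
        import lz4.block                    # assumption: optional dependency
    except ImportError:
        return None
    return lz4.block.decompress(payload, uncompressed_size=uncomp_len)


def iter_chunks(data):
    """Yield (name, body) for every chunk; body is None when it could not be decoded."""
    if not data.startswith(MAGIC):
        raise ValueError("not an RBXM/RBXL binary file")
    # header = magic(14) + version u16 + class count i32 + instance count i32 + 8 reserved
    pos = 14 + 2 + 4 + 4 + 8
    while pos + 16 <= len(data):
        name = data[pos:pos + 4]
        comp_len, uncomp_len, _reserved = struct.unpack_from("<III", data, pos + 4)
        pos += 16
        size = comp_len if comp_len else uncomp_len
        payload = data[pos:pos + size]
        pos += size
        yield name, decompress_chunk(comp_len, uncomp_len, payload)
        if name == b"END\0":
            break


def parse_prop_header(body):
    """PROP chunk header: u32 class id, length-prefixed property name, u8 type id."""
    class_id, name_len = struct.unpack_from("<II", body, 0)
    prop_name = body[8:8 + name_len].decode("utf-8", "replace")
    type_id = body[8 + name_len]
    return class_id, prop_name, type_id


def scan_rbxm(data):
    """Summarise the file: SIGN chunk present? which properties use the Bytecode type?"""
    findings = {"has_sign_chunk": False, "bytecode_props": [], "unreadable_chunks": 0}
    for name, body in iter_chunks(data):
        if name == b"SIGN":
            findings["has_sign_chunk"] = True
        if body is None:
            findings["unreadable_chunks"] += 1     # compressed, codec missing
            continue
        if name == b"PROP":
            class_id, prop_name, type_id = parse_prop_header(body)
            if type_id == TYPE_BYTECODE:
                findings["bytecode_props"].append((class_id, prop_name))
    return findings


# --- constructed sample file (not a real Roblox artifact) ---------------------
def _chunk(name, body):
    """Store a chunk uncompressed: compressed length 0, uncompressed length = len(body)."""
    return name + struct.pack("<III", 0, len(body), 0) + body


def _prop(class_id, prop_name, type_id, values):
    name = prop_name.encode()
    return struct.pack("<II", class_id, len(name)) + name + bytes([type_id]) + values


SAMPLE = (
    MAGIC + struct.pack("<Hii", 0, 1, 1) + b"\0" * 8
    + _chunk(b"PROP", _prop(0, "Name", 0x01, struct.pack("<I", 6) + b"Script"))
    + _chunk(b"PROP", _prop(0, "Source", TYPE_BYTECODE, b"\x03fake"))   # placeholder bytes
    + _chunk(b"SIGN", b"")
    + _chunk(b"END\0", b"</roblox>")
)

if __name__ == "__main__":
    for class_id, prop in scan_rbxm(SAMPLE)["bytecode_props"]:
        print(f"class {class_id}: property {prop} uses TypeID {TYPE_BYTECODE:#x} "
              f"({TYPE_NAMES[TYPE_BYTECODE]})")
```

Run it against a real .rbxm exported from Studio to see whether any PROP chunk uses 0x1D at all; an unreadable-chunk count above zero means the file uses compression and you need the optional codec to finish the scan.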
HOW TO EXPLOIT
- Open an RBXM file in a hex editor (or generate one). Chunk bodies are normally LZ4-compressed, so decompress the PROP chunk first, or rewrite it with a compressed length of 0 so it is stored uncompressed.
- In the PROP chunk for Script.Source, change the TypeID byte from 0x01 (String) to 0x1D (Bytecode).
- Append the bytecode you want loaded as the property's value and update the chunk's length fields.
Doing this at runtime (changing and tampering with instructions directly) is a bit harder, but if you're skilled enough, good luck lol.
If you have a Luau bytecode explorer, you can write a simple script that injects a Python reverse shell and gain full access.
If you are interested in backdooring games, you can now backdoor many games en masse.
If you are interested in sociopathy, you can propose a GitHub commit to a Roblox plugin with the RCE payload and launch a supply chain attack.
The world is your oyster.