This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit | |
## Original exploit by corsix and sghctoma | |
## Author: @c3c | |
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode | |
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486 | |
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different | |
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf | |
## This code is much the same, except the process is done using pwntools' DynELF | |
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version |