lua-users home
lua-l archive

On Fri, 2019-07-05 at 17:28 -0500, Coda Highland wrote:
> If you want to run native code without permission, you have to trick
> the CPU into jumping to memory you control. The typical procedure
> these days is to use what's called "return-oriented programming"
> because the return stack is the only thing that can arbitrarily
> impact program flow that's also writable memory. It's easy enough to
> trigger a crash this way, but if you want a ROP to do anything
> useful, you need to know the address of useful code, and ASLR thwarts
> the obvious ways of doing this.
> 
> /s/ Adam

Crashing is also a major problem and, according to your idea, is possible
even without a known address (the thing you're complaining about). Sounds
like the part which allows one to either trigger a crash or exploit a vulnerability
is the real problem here.

So go on and show a POC exploit which can crash Lua this way (we'll thank
you). Only plaintext does count, as bytecode is unprotected by design
and has already been proven to be able to do arbitrary
jumps: https://saelo.github.io/posts/pwning-lua-through-load.html.

If I'm not mistaken, that exploit is based on what you're talking
about. But good luck doing so in non-precompiled Lua.

-- 
v <v19930312@gmail.com>
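The thread's point that precompiled bytecode is unprotected by design has a simple mitigation on the host side: never hand untrusted chunks to `load` in a mode that accepts binary. The snippet below is an added example and not code from the thread or from Lua itself; it assumes Lua 5.2 or later (where `load` takes a mode argument), and the `safe_load` helper name is my own.

```lua
-- Added example (not from the thread): refuse binary chunks when loading
-- untrusted Lua source. Assumes Lua 5.2+ (load with a mode argument).
local BYTECODE_SIG = "\27Lua"   -- LUA_SIGNATURE, the prefix of every bytecode chunk

-- Compile an untrusted chunk as text only, with an empty environment.
-- Returns the compiled function, or nil plus an error message.
local function safe_load(src, name)
  if src:sub(1, #BYTECODE_SIG) == BYTECODE_SIG then
    return nil, "refusing to load precompiled bytecode"
  end
  -- mode "t": the loader itself rejects a binary chunk even if the prefix
  -- check above were somehow bypassed; env {} denies access to globals.
  return load(src, name or "=untrusted", "t", {})
end

-- Plain source compiles and runs as expected.
local f, err = safe_load("return 1 + 2")
assert(f and f() == 3, err)

-- A bytecode chunk (constructed here with string.dump) is refused.
local bc = string.dump(function() return 42 end)
local g, err2 = safe_load(bc)
assert(g == nil, "bytecode should have been refused")
print("safe_load:", err2)

-- Even without the prefix check, load's mode "t" alone refuses binary chunks.
local h, err3 = load(bc, "=bc", "t")
assert(h == nil)
print("load mode 't':", err3)
```

With the default mode ("bt") the same `load(bc)` call would accept the bytecode, which is exactly the surface the linked write-up relies on.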