12packkid | Joined: 24 Jun 2011 | Total Posts: 1418
30 Oct 2014 09:01 AM
Okay, so I was busy trying to escape some script builder sandboxes, dunno why. I went to test this on some other weak sandboxes, and this actually escaped them. But yeah, would this be an ideal approach to escaping a sandbox?
local oxSandbox1,oxSandbox2,oxSandbox3 = getfenv(),getfenv(0),getfenv(1)
-- their metatables are locked, but still gonna print them anyway
print(getmetatable(oxSandbox1),getmetatable(oxSandbox2),getmetatable(oxSandbox3))
local s1,s2,s3 = oxSandbox1,oxSandbox2,oxSandbox3
coroutine.wrap(function()
    setfenv(s1,{})
    setfenv(s2,{})
end)()
rawset(s1,"testKey","1")
rawset(s2,"testKey","2")
if rawget(s1,"testKey") then
    print"Bypassed sandbox"
else
    error"Sandbox not bypassed!"
end
if rawget(s2,"testKey") then
    print"Bypassed sandbox2"
else
    error"Sandbox not bypassed"
end
setmetatable(0,{__index=function()error"noPls"end,__newindex=function()error"noPls"end,__metatable="Locked"})
setmetatable(1,{__index=function()error"noPls"end,__newindex=function()error"noPls"end,__metatable="Locked"})
print(getmetatable(s1),getmetatable(s2))

12packkid | Joined: 24 Jun 2011 | Total Posts: 1418
30 Oct 2014 09:02 AM
Ooops, sorry, that one is broken. This is the correct one:
local oxSandbox1,oxSandbox2,oxSandbox3 = getfenv(),getfenv(0),getfenv(1)
-- their metatables are locked, but still gonna print them anyway
print(getmetatable(oxSandbox1),getmetatable(oxSandbox2),getmetatable(oxSandbox3))
local s1,s2,s3 = oxSandbox1,oxSandbox2,oxSandbox3
coroutine.wrap(function()
    setfenv(0,{})
end)()
rawset(s1,"testKey","1")
rawset(s2,"testKey","2")
if rawget(s1,"testKey") then
    print"Bypassed sandbox"
else
    error"Sandbox not bypassed!"
end
if rawget(s2,"testKey") then
    print"Bypassed sandbox2"
else
    error"Sandbox not bypassed"
end
setmetatable(0,{__index=function()error"noPls"end,__newindex=function()error"noPls"end,__metatable="Locked"})
setmetatable(1,{__index=function()error"noPls"end,__newindex=function()error"noPls"end,__metatable="Locked"})
print(getmetatable(s1),getmetatable(s2))

Procellus | Joined: 28 Oct 2014 | Total Posts: 1525
30 Oct 2014 01:33 PM
God, what sandboxes could you bypass with this?

12packkid | Joined: 24 Jun 2011 | Total Posts: 1418
30 Oct 2014 01:52 PM
idk, i went to a couple of script builders. it broke them for sure, though.

morash | Joined: 22 May 2010 | Total Posts: 5834
31 Oct 2014 02:38 PM
There's always a good reason to set setfenv and getfenv to nil when you're trying to sandbox something. :P
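
The advice in the post above, withholding getfenv and setfenv from sandboxed code, generalises to running each untrusted chunk in an allowlisted environment. The following is an added example, not code from this thread or from any script builder it mentions; it assumes Lua 5.1 (where getfenv/setfenv exist), and make_env, run_untrusted and the probe strings are hypothetical names and constructed inputs.

```lua
-- Added example, Lua 5.1. make_env and run_untrusted are hypothetical names.

-- Shallow-copy a library table so sandboxed code cannot alter the host's copy.
local function copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Fresh allowlisted environment per chunk. Deliberately absent: getfenv, setfenv,
-- rawget, rawset, getmetatable, setmetatable, loadstring, require, coroutine, debug.
local function make_env()
  local env = {
    print = print, pairs = pairs, ipairs = ipairs, next = next,
    tostring = tostring, tonumber = tonumber, type = type,
    select = select, unpack = unpack, pcall = pcall, error = error,
    math = copy(math), string = copy(string), table = copy(table),
  }
  env._G = env -- _G is the sandbox table itself, never the host globals
  return env
end

local function run_untrusted(src)
  -- Source text only: refuse precompiled chunks, which start with ESC (byte 27).
  if src:byte(1) == 27 then return false, "bytecode rejected" end
  local chunk, err = loadstring(src, "=untrusted")
  if not chunk then return false, err end
  setfenv(chunk, make_env()) -- host-side call; the chunk never sees setfenv
  return pcall(chunk)
end

-- Constructed probes modelled on the calls in the thread's snippet.
local probes = {
  'return getfenv(0)',
  'setfenv(0, {})',
  'rawset(_G, "testKey", "1")',
  'coroutine.wrap(function() setfenv(0, {}) end)()',
  '_G.print = nil', -- succeeds, but only changes this chunk's private table
  'return string.rep("ok", 2)',
}
for _, src in ipairs(probes) do
  local ok, res = run_untrusted(src)
  print(ok, res, "<-", src)
end

-- Host globals are untouched by any probe.
assert(type(print) == "function" and rawget(_G, "testKey") == nil)
```

The first four probes fail with a "nil value" error because the names are simply not in the environment; the fifth succeeds but only edits the chunk's own table.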

Seranok | Joined: 12 Dec 2009 | Total Posts: 11083
31 Oct 2014 04:42 PM
> would this be an ideal approach to escaping a sandbox?
No because any strong sandbox won't be vulnerable to this.

12packkid | Joined: 24 Jun 2011 | Total Posts: 1418
31 Oct 2014 04:59 PM
How would you escape one then? I'm trying to break oxcool1's script builder sandbox, but that is probably the strongest one I've seen.

31 Oct 2014 05:36 PM
But it won't work if you use something like Anaminus's SB, which is different.

qzok | Joined: 27 Oct 2014 | Total Posts: 39
31 Oct 2014 06:20 PM
If you can't break a sandbox then ur a script kiddie Lol

rtrn | Joined: 15 Jun 2015 | Total Posts: 1601
01 Apr 2016 09:53 PM
when i did it all i really needed to do was rawget(getfenv(require()),'require')(332153003) but i forget exactly how i did it all i know is i was able to do it with something similar to rawget(getfenv(require()),'require')(332153003)