en6 (Joined: 24 Jul 2012, Total Posts: 14)
02 Aug 2012 06:04 PM
This thread explains everything about the new exploit. It is aimed at scripters. If you're not a scripter, you won't understand anything here and that's not my problem.
First, you need to know that, about 8 months ago, NecroBumpist found a Lua bytecode exploit that used a flaw in the Lua bytecode verifier. It was able to access any upvalue of any Lua or C function. He used bytecode for this. He was able to do this by breaking the Lua calling conventions and making a function that was put at the end of the stack, making it possible for that function to steal the values of any other function.
He reported it about a year ago to ROBLOX, but the ROBLOX team seemingly didn't care much, so he decided to release it to all of us.
Please read this thread before continuing (note: an explanation of the bytecode is included in it on the second page):
http://www.roblox.com/Forum/ShowPost.aspx?PostID=57817090
As you obviously know if you are a scripter, the default environment doesn't contain the global functions; instead, its metatable does. However, that metatable is locked, meaning you can't usually access these. Because of this, ROBLOX decided to make that metatable be the same for all scripts, to save memory.
However, with NecroBumpist's magical bytecode exploit, you can steal values from the getmetatable function, meaning you can actually get the metatable of the environment... and edit it.
This means you can, for example, edit the 'print' function or the 'script' variable in every script. And by "every script", I mean EVERY script, including the CoreScripts...
Then, some user (apparently, it was RenderSettings, though I can't confirm this) found out that some CoreScript used the print function when a player leaves (judging it's when a player leaves, I'd say it's the player list CoreScript).
This means that, by using NecroBumpist's exploit, you can edit the print function to make CoreScripts run anything. And, as you should know, CoreScripts can do much more than normal scripts...
If you know how to script, then I do not need to explain anything else, and I will not give you the code because you can obviously re-create it yourself easily, since you have read that other thread I gave you a link to and since you have read my explanation.
Of course, 95% of the credit for this exploit goes to NecroBumpist. The rest of it goes to the user who thought about using it to modify the print function.
02 Aug 2012 06:07 PM
10/10
Well done.
If anyone can list specific usages of the bytecode exploit, I'd love to see them.
en6 (Joined: 24 Jul 2012, Total Posts: 14)
02 Aug 2012 06:08 PM
@NecroBumpist
Stealing the metatable of stuff is pretty much the most useful thing you can do.
02 Aug 2012 06:08 PM
@Necro
- RobloxLocked no longer applies
- Level 7 access
- Able to use any function implemented
- Do pretty much anything that the corescripts are allowed to do
Seranok (Joined: 12 Dec 2009, Total Posts: 11083)
02 Aug 2012 06:08 PM
As far as the print function goes:
- using it to change the Player.Name to something else
- using it to change Player.userId to something else
- muting a Player with Player:SetSuperSafeChat(true)
en6 (Joined: 24 Jul 2012, Total Posts: 14)
02 Aug 2012 06:09 PM
I have a favor to ask of whoever reads this...
Can anyone make a library of all the upvalues used by most of the common methods in ROBLOX?
You see, I'm asking this because I think these could be useful for knowing better how these methods actually work. Knowledge is always useful, and considering ROBLOX isn't open source, who knows, this might be useful one day...
02 Aug 2012 06:11 PM
@Seranok
You can do much, much more...
You can edit locked properties. So you can change your character appearance. Want to use HttpGet/HttpPost? No problem. Add guests in a forever loop? It's been done. Make other players chat bad things? You betcha.
Basically, you can do anything that is available in the object browser... and more.
Seranok (Joined: 12 Dec 2009, Total Posts: 11083)
02 Aug 2012 06:12 PM
Hmm, I tried to do game:HttpGet but it didn't seem to work.
en6 (Joined: 24 Jul 2012, Total Posts: 14)
02 Aug 2012 06:14 PM
"So you can change your character appearance."
The CharacterAppearance property isn't and has never been locked.
Tarabukka (Joined: 18 Jan 2011, Total Posts: 394)
02 Aug 2012 06:44 PM
Any DLL nub can easily give himself a teapot turret if they manage to find an ID that has it on ATM (xSCENEx)
axle5657 (Joined: 01 Jul 2011, Total Posts: 25)
02 Aug 2012 07:52 PM
I wasn't actually using Necro's bytecode. I actually didn't even know he found the same exploit I did... I was actually talking on ##codelab on FreeNode (Camoy, tiffany, and Madoka) and Madoka made me that simple stack-clean-up function which I used to rawaccess the metatable without invoking the __metatable metamethod. 2) I'm sorry for accidentally leaking the exploit; many people stole it from me on a SB. While I'm at it, I should mention that I didn't *just* use it on an SB, and also used it to award the first 20k users the Last Egg hat, random SB'ers most of the rare eggs, along with this account, Shedletsky, and a couple others the End Of Days egg. I also kinda used it to steal the serverscript's accesskey to friend request Roblox, and started that entire shenanigan on RT with Roblox's Friends a month or so ago, along with stealing the anti-exploit from SFoTH (Nice anti-exploit btw, telemon!) ...Pl0x don't ban admins?
Anyways, they unlinked the Eggs and the badges, so that's no longer a problem, and also broke the Friend Request system in game, and now script kiddies are running around with level 6 server-sided code that can steal places and do direct httpgets. Basically, roblox, fix yo gaem.
02 Aug 2012 07:57 PM
Also, more clarification: the script I am hooking into is actually /Game/ServerScript.ashx, so it has direct access to the badge-awarding system and such, and it is triggered when a player joins, leaves, or dies, which is why it's the easiest. I was BEFORE hooking into game by creating a proxy functioner, but the problem with that was I couldn't use Game:HttpGet without incurring a feedback loop =P
02 Aug 2012 08:00 PM
"Also, more clarification, the script I am hooking into is actually /Game/ServerScript.ashx"
I did think about that, but I thought it was actually completely separate from the rest and wouldn't be affected by the change...
I guess I was wrong.
Sorcus (Joined: 29 Nov 2010, Total Posts: 3775)
02 Aug 2012 08:02 PM
Well, that's cool. Bytecode go bai bai. Easiest fix. Next is removing all the other exploits, which is happening like real soon.
~Sorcus
02 Aug 2012 08:03 PM
@Julien I'm not entirely sure the CoreScripts have either 1) access to HttpGet or 2) a call to an object that is stored in the metatable environment, so I didn't try to hook those. I actually did accidentally hook into the Visit:SetPing function, since it sends an httpget ping to some logging service every 60 seconds, but that is local only and doesn't have access to the badgeservice or anything server-sided.
Legend26 (Joined: 08 Sep 2008, Total Posts: 10586)
02 Aug 2012 08:03 PM
@Sorcus,
Could you at least tell us what has identity levels 3, 6 and 7?
02 Aug 2012 08:03 PM
@Sorcus
Please tell me you're separating studio and player.
02 Aug 2012 08:03 PM
@§orcus
So all this exploiting is finally going to be fixed? YAY!
02 Aug 2012 08:05 PM
@Sorcus Ok, silly question time: was that actually you at Oxcool's SB when I changed your name to 'I'm stupid' and set my name to 'Shedletsky', along with a couple people to 'ROBLOX', 'Sorcus', etc.? If so, we should do that again sometime =P Either way, you really should do that patch quickly, since more and more script kiddies are stealing it from oxcool, and the mods don't seem to like people messing with the servers, judging from the warning I got to cut out spawning 1000 roblox clones.
02 Aug 2012 08:06 PM
So, to clarify, bytecode no longer works?
02 Aug 2012 08:08 PM
Wait, if using Game:HttpGet and the bytecode exploit, wouldn't you be able to alter the html of a page? I know a certain user (can't remember their name) did this, and changed the status of the player who joined their game to the id of their game... I just can't remember their name, anyone?