This repo serves as a collection of possible ways how to execute potentially malicious code on Windows with various Lua implementations and possible ways how to mitigate them at the source-code-level, or Lua-level. If you are trying to sandbox your Lua implementation, then this repository may serve you as a primer to see what types of behaviour to protect against. The list of exploits and mitigations is certainly not complete.
Contributions of new exploit types, mitigations, or Lua implementations are definitely welcome.
The type of exploit considered in this benchmark so far is writing a file to a path predefined in the settings. All the "exploits" included here are
harmless in the sense their only behaviour is to try to write to that file using various methods. However, arming these exploits with malicious payloads
is quite easy, as most of them try to spawn an instance of cmd.exe to write to the file.
This benchmark only runs on Windows. You need to have Git and a recent version of Python installed before running the software. Internet access is required to download the other dependencies for this benchmark (the Python code does this automatically):
- w64devkit to compile the Lua implementations and exploits
- source code tarballs of different PUC-Lua versions
- After getting a copy of this repository, clone the submodules of this repository (which are the LuaJIT and Luau implementations).
git submodule update --init --recursive- Install Python dependencies from the
requirements.txtusing any Python workflow you are already using, recommend using a virtual environment.
pip install -r requirements.txt- Run the benchmark. From the root directory of this benchmark, run the
benchmodule.
python -m bench --helpShows the help and all possible command-line options with their descriptions.
python -m bench --helpTests a single Lua implementation, single exploit and single mitigation.
python -m bench --interpreter lua-5.4.6 --exploit std_os_execute --mitigation stdlibrary_sandboxTests all Lua implementations, all exploits and all mitigations implemented. This takes around 10 minutes to complete.
python -m bench --all-interpreters --all-exploits --all-mitigationsThese are the supported Lua implementations of this benchmark:
- PUC-Lua
- 5.1.5 (
lua-5.1.5) - 5.2.4 (
lua-5.2.4) - 5.3.6 (
lua-5.3.6) - 5.4.6 (
lua-5.4.6)
- 5.1.5 (
- LuaJIT
- 4f8736 (
luajit-4f8736) - v2.1.0-beta3 (
luajit-v2.1.0-beta3) - v2.1-ROLLING (
luajit-rolling)
- 4f8736 (
- Luau
- 0.606 (
luau)
- 0.606 (
- Bytecode Exploits
- LuaJIT-4f8736 bytecode exploit by corsix (
bytecode_corsix)
- LuaJIT-4f8736 bytecode exploit by corsix (
- FFI Exploits
- Spawning a process using the CreateProcess function from Win32 API (
ffi_createprocess) - Loading a DLL using the
ffi.loadfunction (ffi_load) - Running Windows shellcode from an area of memory made executable by the VirtualAlloc Win32 API (
ffi_virtualalloc)
- Spawning a process using the CreateProcess function from Win32 API (
- Standard Library Exploits
- Using Lua
io.writefunction to write to an arbitrary file (std_io_write) - Using Lua
os.executefunction to run arbitrary process (std_os_execute)
- Using Lua
Keep in mind these mitigations are proofs of concepts and there is no guarantee they will make your Lua implementation secure.
- Source code patches
- disabling bytecode (
disable_bytecode) - disabling FFI for LuaJIT interpreters (
disable_ffi) - replacing some C Standard Library functions with "safe" variants (
stdlibrary_sandbox)- just a simple POC, only
fwriteandsystemare replaced
- just a simple POC, only
- disabling bytecode (
- Lua-level mitigations
- kikito's sandbox.lua (
kikito_sandbox)
- kikito's sandbox.lua (
This project has been financially supported by a Red Hat scholarship for open-source projects. Thank you for the support!