Alexis Lecam AstonishedLiker

@daily3014
daily3014 / getextentssize.luau
Last active September 24, 2025 20:18
GetExtentsSize for Parts
-- Original from https://devforum.roblox.com/t/getextentssize-of-one-part-without-model/404945/7
-- 300% faster than original
--!native
--!optimize 2
--!strict
local function GetPartExtentsSize(Part: BasePart): Vector3
  local Size: Vector3 = Part.Size
  local SX: number, SY: number, SZ: number = Size.X, Size.Y, Size.Z
@daily3014
daily3014 / randomservice_poc.luau
Last active November 22, 2025 22:49
RandomService: Bruteforcing the RNG state
local Seed = 568182
local RNGState = Random.new(Seed)
-- The seed is unknown to the exploiter at this point
local function Advance(Seed)
  math.randomseed(Seed or math.random(1, 1000))
  for i = 1, math.random(1, 3) do
    if math.random() > 0.5 then
      continue
@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / main.md
Last active November 24, 2025 05:36
bypassing blocked function protections using corescripts

author: James Napora.


roblox and exploit fundamentals

  • corescripts have RobloxScript permissions on Roblox.
  • exploit function protections do not run on any threads except exploit threads.
  • roblox has several permission levels: None, Plugin, LocalUser, RobloxScript and Roblox.
  • actors on Roblox run whenever a script under it has a client run context, e.g. local scripts, scripts with RunContext.Client and corescripts.
  • scripts under actors share the same global state

Ultimate Beginner's Guide to Proxmox GPU Passthrough

mirror of The Ultimate Beginner's Guide to GPU Passthrough (Proxmox, Windows 10) by /u/cjalas

>Welcome all, to the first installment of my Idiot Friendly tutorial series! I'll be guiding you through the process of configuring GPU Passthrough for your Proxmox Virtual Machine Guests. This guide is aimed at beginners to virtualization, particularly for Proxmox users. It is intended as an overall guide for passing through a GPU (or multiple GPUs) to your Virtual Machine(s). It is not intended as an all-exhaustive how-to guide; however, I will do my best to provide you with all the necessary resources and sources for the passthrough process, from start to finish. If something doesn't work properly, please check /r/Proxmox, /r/Homelab, /r/VFIO, or

@TheGreatSageEqualToHeaven
TheGreatSageEqualToHeaven / Lua51AllOpcodeCases.lua
Last active November 24, 2025 04:56
Lua 5.1 Opcode Case Test File
-- load
local math = math -- GETGLOBAL
local newproxy = newproxy -- GETGLOBAL
local ipairs = ipairs -- GETGLOBAL
local floor = math.floor -- GETTABLE KST(C)
local pi = math.pi -- GETTABLE KST(C)
local _nil = nil -- LOADNIL B -> C (1)
local _true = true -- LOADBOOL B(1)
local _false = false -- LOADBOOL B(0)
@QZLin
QZLin / GeForceExperiencePatch.ps1
Created January 6, 2022 08:57
GeForce Experience without login
Set-Location "C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\www"
Copy-Item app.js app.js.bak
$js = Get-Content app.js
$js = $js -replace "`"choose`"===\w\.nvActiveAuthView[\D]*\)\}", `
'"choose"===this.nvActiveAuthView)};this.handleLoggedIn({sessionToken:"",userToken:"",user: {core:{displayName:"Anonymous",primaryEmailVerified: true}}});'
$js = $js -replace "\w\.selectView\(\)\},\w\.selectView=function\(\)\{", "return;"
$js > app.js
@05t3
05t3 / CVE-2017-0144.md
Last active November 25, 2025 15:55
This is a quick walkthrough of how you can go about exploiting eternalblue on a target

EternalBlue Exploit | MS17-010 PoC

Description

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability."

You can read more about the exploit on Wikipedia or Avast's Blog.

Lab

@bats3c
bats3c / ldrloaddll_hook.c
Last active September 12, 2025 03:06
Hook LdrLoadDll to whitelist DLLs being loaded into a process
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#define dwAllowDllCount 1
CHAR cAllowDlls[dwAllowDllCount][MAX_PATH] = {
  "W:\\allowed.dll"
};
VOID HookLoadDll(LPVOID lpAddr);

Exploiting Lua 5.1 on x86_64

The following Lua program generates a Lua bytecode program called lua-sandbox-rce.luac, which in turn spawns a shell from within the Lua 5.1 sandbox. The remainder of this document attempts to explain how this program works by a whirlwind tour of the relevant bits of the Lua 5.1 virtual machine.

function outer()
  local magic -- In bytecode, the stack slot corresponding to this local is changed
  local function middle()
    local co, upval
    local ub1 = {[0] = -- Convert uint8_t to char[1]