http://www.1337day.com/exploits/17064
Fixed... but I don't count that as an exploit. From Lua it is possible to read and execute everything :P
It's not an exploit! :)
https://devilteam.pl/ptokax0.4.2.0.txt
The first two PoC's contain:
Quote: now go to Settings "Scripts" tab
which requires access to the GUI itself. If you have access to the GUI, you have access to the whole OS, then why try via PtokaX? :)
Lua code execution (PoC3) also requires that you place the 'malicious' Lua code to the machine running PtokaX, which also requires privileges.
Quote from: bastya_elvtars on 15 October, 2011, 17:40:19
The first two PoC's contain:
which requires access to the GUI itself. If you have access to the GUI, you have access to the whole OS, then why try via PtokaX? :)
Lua code execution (PoC3) also requires that you place the 'malicious' Lua code to the machine running PtokaX, which also requires privileges.
Yes, but it can be used for privilege escalation on the local machine. PoC3: if you have Apache on the server and some www/forum, you can upload evil Lua code to the server and run it, or on Linux run any file from /tmp