This covers every possible way to abuse a Roblox executor to cookie-log accounts, steal Robux, or even achieve Remote Code Execution.
I found all these vulnerabilities while testing the security of mobile executors, and I found them in under an hour.
I wanted to show just how shit of a developer rexidtc is. Rexi contributed to most mobile executors (Codex, Hydrogen, Delta and more).
I recommend avoiding the executors mentioned above. Rexidtc was the owner of KittenMilk, which was known to be a malicious executor in the past. On the other hand, Furky, the owner of Codex, was suspected by the exploiting community of using users' devices to mine cryptocurrency, resulting in a significant performance decrease. Oh, and a funny fact about Furky: he once tried to argue that DLLs exist on mobile, which shows how much of a script kiddie he is.
If you're on PC and use BlueStacks to exploit, I recommend buying Electron. If you're on mobile, I recommend getting Fluxus.
## HttpRbxApiService
You can abuse Roblox's [HttpRbxApiService](https://robloxapi.github.io/ref/class/HttpRbxApiService.html), a service that is normally only accessible by CoreScripts, but since executors run with thread identity 8, you have the permissions to use it!
The Luau code below sends an account-authenticated request to the Roblox API to grab the amount of Robux the user has, and the same access can be abused to steal Robux, the account itself, and more.
Roblox's [BrowserService](https://robloxapi.github.io/ref/class/BrowserService.html) was, again, only meant to be accessed by CoreScripts. Using this service opens up a ton of critical vulnerabilities, such as cookie grabbing, auto-downloading malicious files, executing potentially malicious JavaScript, and more.
The code below uses the service to open a Google URL.
[MarketplaceService](https://robloxapi.github.io/ref/class/MarketplaceService.html) has a lot of functions that can be used to steal a Roblox account's Robux.
The code below shows all the functions that can be used to steal an account's Robux.
```lua
local m = game:GetService("MarketplaceService")
-- gets the account's balance and prints it
local r = m:GetRobuxBalance()
print(r)
-- the functions below can be used to steal robux
-- if you wish to see each function's required parameters, check the docs: https://robloxapi.github.io/ref/class/MarketplaceService.html
m:PerformPurchase()
m:PerformPurchaseV2()
m:PromptNativePurchaseWithLocalPlayer()
m:PromptNativePurchase()
m:PromptCollectiblesPurchase()
m:PromptGamePassPurchase()
m:PromptBundlePurchase()
m:PromptThirdPartyPurchase()
m:PromptRobloxPurchase()
m:PromptProductPurchase()
m:PromptPurchase()
-- the docs also list signals that could be fired by an executor's firesignal function. if you have already blocked the functions above in your executor, consider blocking firesignal from firing those malicious signals as well.
```
## HttpService
You've probably already tried sending requests to the Roblox API with HttpService at one point, and it throws the error "HttpService can't access ROBLOX resources."
But did you know that there is an unrestricted function in HttpService, allowing you to send authenticated requests to the API, which is what Robux stealer scripts are built on? Introducing: RequestInternal!
[OpenCloudService](https://robloxapi.github.io/ref/class/OpenCloudService.html) is a new service added to Roblox and, again, it allowed you to send authenticated requests to the Roblox API.
MessageBusService can be abused to access the openUrlRequest messages, which lets us escape the sandbox, resulting in a Remote Code Execution (RCE) vulnerability.
In most Roblox loadstring scripts, you've probably seen "game:HttpGet" after the loadstring. That's the function that sends the GET request to a specific URL to fetch a script, and loadstring is what compiles the Luau code that was fetched.
This can be abused by sending authenticated requests to the Roblox API, resulting in Robux stealers, account stealers and more.
```lua
game:HttpGet('REPLACE THIS WITH ROBLOX API URL')
```
## request Function
The Roblox [Unified Naming Convention, aka UNC](https://github.com/unified-naming-convention/NamingStandard/blob/main/README.md) has a custom function called "request"; its aliases include http_request, http, syn.request and more. And since 99% of executors support UNC, this becomes critical.
This can be abused to send authenticated requests to the Roblox API.
```lua
request({
    Url = 'https://google.com',
    Method = 'GET' -- you can also use POST
})
-- for POST requests, add a Content-Type: application/json header
```
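The sections above all come down to the same executor-side mitigation: deny the privileged services, deny the purchase and RequestInternal methods, and refuse any HttpGet or request call whose URL would reach a Roblox-owned host and so carry the account's session. Here is an added example, written for this page and not taken from the gist or from any executor, that expresses that policy in plain Lua. The service and method names are the ones listed above; everything else is an assumption: the `roblox.com` host deny list, the `guard` and `guarded_request` helpers, and the fake `game` table at the bottom, which is a constructed stand-in for the DataModel so the file runs under any Lua 5.1+ interpreter or Luau.

```lua
-- Added example, not the gist's or any executor's code: a script-level policy
-- guard. Service/method names are the ones this page lists; the host deny list
-- and the fake DataModel at the bottom are constructed assumptions.
local BLOCKED_SERVICES = {
  HttpRbxApiService = true, BrowserService = true,
  OpenCloudService = true, MessageBusService = true,
}
local BLOCKED_METHODS = {
  HttpService = { RequestInternal = true },
  MarketplaceService = {
    GetRobuxBalance = true, PerformPurchase = true, PerformPurchaseV2 = true,
    PromptNativePurchaseWithLocalPlayer = true, PromptNativePurchase = true,
    PromptCollectiblesPurchase = true, PromptGamePassPurchase = true,
    PromptBundlePurchase = true, PromptThirdPartyPurchase = true,
    PromptRobloxPurchase = true, PromptProductPurchase = true, PromptPurchase = true,
  },
}
-- Assumed deny list: a host equal to, or a subdomain of, an entry is refused.
local BLOCKED_HOST_SUFFIXES = { "roblox.com" }

-- Host of a URL with scheme, userinfo, port, path and query stripped, so that
-- "https://evil.com@roblox.com/" reads as roblox.com but "roblox.com.evil.com" does not.
local function host_of(url)
  if type(url) ~= "string" then return nil end
  local rest = url:match("^%s*%a[%w+.-]*://(.*)$") or url:match("^%s*(.*)$")
  rest = (rest:gsub("^//", ""))                   -- protocol-relative form
  rest = rest:match("^([^/?#]*)")                 -- authority only
  rest = rest:match("^.*@(.*)$") or rest          -- strip userinfo
  rest = rest:match("^%[([^%]]*)%]") or rest:match("^([^:]*)") -- IPv6 / port
  return rest:lower()
end

local function is_blocked_url(url)
  local host = host_of(url)
  if not host or host == "" then return true end -- fail closed on junk input
  for _, suffix in ipairs(BLOCKED_HOST_SUFFIXES) do
    if host == suffix or host:sub(-(#suffix + 1)) == "." .. suffix then
      return true
    end
  end
  return false
end

-- Read-only proxy applying the policy on every lookup; services are wrapped recursively.
local function guard(obj, name)
  local blocked = BLOCKED_METHODS[name] or {}
  return setmetatable({}, {
    __index = function(_, key)
      if blocked[key] then
        error(("guard: %s:%s is denied"):format(name, key), 2)
      end
      local member = obj[key]
      if type(member) ~= "function" then return member end
      if key == "GetService" then
        return function(_, service)
          if BLOCKED_SERVICES[service] then
            error("guard: service " .. tostring(service) .. " is denied", 2)
          end
          return guard(member(obj, service), service)
        end
      elseif key == "HttpGet" then
        return function(_, url, ...)
          if is_blocked_url(url) then
            error("guard: HttpGet to " .. tostring(url) .. " is denied", 2)
          end
          return member(obj, url, ...)
        end
      end
      return function(_, ...) return member(obj, ...) end
    end,
    __newindex = function() error("guard: environment is read-only", 2) end,
  })
end

-- Same URL policy in front of the UNC `request` function.
local function guarded_request(raw_request, opts)
  if type(opts) ~= "table" or is_blocked_url(opts.Url) then
    error("guard: request to " .. tostring(opts and opts.Url) .. " is denied", 2)
  end
  return raw_request(opts)
end

-- Constructed stand-in for the DataModel; `sent` records what reached the network.
local sent = {}
local fake_game = { HttpGet = function(_, url) sent[#sent + 1] = url; return "" end }
function fake_game:GetService(service)
  return { Name = service, GetRobuxBalance = function() return 0 end,
           RequestInternal = function() sent[#sent + 1] = "RequestInternal" end }
end
local function fake_request(opts) sent[#sent + 1] = opts.Url; return { Success = true } end

local g = guard(fake_game, "game")
assert(not pcall(function() return g:GetService("HttpRbxApiService") end))
assert(not pcall(function() return g:GetService("HttpService"):RequestInternal({}) end))
assert(not pcall(function() return g:GetService("MarketplaceService"):GetRobuxBalance() end))
assert(not pcall(function() return g:HttpGet("HTTPS://evil.com@API.Roblox.com/v1/user") end))
assert(not pcall(function() return guarded_request(fake_request, { Url = "//www.roblox.com/" }) end))
assert(pcall(function() return g:HttpGet("https://example.com/script.lua") end))
assert(pcall(function() return guarded_request(fake_request, { Url = "https://roblox.com.example.com/" }) end))
assert(#sent == 2, "only the two allowed requests went out")
```

Run it with any Lua interpreter; the assertions at the end exercise the userinfo trick (`evil.com@roblox.com`), upper-case hosts, protocol-relative URLs and look-alike subdomains. A real executor enforces this in native code or at the `__namecall` hook rather than through a table proxy (a proxy does not survive `typeof` or identity comparisons), and as the ScriptContext section below notes, anything that lets a script raise its identity to 8 bypasses script-level checks entirely, so the policy is only as strong as the identity boundary underneath it.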
--------------
## Bypassing blocked functions with ScriptContext
CHECK [James Napora's Github Gist](https://gist.github.com/TheGreatSageEqualToHeaven/969422baa43854d717bb651f6edda4b3#roblox-and-exploit-fundamentals) FOR MORE INFORMATION
Basically, this uses ScriptContext to create a CoreScript and parent it to an Actor, elevating its thread identity to 8 and allowing you to use the functions above even if they were blocked.
And that was all the critical vulnerabilities! I didn't spend much time finding the vulns, and I'm not wasting time on it again. However, if there's any critical vulnerability you'd like me to put here, just contact me and I'll add it.