TFAR Code Execution
Looking again at the code, _mods comes from _keybind, and _keybind comes from CBA_fnc_getKeybind. So we have a clue. If we can control the output of CBA’s CBA_fnc_getKeybind function, we can exploit this function! Let’s take a look at CBA_fnc_getKeybind. Quick warning, you will see comments in the code. These comments describe how the exploit works, and I’ll get into them towards the end.
Looking back at TFAR’s code, we can see that the item in index 5 is where _mods is derrived from. So the first thing I look at in CBA_fnc_getKeybind is the return value. Index 5 of this return value is _oldKeybind. Working backwards, _oldKeybind is index 0 of _keybinds. Quickly, checking out that line, we can see that param does not have a default type or any checks on the internal data types. Great, so now we just need to modify _keybinds. Looking at line #16, we can see _keybinds is at the 2nd index of _actionInfo.
Finally, we come to the point at which the complexity of this exploit increases. _actionInfo is set by GVAR(actions) getVariable _action. _action is a string formatted by our input parameters. So we can conclude, _action = “tfar$lrtransmit” based on the input parameters of CBA_fnc_getKeybind (this is important and will be used later). But what is GVAR(actions)?