This House is Haunted a decade old RCE in the AION client

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://appsec.space/posts/aion-housing-exploit/
• Blog Title: This House is Haunted: a decade old RCE in the AION client
• Suggested Section: Generic Hacking -> Sandbox Escapes -> Lua VM (Game Clients)

🎯 Content Summary

Client-side RCE in AION via Butler Housing Scripting (Lua)

Post date: 2025-08-23 (updated 2025-08-27). Researcher shows client-side Remote Code Execution (RCE) in the AION MMO game client via the Housing scripting system introduced in v3.0 (2011). The feature lets players script a house “Butler” NPC using a Lua-based sandbox. Despite sandboxing, dangerous globals remain exposed, including bytecode loaders and the full io package, enabling arbitr...

🔧 Technical Details

Abusing in‑game chat as stdout to map a sandboxed Lua VM. When direct output is blocked, call an audio method first and then speak via chat: H.PlaySound(0, "r[1]"); H.Say(1, ...). Iterate _G to inventory reachable functions/tables: for k,v in pairs(_G) do H.Say(1, k.." = "..tostring(v)) end. This yields a live capability map without a debugger.

Client-side command execution via exposed io.popen()....

🤖 Agent Actions

I analyzed the blog and repository, searched for existing Lua sandbox content, and confirmed there was no dedicated page for Lua VM sandbox escapes. The most relevant existing content was the Python sandbox bypass section under generic-methodologies-and-resources, so I created a sibling Lua page there and linked it from the Python page for discoverability.

What I added/updated

1. New page: Bypass Lua sandboxes (embedded VMs, game clients)

• Path: src/generic-methodologies-and-resources/lua/bypass-lua-sandboxes/README.md
• Content includes:
  • Recon in sandboxed Lua: enumerating _G with pairs(_G) and using a generic out() abstraction for printing.
  • Technique to repurpose in-VM UI as output (e.g., AION Butler quirk requiring H.PlaySound before H.Say), generalized as a pattern.
  • Direc...

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

• searchindex.js removed: This auto-generated file has been removed to prevent conflicts

The searchindex.js file is automatically generated and should not be included in manual commits.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://appsec.space/posts/aion-housing-exploit/

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking -> Sandbox Escapes -> Lua VM (Game Clients)".

Repository Maintenance:

• MD Files Formatting: 876 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0