game designer,
MAKER OF RANDOM

Personal Project Site of Mark Willett

WoW: GM Lua Exploit Tooling

As an enthusiastic player of World of Warcraft, I have frequently run into situations where I wanted functionality beyond what the game's default toolset provides. That need for customization led me to Lua, the programming language used for developing custom addons in WoW.

While creating addons back in 2013, I inadvertently stumbled upon an exploit that allowed fake message flags to be sent through chat channels. In WoW, addons use private hidden channels to exchange data, which lets them synchronize events and timers and trigger functions. In this particular instance, the exploit allowed me to impersonate a Game Master within World of Warcraft.

Please note that discovering and exploiting such vulnerabilities is against the terms of service and ethical guidelines set forth by the game's developers. Respecting the integrity of the game and adhering to its rules is essential to ensure fair play and a positive gaming experience for all players.

While the experience served as a testament to the flexibility and potential of addons and Lua scripting, these tools must be used responsibly and within the bounds established by the game's developers. Exploiting vulnerabilities can have serious consequences, including penalties or account suspension.

Ultimately, addons and Lua scripting can greatly enhance World of Warcraft gameplay, but they must be approached with integrity, respect, and adherence to the guidelines set by the game's creators.

Original image showcasing the exploit. Reported to the Blizzard Hacks Team (circa 2014).

How it was done:

  • A GM chat frame was introduced to the World of Warcraft API.
  • Secure templates were only applied to Blizzard's own frames.
  • The GM chat channel was always available with global read/write access, because support needed it.
  • No sanitization was performed on addon private channels.
  • Players using similar addons could send REGISTER events via private messages (whispers).
  • Addons that did not properly sanitize input would execute code on the whisper event update.
  • An attacker could send fake "Official" chat into a victim's chat frame, overwriting the victim's chat.
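As an added illustration (not the proof-of-concept addon described on this page, nor any Blizzard code), the handler below shows what a properly sanitizing addon would have done with messages arriving on its private channel: parse them against a fixed allowlist, never execute received text, and escape anything it echoes so a whisper cannot masquerade as GM or system chat. It assumes the WoW API names CreateFrame, RegisterAddonMessagePrefix, CHAT_MSG_ADDON and ChatFrame1:AddMessage; the prefix "MYADDON" and the command set are invented for the example, and outside the client it falls back to a plain-Lua demonstration.

```lua
-- Added example, not the proof-of-concept addon from this page. Assumes the WoW API
-- names CreateFrame, RegisterAddonMessagePrefix, CHAT_MSG_ADDON and ChatFrame1:AddMessage;
-- the prefix "MYADDON" and the command set are constructed for illustration.
local PREFIX = "MYADDON"

-- Allowlist of commands this addon acts on, each with a validator for its argument.
local COMMANDS = {
  PING  = function(arg) return arg == nil end,
  TIMER = function(arg) local n = tonumber(arg); return n ~= nil and n > 0 and n <= 3600 end,
}
-- Parse "CMD" or "CMD:arg" into a validated command and argument; return nil and a
-- reason otherwise. The text is data only: it is never passed to loadstring or executed.
local function parseAddonMessage(msg)
  if type(msg) ~= "string" or #msg == 0 or #msg > 255 then return nil, "bad length" end
  local cmd, arg = msg:match("^(%u+)$")
  if not cmd then cmd, arg = msg:match("^(%u+):([%w%.]+)$") end
  if not cmd then return nil, "malformed" end
  local validate = COMMANDS[cmd]
  if not validate then return nil, "unknown command" end
  if not validate(arg) then return nil, "bad argument" end
  return cmd, arg
end

-- Anything shown to the user is escaped ("|" becomes "||", so it cannot open a colour,
-- texture or hyperlink sequence) and tagged as addon output, so a peer's message
-- can never pass itself off as system or GM chat.
local function sanitizeForDisplay(text)
  return "[" .. PREFIX .. "] " .. text:gsub("|", "||")
end
local function onAddonMessage(prefix, msg, channel, sender)
  if prefix ~= PREFIX then return end
  local cmd, arg = parseAddonMessage(msg)
  if not cmd then return end  -- drop anything off the allowlist, silently
  if cmd == "PING" then return sanitizeForDisplay("ping from " .. sender) end
  return sanitizeForDisplay(sender .. " started a " .. arg .. "s timer")
end

if CreateFrame then  -- inside the WoW client: wire the handler to the event
  RegisterAddonMessagePrefix(PREFIX)
  local f = CreateFrame("Frame")
  f:RegisterEvent("CHAT_MSG_ADDON")
  f:SetScript("OnEvent", function(_, _, ...)
    local line = onAddonMessage(...)
    if line then ChatFrame1:AddMessage(line) end
  end)
else  -- plain Lua: a spoofed "[GM]" sender is rendered harmlessly, an unknown command is dropped
  print(onAddonMessage(PREFIX, "PING", "WHISPER", "|cffffff00[GM]|r Impostor"))
  print(onAddonMessage(PREFIX, "REGISTER:anything", "WHISPER", "Impostor") or "dropped")
end
```

Run under plain Lua, the first line prints the spoofed sender with its colour code neutralised as a literal "||cffffff00[GM]||r", and the second prints "dropped".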

After finding the exploit, I quickly wrote a small proof-of-concept addon with an interface to demonstrate how simple the exploit was. It was emailed to hacks@blizzard.com in early 2014.
The exploit was fixed in mid-2014 with a new GM Chat window and a secure frames adjustment. Additionally, Blizzard revoked /~/ console access, so it is no longer reachable without breaking the ToS through a binary edit of the client.