GitHub - AliensToEarth/litematica-rce: Proof of Concept for the recent Litematica path traversal bug which leads to RCE · GitHub
/" data-turbo-transient="true" />
Skip to content
Search or jump to...
Search code, repositories, users, issues, pull requests...
-->
Search
Clear
Search syntax tips
Provide feedback
--><br>We read every piece of feedback, and take your input very seriously.
Include my email address so I can be contacted
Cancel
Submit feedback
Saved searches
Use saved searches to filter your results more quickly
-->
Name
Query
To see all available qualifiers, see our documentation.
Cancel
Create saved search
Sign in
/;ref_cta:Sign up;ref_loc:header logged out"}"<br>Sign up
Appearance settings
Resetting focus
You signed in with another tab or window. Reload to refresh your session.<br>You signed out in another tab or window. Reload to refresh your session.<br>You switched accounts on another tab or window. Reload to refresh your session.
Dismiss alert
{{ message }}
AliensToEarth
litematica-rce
Public
Notifications<br>You must be signed in to change notification settings
Fork
Star
main
BranchesTags
Go to file
CodeOpen more actions menu
Folders and files<br>NameNameLast commit message<br>Last commit date<br>Latest commit
History<br>6 Commits<br>6 Commits
gradle/wrapper
gradle/wrapper
src/main
src/main
.gitignore
.gitignore
LICENSE
LICENSE
README.md
README.md
build.gradle
build.gradle
embed_payload.sh
embed_payload.sh
gradle.properties
gradle.properties
gradlew
gradlew
gradlew.bat
gradlew.bat
settings.gradle
settings.gradle
View all files
Repository files navigation
Litematica RCE PoC
This project is for educational and research purposes only.<br>Do not use this against systems you do not own or have explicit permission to test.
Information about this vulnerability has already spread widely across the<br>Minecraft modding community. Litematica has released a patch. I'm publishing<br>this PoC so the community can study the mechanism and understand how it works.
This Proof of concept is exploiting a directory traversal vulnerability in Litematica's<br>schematic file transmission protocol.
The Vulnerability
Litematica has a schematic sharing feature that<br>uses a custom network protocol via the servux:litematics channel. The protocol<br>allows a server to send schematic files to clients. The schematic is written to<br>schematics/transmit/ on the client filesystem.
The vulnerability is that the filename is not sanitized . By supplying a<br>filename like ../../mods/evil.litematic.jar, the path resolves outside the<br>schematics/transmit/ directory and into the mods/ folder. Since the file is<br>written as-is (not validated as a real schematic), any arbitrary JAR file can be<br>deployed and loaded as a Fabric mod on the next client restart.
Litematica has already posted patches in version 0.26.11 for Minecraft 1.21.x.<br>Clients running patched versions are not vulnerable. I found the message about<br>the existence of this vulnerability in the DupersUnited Discord server and<br>started digging into Litematica's source code, comparing the patched version<br>against the unpatched one to understand the exact mechanism.
How the Exploit Works
Server-side Fabric mod registers a payload on channel servux:litematics.
When a client connects, the server fabricates three NBT-compound packets<br>matching Litematica's schematic transmission protocol (TransmitStart,<br>TransmitData, TransmitEnd):
TransmitStart : declares the filename, file type, total size, and<br>slice count. The filename is ../../mods/.litematic.jar.
TransmitData : contains the raw bytes of the payload JAR.
TransmitEnd : signals completion so Litematica writes the file to disk.
Litematica receives these packets, resolves the filename against<br>schematics/transmit/, and writes the payload to<br>.minecraft/mods/.litematic.jar.
On the next client restart, the payload JAR is loaded as a mod.
Each message is sent as its own PacketSplitter session with 2-tick delays<br>between them to ensure the client processes them sequentially.
Files
File<br>Purpose
src/main/java/.../LitematicaRceFabric.java<br>Server-side mod that sends the crafted packets
src/main/java/.../PayloadJar.java<br>Loads the payload JAR from bundled resource
src/main/resources/payload.jar<br>The actual payload JAR embedded in the mod
embed_payload.sh<br>Script to replace the payload with any JAR
Usage
Embed your jar and build:
./embed_payload.sh path/to/your-mod.jar [output-name]<br>./gradlew build
This copies the JAR into the mod's resources and generates PayloadJar.java<br>referencing it. The output-name becomes the filename written to the<br>victim's mods/ folder (defaults to poc.litematic.jar).
Start the Minecraft Fabric 1.21.11 server, have a client (running Litematica mods/ and is<br>loaded on next launch.
Protocol Details
Wire format for each ServuxLitematicaPacket (type 11):
VarInt(11) + VarInt(msgSize) + VarInt(1) + writeNbt(compound)
Where compound contains:
TransmitStart : {Task:...