Proof of Concept for the recent Litematica path traversal bug which leads to RCE

Cider99861 pts0 comments

GitHub - AliensToEarth/litematica-rce: Proof of Concept for the recent Litematica path traversal bug which leads to RCE · GitHub

/" data-turbo-transient="true" />

Skip to content

Search or jump to...

Search code, repositories, users, issues, pull requests...

-->

Search

Clear

Search syntax tips

Provide feedback

--><br>We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Cancel

Submit feedback

Saved searches

Use saved searches to filter your results more quickly

-->

Name

Query

To see all available qualifiers, see our documentation.

Cancel

Create saved search

Sign in

/;ref_cta:Sign up;ref_loc:header logged out"}"<br>Sign up

Appearance settings

Resetting focus

You signed in with another tab or window. Reload to refresh your session.<br>You signed out in another tab or window. Reload to refresh your session.<br>You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

{{ message }}

AliensToEarth

litematica-rce

Public

Notifications<br>You must be signed in to change notification settings

Fork

Star

main

BranchesTags

Go to file

CodeOpen more actions menu

Folders and files<br>NameNameLast commit message<br>Last commit date<br>Latest commit

History<br>6 Commits<br>6 Commits

gradle/wrapper

gradle/wrapper

src/main

src/main

.gitignore

.gitignore

LICENSE

LICENSE

README.md

README.md

build.gradle

build.gradle

embed_payload.sh

embed_payload.sh

gradle.properties

gradle.properties

gradlew

gradlew

gradlew.bat

gradlew.bat

settings.gradle

settings.gradle

View all files

Repository files navigation

Litematica RCE PoC

This project is for educational and research purposes only.<br>Do not use this against systems you do not own or have explicit permission to test.

Information about this vulnerability has already spread widely across the<br>Minecraft modding community. Litematica has released a patch. I'm publishing<br>this PoC so the community can study the mechanism and understand how it works.

This Proof of concept is exploiting a directory traversal vulnerability in Litematica's<br>schematic file transmission protocol.

The Vulnerability

Litematica has a schematic sharing feature that<br>uses a custom network protocol via the servux:litematics channel. The protocol<br>allows a server to send schematic files to clients. The schematic is written to<br>schematics/transmit/ on the client filesystem.

The vulnerability is that the filename is not sanitized . By supplying a<br>filename like ../../mods/evil.litematic.jar, the path resolves outside the<br>schematics/transmit/ directory and into the mods/ folder. Since the file is<br>written as-is (not validated as a real schematic), any arbitrary JAR file can be<br>deployed and loaded as a Fabric mod on the next client restart.

Litematica has already posted patches in version 0.26.11 for Minecraft 1.21.x.<br>Clients running patched versions are not vulnerable. I found the message about<br>the existence of this vulnerability in the DupersUnited Discord server and<br>started digging into Litematica's source code, comparing the patched version<br>against the unpatched one to understand the exact mechanism.

How the Exploit Works

Server-side Fabric mod registers a payload on channel servux:litematics.

When a client connects, the server fabricates three NBT-compound packets<br>matching Litematica's schematic transmission protocol (TransmitStart,<br>TransmitData, TransmitEnd):

TransmitStart : declares the filename, file type, total size, and<br>slice count. The filename is ../../mods/.litematic.jar.

TransmitData : contains the raw bytes of the payload JAR.

TransmitEnd : signals completion so Litematica writes the file to disk.

Litematica receives these packets, resolves the filename against<br>schematics/transmit/, and writes the payload to<br>.minecraft/mods/.litematic.jar.

On the next client restart, the payload JAR is loaded as a mod.

Each message is sent as its own PacketSplitter session with 2-tick delays<br>between them to ensure the client processes them sequentially.

Files

File<br>Purpose

src/main/java/.../LitematicaRceFabric.java<br>Server-side mod that sends the crafted packets

src/main/java/.../PayloadJar.java<br>Loads the payload JAR from bundled resource

src/main/resources/payload.jar<br>The actual payload JAR embedded in the mod

embed_payload.sh<br>Script to replace the payload with any JAR

Usage

Embed your jar and build:

./embed_payload.sh path/to/your-mod.jar [output-name]<br>./gradlew build

This copies the JAR into the mod's resources and generates PayloadJar.java<br>referencing it. The output-name becomes the filename written to the<br>victim's mods/ folder (defaults to poc.litematic.jar).

Start the Minecraft Fabric 1.21.11 server, have a client (running Litematica mods/ and is<br>loaded on next launch.

Protocol Details

Wire format for each ServuxLitematicaPacket (type 11):

VarInt(11) + VarInt(msgSize) + VarInt(1) + writeNbt(compound)

Where compound contains:

TransmitStart : {Task:...

litematica gradle payload file main schematic

Related Articles