• Rust GSP Server Exploit
    19 replies, posted
This video shows how I retrieve inaccessible Rust server files from nitrous networks. In the example I get oxide.dll files from them. I have also tried the exploit on hfb multiplay and other hosts. [URL="http://vidd.me/OFL"]VIDEO LINK FOR TUT[/URL]
"For discussion and bitching about hacks, glitches, exploits, and the people that use them, go here: [url]http://facepunch.com/showthread.php?t=1279498[/url] " Wrong Section.
This isn't a report, xbloodmax. This is a boast.
You remind me of one of those five year olds from 2008 that made San Andreas tutorial videos with notepad.
so you exploit it by a lua script that Oxide loads? lol.
You're trying to blame something on Oxide which isn't Oxide's fault. You got access to way more folders than a host should allow - to be exact, you should only have access to a "public" folder (called datadir in Rust). You could basically cause more harm, even without Oxide on the server. Hosts need to learn to restrict the FTP and file access to only what people need - not the full server files. A security advisory was already released to the GSP mailing list, so it should be fixed soon... PlayRustEU locked down such stuff right from the beginning. Edit: Yet it's hard to believe that huge gameserver hosting companies make such mistakes. [editline]9th January 2014[/editline] [QUOTE=xEnt22;43471171]so you exploit it by a lua script that Oxide loads? lol.[/QUOTE] No. As you can see, he is modifying files he shouldn't have access to in the first place.
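The fix Ideal-Hosting describes is a confinement problem: a customer's FTP or file-manager account should only ever resolve to paths under the server's datadir, never to the rest of the install (oxide.dll, other customers' files, the host OS). The following Python is an added example, not code from this thread, from any host's control panel, or from Oxide or Leather. It checks a client-supplied path against a datadir root after resolving symlinks and ".." segments, so a request is judged on where it actually lands on disk rather than on how it is spelled. The directory layout, file names and symlink are constructed for the demo; `confine_path` and the other function names are this example's own.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Added example, not code from the thread or from any host's file-access layer.
# Models the confinement a GSP should apply: a customer account may only reach
# the server's "datadir", never the rest of the install.


def confine_path(datadir: str, requested: str) -> Optional[Path]:
    """Resolve `requested` (a path as typed by the client) against `datadir`.

    Returns the real on-disk path when it stays inside `datadir`, or None when
    it would escape via an absolute path, '..' segments, or a symlink that
    points outside. resolve() follows symlinks, so the decision is made on the
    final target, not on the textual path the client sent.
    """
    root = Path(datadir).resolve(strict=True)
    if Path(requested).is_absolute() or requested.startswith(("/", "\\")):
        return None  # clients never get to name a path from the filesystem root
    target = (root / requested).resolve(strict=False)
    try:
        target.relative_to(root)  # raises ValueError when target is outside root
    except ValueError:
        return None
    return target


def build_demo_layout() -> str:
    """Create a constructed server layout in a temp dir and return its datadir.

    server/
      oxide.dll            <- must not be reachable by the customer
      datadir/
        cfg/server.cfg     <- the customer's own files
        link_out -> ..     <- a symlink planted inside datadir to escape it
    """
    server = Path(tempfile.mkdtemp(prefix="rust_server_"))
    (server / "oxide.dll").write_bytes(b"constructed placeholder, not a real assembly")
    datadir = server / "datadir"
    (datadir / "cfg").mkdir(parents=True)
    (datadir / "cfg" / "server.cfg").write_text('hostname "constructed test server"\n')
    try:
        os.symlink("..", datadir / "link_out", target_is_directory=True)
    except OSError:
        pass  # platforms without symlink rights simply skip that case
    return str(datadir)


def evaluate_requests(datadir: str) -> Dict[str, bool]:
    """Run constructed client requests through the check.

    True means the request is allowed (stays inside datadir), False means refused.
    """
    requests = [
        "cfg/server.cfg",          # legitimate: the customer's own config
        "cfg/../cfg/server.cfg",   # '..' that stays inside datadir is still fine
        "../oxide.dll",            # textual traversal out of datadir
        "cfg/../../oxide.dll",     # traversal hidden behind a valid prefix
        "/etc/passwd",             # absolute path
        "link_out/oxide.dll",      # escape through the planted symlink
    ]
    return {r: confine_path(datadir, r) is not None for r in requests}


def symlink_escape_refused(datadir: str) -> bool:
    """True when the symlink escape is refused (or could not be set up here)."""
    link = Path(datadir) / "link_out"
    if not link.is_symlink():
        return True  # no symlink on this platform, nothing to escape through
    return confine_path(datadir, "link_out/oxide.dll") is None


if __name__ == "__main__":
    demo_datadir = build_demo_layout()
    for req, ok in evaluate_requests(demo_datadir).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {req}")
    print("symlink escape refused:", symlink_escape_refused(demo_datadir))
```

The same check belongs wherever a host maps a customer's account onto the filesystem: an FTP chroot or a web file manager that forgets to resolve symlinks will pass the textual-prefix test and still hand over files outside the datadir.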
[QUOTE=Ideal-Hosting;43471218]You're trying to blame something on Oxide which isn't Oxides fault. You got access to way more folders than a host should allow - to be exact, you should only have access to a "public" folder (called datadir in rust) You could basically cause more harm, even without Oxide on the server. Hosts need to learn to restrict the FTP and File Access to only what people need - not the full server files. A security advisory was already released to the GSP mailing list, so it should be fixed soon... PlayRustEU locked down such stuff right from the beginning. Edit: Yet hard to believe that huge gameserver hosting companies make such mistakes. [editline]9th January 2014[/editline] No. As you can see, he is modifying files he shouldn't have access to in first place.[/QUOTE] You're exactly right in saying that it's the GSPs that need to lock down security so potential mods can't break things. I don't appreciate Leather getting called an exploit loader when everything essentially comes down to the GSP and their security/permissions.
No, the problem with Leather is [SUB]that it allows compiled dynamic link libs... a) you can't look into them,[/SUB] (this statement was false, sorry, see below) b) you can't trust the users with uploading those. There are things Leather could do against those .dlls causing harm, but they didn't yet. When they asked us if we would support Leather, I told them we will not put Leather on until they're at least trying to add some "protection" to it. Oxide's Lua files can be read by the hoster at any time + they are not able to cause harm (unless an exploit is found)
[QUOTE=Ideal-Hosting;43471276]No, the problem with leather is that it allows compiled dynamic link libs... [B]a) you can't look into them,[/B] b) you can't trust the users with uploading those. There are things leather could do against those .dlls causing harm, but they didn't yet. When they asked us if we would support leather, I told them we will not put leather on until they're at least trying to add some "protection" to it. Oxides lua files can be read by the hoster at any time + they are not able to cause harm (unless an exploit is found)[/QUOTE] Wow, it's like you know absolutely nothing about C# or how easy it is to decompile and inspect with free tools like ILSpy, yet you're still talking anyhow. Please, go on about the wonders of Oxide like you aren't trying to defend something you paid for.
[QUOTE=Ideal-Hosting;43471276]No, the problem with leather is that it allows compiled dynamic link libs... a) you can't look into them, b) you can't trust the users with uploading those. [/quote] This is just flat false - Leather can only load .NET (Mono) assemblies, not any dynamic-link lib. The source code for these assemblies can be easily read with dotPeek or ILSpy. The assemblies cannot perform any action that the user running Rust_server.exe is not able to, and largely the only thing preventing an Oxide user from going on the same hard drive exploration adventure featured in the other thread is the "security by obscurity" of not releasing Oxide's binaries. As this thread illustrates, any security by obscurity is ultimately a temporary matter.
Okay, it cannot load "any" dynamic link lib - sorry for posting this above. Oxide's not doing security through obscurity, it's not released in source because the Rust server itself isn't. (See statement in the Oxide forums)
[QUOTE=Ideal-Hosting;43471276]No, the problem with leather is that it allows compiled dynamic link libs... a) you can't look into them, b) you can't trust the users with uploading those. There are things leather could do against those .dlls causing harm, but they didn't yet. When they asked us if we would support leather, I told them we will not put leather on until they're at least trying to add some "protection" to it. Oxides lua files can be read by the hoster at any time + they are not able to cause harm (unless an exploit is found)[/QUOTE] Why hasn't BMRF been added to the GSP mailing list yet? We've sent emails asking twice with no response for a week, and I spent 3 hours getting kicked back to the queue on your live support. I sincerely hope this isn't the kind of support you give your clients. On a side note, that's a flat-out lie. All currently available LeatherLoader mods can easily be read using dotPeek or ILSpy; you're just putting it down because you have a vested interest in Oxide. Really uncool. Especially when all of them have published source as well.
By the way, Unity3d's own sandboxing prevents LeatherLoader and its subsidiaries from doing certain dangerous activities such as loading COM objects, because LeatherLoader and all mod assemblies are loaded as "non-platform" assemblies. Without knowing the technical details of Oxide, I cannot guarantee that Oxide only injects IL into non-platform assemblies, or that its implementation details prevent the loading of COM objects & interop in .NET via Lua scripts. Now I trust thomasfn as a developer that he wouldn't allow anything so silly, but considering that neither Oxide nor its source code has been released, who can say? (This is a joke. Oxide is fine. But the Fear Uncertainty & Death that have been thrown Leather's way over the last 24 hours are truly silly considering that we're the open-source alternative.)
[QUOTE=Ideal-Hosting;43471322]Okay, it cannot load "any" dynamic link lib - sorry for posting this above. Oxide's not doing security through obscurity,[B] it's not released in source because the rust server itself isn't.[/B] (See statement in the oxide forums)[/QUOTE] This statement makes no sense. Yes, I realize that that is the reason Oxide gives for not releasing its source, but I guarantee you cannot give me a real reason other than 'because Rust isn't open source', which has no logical explanation within it other than saying because Thing A is closed source, Thing B must be too. Oxide is not the Rust server. They have no relation. This is not a real reason, it is blowing smoke up people's asses and expecting them not to question it.
[IMG]http://i.yt.gl/get/a74eb/phipo.png[/IMG]
I'm not sure why this video included us in it. We haven't launched Oxide yet. But I guess I'll take the free advertising! :dance: Kind Regards FPSplayers.com
[QUOTE=CodeCompiler;43470706]This video shows how I retrieve inaccessible Rust server files from nitrous networks. In the example I get oxide.dll files from them. I have also tried the exploit on hfb multiplay and other hosts. [URL="http://vidd.me/OFL"]VIDEO LINK FOR TUT[/URL][/QUOTE] Are you going to be releasing these exploits to the public anytime soon?
[QUOTE=BARKx4;43471345]Oxide is not the Rust server. They have no relation.[/QUOTE] I fail to see the logic here? Oxide will not work without the Rust server because Oxide alters the behavior of the Rust server. I'd call this a relation.
[QUOTE=thomasfn;43473725]I fail to see the logic here? Oxide will not work without the Rust server because Oxide alters the behavior of the Rust server. I'd call this a relation.[/QUOTE] Just because one is closed source doesn't mean the other has to be. You're not fooling anyone with your kindergarten logic loops. It's not a valid reason. You're closed source because you're charging GSPs for use, plain and simple.
We are not charging them a penny. That is a myth.