• [PSA] Bringing attention to "drvrej" and VJ Base having a backdoor.
Hello everyone, today I figured I'd post about my experience with drvrej and his highly acclaimed addon, VJ Base. I believed this to be a great addon for people who don't want to make Nextbot NPCs. Until today. Today I was playing some PUBG with my friends, having a good time. Then one of the admins on my server sends me a frantic Steam message about how someone has hacked the server and it's all going to hell. I was like, well shit, and hopped on. I joined my server and was greeted by this: https://i.imgur.com/EL7GiYW.png

As you can see, it would appear that console is having a bad day and seems to be taking it out on a certain ethnic group. I figured, well shit, one of my addons must be backdoored, and set to work, starting out by running a grep command on my addon directory for both ConCommand and RunConsoleCommand. This result turns up empty-handed, so I figure they must be doing something with net messages, and lo and behold, I start looking at incoming net messages and I find this little gem.

```lua
if (LocalPlayer():SteamID() == "STEAM_0:0:22688298") then
    local MenuButton_DrVrej1 = vgui.Create( "DButton", MenuFrame )
    MenuButton_DrVrej1:SetText( "Illuminati" )
    MenuButton_DrVrej1:SetPos( 10, 170 ) -- y, x
    MenuButton_DrVrej1:SetSize( 50, 30 )
    MenuButton_DrVrej1.DoClick = function()
        ply:ChatPrint("Fuck off")
    end

    local MenuButton_DrVrej2 = vgui.Create( "DButton", MenuFrame )
    MenuButton_DrVrej2:SetText( "THIRSTY" )
    MenuButton_DrVrej2:SetPos( 120, 170 ) -- y, x
    MenuButton_DrVrej2:SetSize( 50, 30 )
    MenuButton_DrVrej2.DoClick = function()
        net.Start("vj_testentity_runtextsd")
        net.WriteEntity(LocalPlayer())
        net.WriteString("Are you thirsty?")
        net.WriteString("vj_illuminati/areyouthristy.wav")
        net.SendToServer()
    end
end
```

Well shit, my favorite NPC addon has some sketchy ass code! There's surely no way a respe..
```lua
net.Receive("vj_testentity_runtextsd",function(len,pl)
    ply = net.ReadEntity()
    msg = net.ReadString()
    soundfile = net.ReadString()
    PrintMessage(HUD_PRINTTALK,msg)
    PrintMessage(HUD_PRINTCENTER,msg)
    local sd = CreateSound(game.GetWorld(),soundfile)
    sd:SetSoundLevel(0)
    sd:Play()
end)
```

Workshop uploader wo... https://i.imgur.com/CUlN6Vx.png

Yea.....

If you want to prevent this from happening to your server that you have VJ Base installed on, please unconvert it from gma, go to lua/entities/sent_vj_test and comment out the code where you see what I've posted above. You probably could just delete the whole entity and nothing would change besides knowing your server has been safeguarded. What I posted was a mere fraction of what drvrej actually did to the server, but sadly we only have one screenshot.

TL;DR: If you have VJ Base installed, uncompress it from its .gma format and delete lua/entities/sent_vj_test, as it is a backdoor.
I already reported this
Ok, I checked what you were reporting. From what I can tell, you are using a really old version of my base. It also seems to be an edited version of it, because the code "Fuck Off" was never there. Please download VJ Base either from the GitHub or Steam Workshop. Don't download from anywhere else. Never use an edited version of the base. I don't know what else they have changed in the one you are using, but just looking at the couple of lines, I can see many things changed.

GitHub can be found here: GitHub
Steam Workshop can be found here: http://steamcommunity.com/sharedfiles/filedetails/?id=131759821
Any player can still send messages and play sounds to everyone in the server:

```lua
net.Receive("vj_testentity_runtextsd",function(len,pl)
    ply = net.ReadEntity()
    msg = net.ReadString()
    soundfile = net.ReadString()
    PrintMessage(HUD_PRINTTALK,msg)
    PrintMessage(HUD_PRINTCENTER,msg)
    local sd = CreateSound(game.GetWorld(),soundfile)
    sd:SetSoundLevel(0)
    sd:Play()
end)
```

This is screaming exploit.
With all these backdoors and stuff, why not just make it allowed? Maybe also take VAC out for simplicity. (Also maybe post gmod binary sources for better mods)
Thanks for the notice bro, I will include a fix for it in the next update! I just looked through the whole SNPC, it does need a complete update and proper multiplayer support, so I might just update the whole thing!
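
One way the `vj_testentity_runtextsd` receiver quoted in this thread could be hardened, shown as an added example that is not part of any post and is not VJ Base's actual fix. It assumes only superadmins should be able to trigger the broadcast; `MAX_BITS`, `MAX_MSG_LEN`, `COOLDOWN`, `ALLOWED_SOUNDS` and the `NextTestBroadcast` field are illustrative names and values.

```lua
-- Added example (server-side GLua), not VJ Base code.
-- Assumed policy: superadmin only, bounded message, allow-listed sounds.
if not SERVER then return end

local MAX_BITS    = 8 * 512 -- reject oversized payloads before parsing
local MAX_MSG_LEN = 128     -- characters shown to every player
local COOLDOWN    = 2       -- seconds between accepted requests per sender
local ALLOWED_SOUNDS = {
    ["vj_illuminati/areyouthristy.wav"] = true, -- path quoted in the thread
}

-- Registering again under the same name replaces the earlier receiver.
net.Receive("vj_testentity_runtextsd", function(len, sender)
    -- `sender` is filled in by the engine from the connection itself.
    -- It is the only identity the server can trust in a net message.
    if not IsValid(sender) or not sender:IsSuperAdmin() then return end
    if len > MAX_BITS then return end

    -- Per-player throttle so even an authorized client cannot spam.
    local now = CurTime()
    if (sender.NextTestBroadcast or 0) > now then return end
    sender.NextTestBroadcast = now + COOLDOWN

    -- The client writes an entity first. It is attacker-controlled, so it
    -- is read only to keep the message layout aligned, then discarded.
    net.ReadEntity()
    local msg = net.ReadString()
    local soundfile = net.ReadString()

    -- Validate both client-supplied strings before they reach everyone.
    if #msg == 0 or #msg > MAX_MSG_LEN then return end
    if not ALLOWED_SOUNDS[soundfile] then return end

    PrintMessage(HUD_PRINTTALK, msg)
    PrintMessage(HUD_PRINTCENTER, msg)

    local sd = CreateSound(game.GetWorld(), soundfile)
    sd:SetSoundLevel(0)
    sd:Play()
end)
```

The client-side SteamID check quoted in the first post only decides who sees the menu button; any client can still send the message directly, so the permission check has to sit in the server receiver as above.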