• [DarkRP] Exploit to spawn blacklisted props [Fix]
    9 replies, posted
Hello guys, Recently there has been a exploit which lets you spawn blacklisted props, this can get very bad very quickly. This is a black listed prop: [QUOTE]models/props_c17/oildrum001_explosive.mdl[/QUOTE] replace it with: [QUOTE]models/props_c17/../props_c17/oildrum001_explosive.mdl[/QUOTE] Use the command to be able to spawn it: [QUOTE]gm_spawn models/props_c17/../props_c17/oildrum001_explosive.mdl[/QUOTE] Fix for this exploit: [QUOTE]function SpawnedProp(ply, model, ent) if string.match(model, ".+%/../") and IsValid(ent) then ent:Remove() ply:PrintMessage( HUD_PRINTTALK, '[FPP] blacklist bypass detected' ) end end hook.Add("PlayerSpawnedProp", "playerSpawnedProp", SpawnedProp)[/QUOTE] Note: I only explained the exploit just in case someone wanted to fix it another way, if people think this is me releasing the exploit then I will remove how to do it. [U][B]This exploit is fixed in 2.5.0 however most servers run on 2.4.X[/B][/U] Credit to Rainbow Dash for creating a fix and possibly finding this exploit.
yeah dude it's not like there's a way to bypass the patch implemented in 2.5.0 or anything
Hey. Kinda a newb to this, but where would I put the fix?
[QUOTE=SilentChaos;42848893]Hey. Kinda a newb to this, but where would I put the fix?[/QUOTE] Just update your DarkRP.
Figured it out - if anyone doesn't want to update there dark rp just drop it in the init.lua file and it should work.
I'm kinda a noob at this, and How do you spawn the large_gate thing? I really would appreciate it if someone would help me. :D [editline]18th November 2013[/editline] [QUOTE=Stormerno;42906406]I'm kinda a noob at this, and How do you spawn the large_gate thing? I really would appreciate it if someone would help me. :D[/QUOTE] OK NVM.
I'm very sorry to bump this thread, but I believe I do deserve credit considering it's my code... [URL="http://www.hackforums.net/showthread.php?tid=3856697"]http://www.hackforums.net/showthread.php?tid=3856697[/URL]
[QUOTE=rainbow-dash;43021917]I'm very sorry to bump this thread, but I believe I do deserve credit considering it's my code... [URL="http://www.hackforums.net/showthread.php?tid=3856697"]http://www.hackforums.net/showthread.php?tid=3856697[/URL][/QUOTE] What is really the point of giving credit? I understand you did fix this but I was simply just spreading it to this forum I never claimed saying I was the creator and I should get all the credit. Just for the sake of it I'll give you credit. Even though it's quite pointless.
[QUOTE=aaronuk12;43029803]What is really the point of giving credit? I understand you did fix this but I was simply just spreading it to this forum I never claimed saying I was the creator and I should get all the credit. Just for the sake of it I'll give you credit. Even though it's quite pointless.[/QUOTE] Sorry, I just feel like you were claiming it as your own, it's quite frustrating because a lot of communities have been doing it, the code is actually part of my anti-cheat and I was nice enough to share it! Lets take this 13 year old admin for example: [IMG]http://gyazo.com/302cfdf7210ec26e0911bd76ead68039.png[/IMG]
A better fix would actually have been to check if the model is valid via [URL="http://wiki.garrysmod.com/page/util/IsValidModel"]util.IsValidModel[/URL]. Prevents any possible further string exploits. Edit: Are you sure that it's fixed in 2.5.0? I've done a quick swoop over it and I can't see anything that would prevent such a case either. In fact I can actually replicate it no problem on a local server. Edit: Nevermind, I see what's done.
Sorry, you need to Log In to post a reply to this thread.