HHH Hitman System Money Exploit

Hey,
The last few weeks I started joining DarkRP servers again. While most of the blatantly obvious exploits are fixed, there are still many not as critical ones.
One thing I found is that almost all custom hitman plugins have money exploits. One of which is HHH - A decent hitman system:

Code (Modified, can’t be used like that…):



function Person:Request( hitData )
	hitData.requester:addMoney( -hitData.amount )
	[...]
end

function Person:checkHit( hitData )
	if hitData.target == self or hitData.target == hitData.hitman then
		[...]
	end
	if hitData.target.hhh.lastHit + hhh.config.killDelay > CurTime() then
		[...]
	end
	if hitData.amount > self.DarkRPVars.money then
		[...]
	end
	for i, req in pairs ( hitData.hitman.hhh.requests ) do
		if req.target == hitData.target then
			[...]
		end
	end
	for i, hit in pairs ( hitData.hitman.hhh.currentHits ) do
		if hit.target == hitData.target then
			[...]
		end
	end

	return true
end

function Person:DoHit( hitData, requester )
	if hitData.requester ~= requester then
		[...]
	end
	if requester:checkHit( hitData ) then
		hitData.hitman:Request( hitData )
	end
end

net.Receive( 'some_net_message', function( len, requester )
	local hitData = net.ReadTable()
	hitData.hitman:DoHit( hitData, requester )
end )


Again, this is simple to exploit:



local tbl = {
	requester = LocalPlayer(),
	target = player.GetAll()[1],
	amount = -9999999999 --This is the important line
}
net.Start("some_net_message")
net.WriteTable(tbl)
net.SendToServer()


Really simple, you can just use a negative reward for the hitman.
Now this is nothing special. Almost all hitman plugins have it and it’s almost not worthy to make a thread about.

But with this plugin, I contacted the author and told him that I believe that his addon has a money exploit.
He of course immediately denied it and told me that his addon is super secure and none of his addons ever had a backdoor/exploit.
That is what you would expect from the features of the addon :

Now after telling him multiple times to try and help me sort this out (wasn’t sure if it had an exploit yet), he sent me the checkHit() function over Steam.
After taking a look at it I told him that it doesn’t check for a negative amount for the reward.
Now so far this isn’t a huge deal, I would deny that my script had an exploit as well, but this is where it becomes problematic.
After checking his code and realizing that it does in fact have an exploit he sent me this over Steam:

The thing is, this piece of code is not in the actual coderhire script, so he probably just completely made it up.
I asked him politely to send me the full serverside code, he rejected that immediately though.
After telling him that I am going to buy the script to see if it really did have an exploit he removed me from steam.
So I ended up buying this shitty addon (for $10!!) to prove him wrong. And as expected I was right.

I really hate stuff like that. I don’t even know if he’s going to fix it or not because he seemed quite delusional about it.

syl0r
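The server-side check this post says is missing, as an added example that is not part of the original post and is not HHH's code. Players are plain tables so it runs in a stock Lua interpreter; `validateHitRequest`, `requestHit`, the `money` field and the `minReward`/`maxReward` limits are assumptions. In GMod the `sender` would be the player argument that `net.Receive` passes to its callback, never a field read from the client's table.

```lua
-- Added example (not HHH code). Names and limits below are assumptions.
local config = { minReward = 100, maxReward = 1000000 }  -- hypothetical limits

-- Returns true, or false plus a reason. `sender` is the player the server
-- received the message from; the payload is never trusted to name the payer.
local function validateHitRequest(sender, hitData, cfg)
	if type(hitData) ~= "table" then return false, "malformed request" end
	local amount = hitData.amount
	if type(amount) ~= "number" or amount ~= amount then  -- NaN ~= NaN
		return false, "amount is not a number"
	end
	if amount ~= math.floor(amount) then return false, "amount must be whole" end
	if amount < cfg.minReward then return false, "amount below minimum" end
	if amount > cfg.maxReward then return false, "amount above maximum" end
	if amount > sender.money then return false, "cannot afford" end
	if hitData.target == nil or hitData.hitman == nil
		or hitData.target == sender or hitData.target == hitData.hitman then
		return false, "invalid target"
	end
	return true
end

-- Charge only after validation, and always charge the sender.
local function requestHit(sender, hitData, cfg)
	local ok, reason = validateHitRequest(sender, hitData, cfg)
	if not ok then return false, reason end
	sender.money = sender.money - hitData.amount
	return true
end

-- Constructed sample data: one payer, one target, one hitman.
local alice  = { name = "alice",  money = 5000 }
local bob    = { name = "bob",    money = 0 }
local hitman = { name = "hitman", money = 0 }

local cases = {
	{ target = bob, hitman = hitman, amount = -9999999999 },  -- value from the post
	{ target = bob, hitman = hitman, amount = 0/0 },          -- NaN
	{ target = bob, hitman = hitman, amount = 250.5 },        -- fractional
	{ target = bob, hitman = hitman, amount = 1000 },         -- legitimate
}
for _, hitData in ipairs(cases) do
	local ok, reason = requestHit(alice, hitData, config)
	print(hitData.amount, ok, reason or "accepted", alice.money)
end
```

Only the last request changes the payer's balance; the first three are rejected before any money moves.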

looks fine to me on scriptfodder.

That might be the case.
But I asked him specifically if it was patched already and he just kept insisting it never existed.

Yeah but what you didn’t notice is the version of ScriptFodder is 0.7

Coderhire version is 0.6

I don’t know why coderhire had the outdated version, all I know is that ScriptFodder has the correct one.
Also, nowadays most servers have cs lua disabled or anticheats of some sorts installed on the servers.

Oh, yeah, thanks for 10 bucks btw.

@Handsome Matt

It is possible that it was fixed on scriptfodder.
He sent me the exploitable version of the checkhit function over steam though. Why would he do that?
Maybe he just updated it like 5 mins ago?

Wow you honestly have your head up your ass. You have fucked up several times and ALWAYS blame other people. *cough* Alchemy Mod *cough*

[editline]16th September 2014[/editline]

Thank you syl0r for pointing out yet another fuck up by Neth (:

im dumb

Read it again. He did bring it up to Neth, and Neth denied the exploit…

[del]He did. The author denied the exploit's existence.[/del]
ninja’d

Of course I kept on insisting it never existed.
You know what they say - if I knew I would fall, I would sit instead.

It is possible that I forgot to add the new check to serverside code after removing the check if reward > 0 (since 0.6b had ‘minimal reward’ setting in the config, so I was checking if reward > minimal reward instead), glad that at least I haven’t forgotten to add it on the client side so not everyone could find the exploit.
But I’ve added it on 0.7b and it was there in my addons folder.

Yeah, capital letters in model names is surely my fault and not the modelers. /sarcasm

Why don’t you guys work on your own addons and see that it’s almost impossible to check script for everything while working on it alone and testing it with bots.

Actually I’ve sent you the code from a folder on my desktop, it’s where I drop all the necessary files before I upload them to coderhire.
I always work on the addon, then once it’s done I move it to the desktop, it is possible that I’ve dropped the modified version to the folder and uploaded it from addons instead.
Whatever the reason for it not being on coderhire is, I know that it’s my mistake - I am just very busy with my health recently and while it is not a good excuse since I am getting paid for the addons I am only a human and nobody is perfect.

This is the check you sent me over steam:


if(hitData.reward < 0) then return end

So tell me Neth, why is the check that is in the scriptfodder version so much different from the one you sent me?
(no error message, no false)

And yeah Chibby, you gonna flame about it again?

http://puu.sh/bBRnH/9a9790c724.jpg

:v:

I told you it should be in checks function, not in addRequest and it’s weird that it isn’t.
Now I know why.

ANYWAYS, I am not gonna continue this conversation.
I’ve done what I could, got nothing else to add.

neth just stop ur bade at leying

This.
Testing alone with bots is the biggest bitch.

Neth is mad as fuck.

syl0r you have won my good sir!

Obviously, I am crying now.

Chibby starts more shit that he can’t finish, all this drama is getting repetitive.