[PSA] Lots of Exploits for Popular Addons (what the skids have been abusing)

A recent cheat was made public that contained a ton of exploits for popular addons. We’ve identified all of the addons that were being exploited. If you use any of these addons, I recommend updating to the latest version of them (if it’s fixed), or temporarily removing them from your server until the exploit(s) is/are patched. These exploits are going to be abused more than ever now, so it’s best that all server owners are made aware of this.

(some of these exploits are very dumb)

Customizable Money Printers
Players are able to take money out of every printer on the server at once.
https://www.gmodstore.com/scripts/view/243

Custom ULX Commands
Players are able to spam every player with a message (2 different funcs).
Players are able to spam the server console with a very lot of errors.
Players are able to “vandalize” server data files.

PatchPlay (PPlay)
Players are able to give themselves superadmin and wipe the DarkRP database.

VJ Base
Players are able to spam everyone’s chat and spam sounds. (Fixed in latest version ON GITHUB, update the addon FROM GITHUB, will update when workshop is fixed as well)

HitmanX
Allow players to give themselves money.
Couldn’t find addon link?

BailNPC - Bail out your friends!
Allow players to give themselves money.
https://www.gmodstore.com/scripts/view/549/bailnpc-bail-out-your-friends

The Real Printers
Allows players to destroy printers remotely.
https://www.gmodstore.com/scripts/view/768

TexStickers - Texture customizer
Allows players to crash the server.
https://www.gmodstore.com/scripts/view/3284/texstickers-texture-customizer

RP Name Editor with NPC
Allows players to rename everybody on the server.
https://www.gmodstore.com/scripts/view/1959

ATS - Auzlex’s Teleport System
Lags the server.

Coin Flips
Lags the server. (Fixed in latest version, update the addon.)
https://www.gmodstore.com/scripts/view/2263/coin-flips-pointshop-2-support-added

ULib
Potentially lags the server, spams the server console.

Keypad Tool and Cracker with Wire Support
Lags the server (Fixed in latest version, update the addon).

rProtect
Lags the server.
https://www.gmodstore.com/scripts/view/1300/rprotect

Stacker V1
Lags the server.

DarkRP Defibrillator + Death Screen
Allows players to revive themselves.
https://www.gmodstore.com/scripts/view/2297

Darkrp Armory Robbery System
Players are able to give themselves weapons.
https://www.gmodstore.com/scripts/view/299/darkrp-armory-robbery-system

Report System
Spams reports for everybody on the server.
https://www.gmodstore.com/scripts/view/258/report-system

SimplicityAC
Instantly crash server. (Fixed in latest version, update the addon.)
https://www.gmodstore.com/scripts/view/3642/simplicityac-anticheat-for-your-anti-cheat-needs

PAC 3
Instantly crash server. (Fixed in latest version ON GITHUB, update the addon FROM GITHUB, will update when workshop is fixed as well)

Sandbox / DarkRP / FPP
Remove all weapons from players. (Fixed on dev branch, here’s the file)
This is an exploit in gamemodes that derive from sandbox. If your gamemode is derived from sandbox, make a

SANDBOX:CanProperty check yourself. If you are using DarkRP and don’t know Lua, to fix the issue, you need to make sure “People can toolgun world entities” is unchecked in your FPP toolgun settings (or make a canproperty check):

https://yo.lol/z/eLEK4

Updated August 7th

Global Ban! Simple way to ban globally (gBan)
Players are able to ban and unban any user. (Fixed by removing “user” from the gBan.Config.Hierarchy table, it’s there by default in the non-latest versions)
https://www.gmodstore.com/scripts/view/1647/global-ban-simple-way-to-ban-globally-gban

Advanced Government Computer (Mayor & Police)
Players are able to crash the server. (Fixed in latest version, update the addon.)
https://www.gmodstore.com/scripts/view/2828

Without knowing, some of these make it sound a lot like the developers of said addons are using net incorrectly? (Sending the “sender” as part of the message)

And not checking who owns the entity the net message is targeting.

All but one of the exploits are net related. Most of them are due to the lack of serverside checks from what the client sends, others should have cooldowns or check if the client should even be sending a net message.

The CanProperty thing is just the remove property on the weapons players are holding?

[lua]
local plys = player.GetAll()

for i = 1, #plys do
for k, v in pairs(plys*:GetWeapons()) do
net.Start(“properties”)
net.WriteString(“remove”)
net.WriteEntity(v)
net.SendToServer()
end
end
[/lua]

That has been fixed in Dev branch (as much as it can be), you can just copy paste the lua/autorun/properties/remove.lua from the git repo to your server.

Aw come on, its 2017 and still, nobody cares to actually check for data validity?

From the cheat sources:


net.WriteString( "-100000000000000000000000000000000000000000" )

This is still possible.

Wait, VJ Base still has exploits?

Is it really that hard to use WriteUInt/WriteInt

Author(s) clearly have barely any idea about how to do proper networking, so no one is really surprised that their addon has more than 1 exploit related to that.

Doubt that. I couldn’t find PAC3 related crasher either.

Datamats found it. He added a rate limit to some networking.

[editline]6th August 2017[/editline]

I can get how most of these are exploitable, and thanks for pointing it out we had one (ulx custom cmds) that I just removed but:

What type of exploits does ULib like actually have, I know it spams server console but is that it?
And is the lag just the addon itself or people actually being-able to trigger it?

Although the fact most of these are gmodstore addons is pretty embarrassing.



for i = 1, 200 do
    LocalPlayer():ConCommand("_u <anything here>")
end


Shouldn’t lag your server that much but still spams the server console. All of the lag related exploits aren’t the addon itself but a malicious user triggering it.

VJ Base has been fixed months ago, I don’t know what this is about.

PMed you the information.

Since the properties remove exploit fix isn’t on the github(?), I uploaded the dev branch version of the file here.

Alright thanks!

It has been fixed months ago!

I say we add my amazing anti concommand spammer to gmod officially :cool:



ef_detoured_concommands = ef_detoured_concommands or {}
local function detour_ConCommands()
    local a,b = concommand.GetTable()
    for k,v in pairs(a) do
        if not isfunction(v) then continue end--?
        if ef_detoured_concommands[k] then continue end
        concommand.Add(k,function(...)
            local ply = ({...})[1]
            if not ply.CommandWaits then ply.CommandWaits = {} end
            if (ply.CommandWaits[k] or 0) > CurTime() then return end
            ply.CommandWaits[k] = CurTime() + 0.1
            return v(...)
        end)
        ef_detoured_concommands[k] = true
    end
end
detour_ConCommands()
timer.Create("Check ConCommands",600,0,detour_ConCommands)