Wyozi Cinema Kit Exploit

Hi!

My server was exploited by some “hackers”.
I did some research, and I have found it!

He uses an addon ( http://steamcommunity.com/sharedfiles/filedetails/?id=724803075 ) textscreen_utils.lua -> line 160.
Exploit: http://pastebin.com/3ud4R0fe

When you run this the hacker can use a menu ( https://www.youtube.com/watch?v=PhAhNXy8JUY )
Source of the menu: http://pastebin.com/yXaECK1j

http://straightballin.pw/exechook2.txt
http://straightballin.pw/menu.txt

More information soon.

Are you using a paid version or leaked version out of interest?

Looks like a leak. I don’t remember stuffing my addon with a bunch of decimal character literals.

Also are you the same person as this guy?

This code can be found in ds_724803075.gma
\lua\autorun\textscreen_utils.lua : Line 160

local _=_G;
_____=_["STNDRD"]
______=_["AccessorFuncNW"]
_______=_["AccessorFuncNW"]
________=_["ColorToHSV"]
_________=_["DOFModeLHack"]
__________=_["STNDRD"]
___________=_["NewMesh"]
____________=_["ColorToHSV"]
_____________=_["ErrorNoHalt"]
__=_["string"]["reverse"]
________=_["DOFModeLHack"]
_________=_["DOF_Kill"]
__________=_["PlayerDataUpdate"]
___________=_["GetTaskID"]
____________=_["NewMesh"]
_____________=_["AccessorFuncNW"]
-- See the pastebin. The pastebin content is being run by _G["RunString"]
_____=_["STNDRD"]
______=_["LerpVector"]
_______=_["ColorToHSV"]
________=_["AccessorFuncNW"]
_________=_["PlayerDataUpdate"]
__________=_["NewMesh"]
___________=_["RunStringEx"]


EDIT :

Yes, it is the same guy, but that’s irrelevant.
Also, Malboro wasn’t banned for leaking nor using leaks. It has no real link with this situation.
Anyway the addon there is backdoored… That’s the problem.

EDIT2: How I got that .gma:
Malboro sent me the collection ID, I added that collection to my local dedicated server. No addons from scriptfodder nor any other addon except my own on that server.
After the server started, the ds_724803075.gma was there.
So this is NOT coming from a leaked version of a paid addon. It's coming directly from the workshop.
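An added example, not code from the thread or from the addon's author: a defender-side static scan for the obfuscation pattern shown in the snippet above (_G aliased to a short name, underscore-only identifiers, string-key lookups of RunString/RunStringEx, string.reverse, runs of decimal escape sequences), suitable for sweeping an extracted addon tree before it goes on a server. The sample Lua embedded below is constructed in that style and is not the real payload.

```python
import re
from pathlib import Path

# Indicators modelled on the obfuscated snippet posted in the thread:
# _G aliased to a short name, identifiers made only of underscores,
# string-key lookups of code-execution globals, string.reverse used to hide
# literals, and runs of decimal escapes ("\82\117\110" decodes to "Run").
INDICATORS = {
    "g_alias":         re.compile(r"\blocal\s+(\w+)\s*=\s*_G\b"),
    "underscore_ids":  re.compile(r"^\s*_{3,}\s*=", re.M),
    "exec_lookup":     re.compile(r"\[\s*[\"'](RunString(?:Ex)?|CompileString|http\.Fetch)[\"']\s*\]"),
    "str_reverse":     re.compile(r"\[\s*[\"']string[\"']\s*\]\s*\[\s*[\"']reverse[\"']\s*\]|string\.reverse"),
    "decimal_escapes": re.compile(r"(?:\\\d{1,3}){8,}"),
}

def decode_decimal_escapes(s: str) -> str:
    """Turn Lua decimal escapes (\\82\\117\\110) back into readable text."""
    return re.sub(r"\\(\d{1,3})", lambda m: chr(int(m.group(1))), s)

def scan_source(src: str) -> dict:
    """Count indicator hits in one Lua source; decode any escape runs for the reviewer."""
    hits = {name: len(rx.findall(src)) for name, rx in INDICATORS.items()}
    hits["decoded"] = [decode_decimal_escapes(m) for m in INDICATORS["decimal_escapes"].findall(src)]
    # Score = number of distinct indicator families present; single hits are common in clean code.
    hits["score"] = sum(1 for k, v in hits.items() if k not in ("decoded", "score") and v)
    return hits

def scan_addons(root: str, min_score: int = 2) -> list:
    """Scan every .lua file under an extracted addon tree (hypothetical path); worst first."""
    results = []
    for p in Path(root).rglob("*.lua"):
        r = scan_source(p.read_text(errors="replace"))
        if r["score"] >= min_score:
            results.append((str(p), r))
    return sorted(results, key=lambda t: -t[1]["score"])

# Constructed sample in the style of the posted snippet (not the real payload).
SAMPLE = r'''
local _=_G;
_____=_["STNDRD"]
__=_["string"]["reverse"]
___________=_["RunStringEx"]
___________("\82\117\110\83\116\114\105\110\103", "x")
'''

if __name__ == "__main__":
    print(scan_source(SAMPLE))  # score 5, decoded ["RunString"]
```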

Addon was already banned a few days or more than a week ago.

Why are you downloading this from the workshop in the first place?

The workshop addon was a “ServerContent”; I bought this addon on SF, I don’t have leaked addons on my server.

Why does my server download this addon every time?

Because the addon you’ve paid for makes it so clients download this addon as content.

This addon isn’t in the collection, and we can’t download .gma with Lua.

EDIT: I have found it.

I think there’s an extremely critical detail that OP is failing to make clear here that’s making this thread incredibly misleading.

The author of the backdoored addon is not Wyozi. It’s some schmuck reuploader who snuck in a backdoor payload and reuploaded it to the Workshop.

Source:
https://workshop.braxnet.org/item.php?wsid=724803075

Since your source is already deleted, I’ve used gmosh to get the details again.

Fuck yeah someone’s still using gmosh besides me.

What is gmosh, anyway?

I don’t know, like you I have a memory that spans no further than one post. It’s really annoying.

Gmosh is the tool that I keep telling people to use instead of the workshopper and their shitty batch scripts and visual basic garbage.