CS2D - Lua Exploits (English)

22 replies
CS2D - Lua Exploits

mafia_man
User

Recently I found a few Lua exploits which can allow a hacker to execute any command on the server. It's something like Lua injection.

I will show a few examples here.
First Example:

addhook("team", "onTeam")
function onTeam(id)
	parse('hudtxt2 '.. id ..' 1 "'.. player(id, "name") ..'" 0 0 0');
end

Looks like it's not possible to execute a command server-side with this, right? But no, it's possible. Let's take a look at how the command will be executed:

hudtxt2 1 1 "NAME" 0 0 0

Now let's try something better as the name:

" 0 0 0; exit;

Now it will look like this:

hudtxt2 1 1 "" 0 0 0; exit;" 0 0 0

After the player joins a team, the server will shut down, because it executed the command exit.
http://screenshooter.net/8536295/sjkkyxs
You should filter the name first.

Second Example:
Saving player data as a Lua script. I tested it on weiwen's script. Even though he used string.format, I could fuck up the players' database.

This is what the saved database looks like:

-- PLAYERCACHE --

PLAYERCACHE[9102] = {Inventory={}, Tutorial={}, MP=100, Money=300, name="mafia_man", y=51, Equipment={}, x=60, Experience=0, tmp={usgn=9102, atk=1, def=1, equip={{}, {}, {}, {}, {}, {}, {}, {}, {}}, exhaust={talk=true}, hp=100, spd=0}, Info={}, Level=1, HP=200, Spawn={1936, 1648}}


-- GLOBAL STORAGES --

GLOBAL["TIME"] = 285
GLOBAL["RAIN"] = 0

So what's wrong here? Cuz weiwen uses string.format to save the player name.
I tried "--[[ as the name and what happened?

PLAYERCACHE[9102] = {Inventory={}, Tutorial={}, MP=100, Money=300, name='"--[['

Lua itself changed the quote type.
Let's try both '" now - '"--[[

PLAYERCACHE[9102] = {Inventory={}, Tutorial={}, MP=100, Money=300, name="'\"--[["

The quote character has been fixed with an escape character.
Now let's try this using an escape character: \''\""--

PLAYERCACHE[9102] = {Inventory={}, Tutorial={}, MP=100, Money=300, y=51, x=60, name="\''\\"\"--",

http://screenshooter.net/8536295/uuqcnku
This one \ character will fuck up the whole database.

I tested both of these examples and they work. Please fix your lua scripts!
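
One way to write such a save file so that no player name can leave its string literal, as an added example that is not part of the original post and is not weiwen's script: every string goes through `string.format("%q", ...)`, and the saved text is loaded into an empty environment. The names `serialize` and `deserialize` and the sample record are constructed for illustration.

```lua
-- Added example: write records as Lua source; %q keeps each string in its literal.
local function serialize(v, out)
  out = out or {}
  local t = type(v)
  if t == "string" then
    out[#out + 1] = string.format("%q", v)  -- escapes ", \ and newlines
  elseif t == "number" or t == "boolean" then
    out[#out + 1] = tostring(v)
  elseif t == "table" then
    out[#out + 1] = "{"
    for k, val in pairs(v) do
      out[#out + 1] = "["
      serialize(k, out)
      out[#out + 1] = "]="
      serialize(val, out)
      out[#out + 1] = ","
    end
    out[#out + 1] = "}"
  else
    error("cannot serialise a " .. t)
  end
  return out
end

-- Load the saved text with an empty environment so it can only build data.
local function deserialize(src)
  local chunk, err
  if setfenv then                        -- Lua 5.1 / LuaJIT
    chunk, err = loadstring("return " .. src, "save")
    if chunk then setfenv(chunk, {}) end
  else                                   -- Lua 5.2 and later
    chunk, err = load("return " .. src, "save", "t", {})
  end
  if not chunk then return nil, err end
  local ok, value = pcall(chunk)
  if not ok then return nil, value end
  return value
end

-- The three names tried in the post above (the record around them is constructed).
local names = { [=["--[[]=], [=['"--[[]=], [=[\''\""--]=] }
for _, name in ipairs(names) do
  local record = { name = name, Money = 300, Spawn = { 1936, 1648 } }
  local src = table.concat(serialize(record))
  local back = assert(deserialize(src))
  assert(back.name == name and back.Money == 300 and back.Spawn[2] == 1648)
  print(src)
end
```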

Re: CS2D - Lua Exploits

Jynxxx
User

Time to mess up some Tibia servers

Admin/Mod comment

This is not funny and you will be punished if you do that. /DC

Re: CS2D - Lua Exploits

Reaper
User

Why do you post exploits on an official forum, which is full of trolls and kids? Just send the information to DC via PM or contact the writers of the lua script.

Re: CS2D - Lua Exploits

Reaper
User

I am not familiar with the Lua scripting language, but I'm pretty sure that there is something like custom exception handling. Or adding a simple if-query with a list of possibly dangerous player names, and if the name of the player is included in the list, the script isn't executed. To be honest, I'm pretty tired at the moment so I didn't read your whole start post.

But I think you agree that posting it on this forum won't help either; it's more likely that some kids will use this information to shut down servers. And yes, DC can't do much about it, besides deactivating Lua support. But maybe the writers of the Lua scripts could optimise their code.

Re: CS2D - Lua Exploits

mafia_man
User

Using this name isn't possible without memory editing, so not all kids can use this. Player name memory is dynamic, and DC could fix this by checking the player name server-side (this can also be done with a Lua script).

Not only the name affects this. Making custom colored chat using sv_msg instead of the Lua function msg, and messaging

"; exit;

will work the same way.

Re: CS2D - Lua Exploits

Reaper
User

Yes, you are right about that, but you don't have to know how a car works, to just drive it.

Re: CS2D - Lua Exploits

Alistaire
User

Reaper wrote:
Blahblahblah I look so smart blahblahblah


Oh so we gotta optimize Lua scripts for EVERY SINGLE KIND OF EXPLOIT someone could use? You know how stupid that sounds?

Re: CS2D - Lua Exploits

DC
Admin

Thank you for pointing this out. I never thought about that. I'll change two things to handle this:

√ I'll disallow ";" in player names (with server-sided check of course)
√ I'll add an optional parameter to the parse command "stop at semicolon" which defaults to 1

The solution for parse doesn't completely stop people from messing around with scripts (they can then cut parameters away by using ";") but it will at least stop people from being able to execute commands.

So scripters should always check user input before using it with cs2d lua cmd parse!
Edited 1×, last on 31.08.12 16:00:15
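
The input check asked for above, written out as an added example that is not part of the original thread or of CS2D itself: it builds the `hudtxt2` line from the first post with and without filtering and tests whether the result is still a single command. `clean_arg`, `hudtxt2_cmd` and `is_single_command` are hypothetical helper names, and the example assumes that dropping `"`, `;` and control characters from displayed text is acceptable.

```lua
-- Added example; runs in plain Lua. CS2D's parse() is only referenced in comments.

-- The hook from the first post: the name is concatenated in unfiltered.
local function hudtxt2_cmd_unfiltered(id, name)
  return 'hudtxt2 ' .. id .. ' 1 "' .. name .. '" 0 0 0'
end

-- Drop the characters that end a quoted parameter or start a new command.
local function clean_arg(s)
  local cleaned = tostring(s):gsub('[%c";]', "")
  return cleaned
end

-- Build the command from validated integers and one cleaned, quoted string.
local function hudtxt2_cmd(id, txtid, text)
  id, txtid = tonumber(id), tonumber(txtid)
  if not id or not txtid or id % 1 ~= 0 or txtid % 1 ~= 0 then
    return nil, "id and txtid must be integers"
  end
  return string.format('hudtxt2 %d %d "%s" 0 0 0', id, txtid, clean_arg(text))
end

-- True when the line holds one command with exactly one quoted parameter.
local function is_single_command(cmd)
  local _, quotes = cmd:gsub('"', "")
  return quotes == 2 and not cmd:find("[;%c]")
end

-- Names taken from the thread, plus an ordinary one (constructed input).
for _, name in ipairs({ "mafia_man", '" 0 0 0; exit;', '"; exit;' }) do
  local raw, safe = hudtxt2_cmd_unfiltered(1, name), hudtxt2_cmd(1, 1, name)
  assert(is_single_command(safe))
  print(string.format("%-5s %s", tostring(is_single_command(raw)), raw))
  print(string.format("%-5s %s", "true", safe))
end

-- In a CS2D script the team hook would then read:
--   function onTeam(id)
--     local cmd = hudtxt2_cmd(id, 1, player(id, "name"))
--     if cmd then parse(cmd) end
--   end
```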

Re: CS2D - Lua Exploits

maPmaKer
User

This is quite a good thread, and it should be read by anyone who's planning to use Lua scripts on their server(s). Good job, sir.

Re: CS2D - Lua Exploits

Infinite Rain
Reviewer

Yep, mafia_man warned me before lol. Now I will use this to prevent Lua Injection by name in my RPGx: IMG:https://img217.imageshack.us/img217/876/rpmap00004.jpg


It is with RPG style and Lua Injection free

Re: CS2D - Lua Exploits

Infinite Rain
Reviewer

Suprise wrote:
Woah, Factis nice, nice. At least it works?
And how you can press shift+2 for @? xd

It is working perfectly. And you will see it when my server is online.

Re: CS2D - Lua Exploits

Yates
Reviewer

eXpLoit wrote:
@mafia_man: Thank You, for posting this cause it's big helpful!

No need to act tough Laurence, you are 8 and probably won't be able to succeed in abusing this.

Have a nice whatever time of day it is in the Philippines.

Re: CS2D - Lua Exploits

Blunt
User

mafia_man wrote:
I tested both of these examples and they work. Please fix your lua scripts!


please give the owner the server back..
you tell us the error in the lua scripts, and what are you doing??
you hack some tibia server. its so funny wa? im not a admin or mod, i think you will ignore my post, or just troll me. have fun... (when you hacked the server, i think your sig say all.)

is it false what i say? if yes, a big sorry to mafia_man.

Re: CS2D - Lua Exploits

EngiN33R
Moderator

First of all, there was no reason to revive the thread with a scornful post.

Blunt wrote:
i think your sig say all.

He doesn't have a sig as of 08.10.2012.

Blunt wrote:
please give the owner the server back..

This thread would not exist if his intention was keeping the servers that he could use those exploits on, would it?

Blunt wrote:
you tell us the error in the lua scripts, and what are you doing??

He's contributing to the overall security of CS2D by finding those exploits.

Blunt wrote:
you hack some tibia server. its so funny wa?

I don't know if the process of finding and applying exploits is an enjoyable one, but if it wasn't for him, many more servers would have been overrun by hackers. A few of them temporarily disabled for a short time is certainly better than waves of hackers endlessly assaulting servers with the exploits mentioned above.