English CS2D - Lua Exploits


old CS2D - Lua Exploits

mafia_man
User
Recently I found a few Lua exploits which can allow a hacker to execute any command on the server. It's something like Lua injection.

I will show a few examples here.
First Example:
addhook("team", "onTeam")
function onTeam(id)
	parse('hudtxt2 '.. id ..' 1 "'.. player(id, "name") ..'" 0 0 0');
end
Looks like it's not possible to execute a command server-side with this, right? But no, it's possible. Let's take a look at how the command will be executed:
hudtxt2 1 1 "NAME" 0 0 0

Now let's try something better as the name:
" 0 0 0; exit;

Now it will look like this:
hudtxt2 1 1 "" 0 0 0; exit;" 0 0 0

After the player joins a team, the server will shut down, because it executed the command exit.
http://screenshooter.net/8536295/sjkkyxs
You should filter the name first.

Second Example:
Saving player data as a Lua script. I tested it on weiwen's script. Even though he used string.format, I could fuck up the players database.

This is how the saved database looks:
-- PLAYERCACHE --

PLAYERCACHE[9102] = {Inventory={}, Tutorial={}, MP=100, Money=300, name="mafia_man", y=51, Equipment={}, x=60, Experience=0, tmp={usgn=9102, atk=1, def=1, equip={{}, {}, {}, {}, {}, {}, {}, {}, {}}, exhaust={talk=true}, hp=100, spd=0}, Info={}, Level=1, HP=200, Spawn={1936, 1648}}


-- GLOBAL STORAGES --

GLOBAL["TIME"] = 285
GLOBAL["RAIN"] = 0
So what's wrong here? Cuz weiwen uses string.format to save the player name.
I tried "--[[ as the name and what happened?
PLAYERCACHE[9102] = {Inventory={}, Tutorial={}, MP=100, Money=300, name='"--[['
Lua itself changed the quote type.
Let's try both '" now - '"--[[
PLAYERCACHE[9102] = {Inventory={}, Tutorial={}, MP=100, Money=300, name="'\"--[["
The quote character has been fixed with an escape character.
Now let's try this using an escape character: \''\""--
PLAYERCACHE[9102] = {Inventory={}, Tutorial={}, MP=100, Money=300, y=51, x=60, name="\''\\"\"--",
http://screenshooter.net/8536295/uuqcnku
This one \ character will fuck up the whole database.

I tested both of these examples and they work. Please fix your lua scripts!
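
Added example, not part of the original post and not weiwen's code: the corrupted line in the second example is what a writer produces when it escapes quotes but not the backslash. The sketch compares an assumed quote-only escaper with `string.format("%q", ...)` and reloads each record to check that the name survives; `naive_quote`, `safe_quote` and `round_trip` are hypothetical names, and the sample names are the ones tried in the post.

```lua
-- Added example. Plain Lua 5.1 or later, no CS2D API needed.
local load_chunk = loadstring or load   -- Lua 5.1 / Lua 5.2+

-- Assumed reconstruction of a quote-only escaper. It reproduces the broken
-- line quoted in the post because the backslash itself is never escaped.
local function naive_quote(s)
    return '"' .. s:gsub('"', '\\"') .. '"'
end

-- %q escapes backslashes, double quotes and newlines, so the literal reads
-- back as exactly the same string.
local function safe_quote(s)
    return string.format("%q", s)
end

-- Write one record the way the database file does, load it as Lua and
-- return the stored name (nil plus the error if the file no longer parses).
local function round_trip(quote, name)
    local chunk = "local PLAYERCACHE = {}\n"
        .. "PLAYERCACHE[9102] = {Money=300, name=" .. quote(name) .. ", Level=1}\n"
        .. "return PLAYERCACHE[9102].name"
    local fn, err = load_chunk(chunk)
    if not fn then return nil, err end
    return fn()
end

-- The names tried in the post, plus an ordinary one.
local names = { "mafia_man", '"--[[', [=['"--[[]=], [=[\''\""--]=] }

for _, name in ipairs(names) do
    local naive = round_trip(naive_quote, name)
    local safe = round_trip(safe_quote, name)
    -- naive is nil for the last name: the record is a syntax error.
    print(name, "quote-only ok:", naive == name, "%q ok:", safe == name)
    assert(safe == name)
end
```

Because the database file is loaded as Lua source, anything that ends the string early is parsed as code, so the check that matters is that every stored value reloads unchanged.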

old Re: CS2D - Lua Exploits

Jynxxx
User
Time to mess up some Tibia servers

Admin/mod comment

This is not funny and you will be punished if you do that. /DC

old Re: CS2D - Lua Exploits

Reaper
User
Why do you post exploits on an official forum, which is full of trolls and kids? Just send the information to DC via PM or contact the writers of the lua script.

old Re: CS2D - Lua Exploits

Reaper
User
I am not familiar with the Lua scripting language, but I'm pretty sure that there is something like custom exception handling. Or adding a simple if-query with a list of possibly dangerous player names, and if the name of the player is included in the list, the script isn't executed. To be honest, I'm pretty tired at the moment so I didn't read your whole start post.

But I think you agree that posting it on this forum won't help either, it's more likely that some kids will use this information to shut down servers. And yes, DC can't do much about it, besides deactivating Lua support. But maybe the writers of the Lua scripts could optimise their code.

old Re: CS2D - Lua Exploits

mafia_man
User
Using this name isn't possible without memory editing, so not all kids can use this. Player name memory is dynamic, and DC could fix this by checking the player name server-side (this can also be done with a Lua script).

Not only the name affects this. Making custom colored chat using sv_msg instead of the Lua function msg, and messaging
"; exit;
will work the same way.

old Re: CS2D - Lua Exploits

Reaper
User
Yes, you are right about that, but you don't have to know how a car works, to just drive it.

old Re: CS2D - Lua Exploits

Alistaire
User
user Reaper has written
Blahblahblah I look so smart blahblahblah


Oh so we gotta optimize Lua scripts for EVERY SINGLE KIND OF EXPLOIT someone could use? You know how stupid that sounds?

old Re: CS2D - Lua Exploits

DC
Admin
Thank you for pointing this out. I never thought about that. I'll change two things to handle this:

√ I'll disallow ";" in player names (with server-sided check of course)
√ I'll add an optional parameter to the parse command "stop at semicolon" which defaults to 1

The solution for parse doesn't completely stop people from messing around with scripts (they can then cut parameters away by using ";") but it will at least stop people from being able to execute commands.

So scripters should always check user input before using it with cs2d lua cmd parse!
edited 1×, last 31.08.12 04:00:15 pm
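
Added example, not part of the thread: one way to check user input before it reaches parse, using the hudtxt2 line from the first post. The helper names are hypothetical, and the console model used for the demo (a ';' outside double quotes separates commands) is an assumption.

```lua
-- Added example. Plain Lua 5.1 or later, no CS2D API needed.

-- The first post's hook, reduced to the string it hands to parse().
local function unsafe_cmd(id, name)
    return 'hudtxt2 ' .. id .. ' 1 "' .. name .. '" 0 0 0'
end

-- Drop what the thread shows to be dangerous: '"' ends the quoted parameter
-- and ';' starts a new command. Control characters go too (assumption: a
-- precaution, the thread does not discuss them).
local function console_safe(value)
    local cleaned = tostring(value):gsub('[%c";]', "")
    return cleaned
end

local function safe_cmd(id, name)
    return string.format('hudtxt2 %d 1 "%s" 0 0 0', id, console_safe(name))
end

-- Assumed console model, for the demo only: returns how many non-empty
-- commands a line splits into.
local function count_commands(line)
    local n, in_quotes, current = 0, false, ""
    for ch in line:gmatch(".") do
        if ch == '"' then in_quotes = not in_quotes end
        if ch == ";" and not in_quotes then
            if current:match("%S") then n = n + 1 end
            current = ""
        else
            current = current .. ch
        end
    end
    if current:match("%S") then n = n + 1 end
    return n
end

-- Sample names: an ordinary one and the one from the first post.
for _, name in ipairs({ "mafia_man", '" 0 0 0; exit;' }) do
    local before, after = unsafe_cmd(1, name), safe_cmd(1, name)
    print(count_commands(before), before)
    print(count_commands(after), after)
    assert(count_commands(after) == 1)
    assert(not console_safe(name):find('[";]'))
end
```

In a hook this would be called as `parse(safe_cmd(id, player(id, "name")))`. Stripping both characters also covers the parameter cutting DC mentions, which the parse change alone does not stop.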

old Re: CS2D - Lua Exploits

maPmaKer
User
This is quite a good thread, and it should be read by anyone who's planning to use Lua scripts on their server(s). Good job, sir.

old Re: CS2D - Lua Exploits

Infinite Rain
Reviewer
Yep, mafia_man warned me before lol. Now I will use this to prevent Lua Injection by name in my RPGx: IMG:https://img217.imageshack.us/img217/876/rpmap00004.jpg


It is with RPG style and Lua Injection free

old Re: CS2D - Lua Exploits

Infinite Rain
Reviewer
user Suprise has written
Woah, Factis nice, nice. At least it works?
And how you can press shift+2 for @? xd

It is working perfectly. And you will see it when my server will be online.

old Re: CS2D - Lua Exploits

Yates
Reviewer
user eXpLoit has written
@user mafia_man: Thank you for posting this, cause it's big helpful!

No need to act tough Laurence, you are 8 and probably won't be able to succeed in abusing this.

Have a nice whatever time of day it is in the Philippines.

old Re: CS2D - Lua Exploits

Blunt
User
mafia_man has written
I tested both of these examples and they work. Please fix your lua scripts!


Please give the owner the server back..
You tell us the error in the Lua scripts, and what are you doing??
You hack some Tibia server. It's so funny, wa? I'm not an admin or mod, I think you will ignore my post, or just troll me. Have fun... (When you hacked the server, I think your sig says it all.)

Is it false what I say? If yes, a big sorry to user mafia_man.

old Re: CS2D - Lua Exploits

EngiN33R
Moderator
First of all, there was no reason to revive the thread with a scornful post.

user Blunt has written
I think your sig says it all.

He doesn't have a sig as of 08.10.2012.

user Blunt has written
Please give the owner the server back..

This thread would not exist if his intention was keeping the servers that he could use those exploits on, would it?

user Blunt has written
You tell us the error in the Lua scripts, and what are you doing??

He's contributing to the overall security of CS2D by finding those exploits.

user Blunt has written
You hack some Tibia server. It's so funny, wa?

I don't know if the process of finding and applying exploits is an enjoyable one, but if it wasn't for him, many more servers would have been overrun by hackers. A few of them temporarily disabled for a short time is certainly better than waves of hackers endlessly assaulting servers with the exploits mentioned above.