search

Exiled-Team / EXILED

A high-level plugin framework for SCP: Secret Laboratory servers. It offers an event system for developers to hook in order to manipulate or change game code, or implement their own functions.
https://www.exiled.to/
Other
275 stars 180 forks source link

[BUG] Consumable custom item duplication exploit #933

Closed SebasCapo closed 2 years ago

SebasCapo commented 2 years ago

Describe the bug I've seen this happen ever since Parabellum beta released, but didn't receive much reports of it happening again, just recently I decided to investigate and it seems like it still occurs. (Thought I'd clarify all of this before anyone jumps into the conclusion that 11.1 broke this)

Essentially, what happens is that players can duplicate custom items by consuming them and then dying (It happens on escape too, from what I've been told). CustomItems will spawn the item back at the player's location.

To Reproduce Steps to reproduce the behavior:

  1. Create a CustomItem of any consumable ItemType. (Such as SCP-500 or Adrenaline)
  2. Pick up the custom item. (THIS ONE IS OBLIGATORY, IF YOU GIVE YOURSELF IT THROUGH COMMANDS, DROP IT AND PICK IT UP)
  3. Consume the item.
  4. Die through whatever means necessary or escape. (Haven't tested the escape thing, but I've been shown through screenshots that it does happen)
  5. Go back to your corpse, the item will be there even if successfully consumed.

Expected behavior The item should be able to be consumed, but shouldn't spawn back on death/escape.

Server logs Not necessary.

EXILED Version ("latest" is not a version): Any version since Parabellum beta, to today's current version, 4.1.2.

Results of show plugins command in console: Not necessary.

Additional context None.

SebasCapo commented 2 years ago

Just tested this one in 4.1.6, this still happens even with #935.

Forgot to attach videos on the issue showcasing this, hope these help! (These were recorded in 4.1.2, but it behaves exactly the same in 4.1.6)

https://www.youtube.com/watch?v=ea-Lox6oe6A https://www.youtube.com/watch?v=3wHRPXzhMOI

SebasCapo commented 2 years ago

image

Just tested 4.1.7, still continues to happen!

joker-119 commented 2 years ago

Could you please provide a LocalAdmin log file so I can check for any hidden exceptions, because it doesn't really make sense to still be happening.

SebasCapo commented 2 years ago

Sorry, been away for a few days 😅

Here's the logs of my testing, in my previous tests I was using my own custom items, I've decided for this test I'd use your CustomItems plugin (The version Michal compiled in #testing-releases), and it also seems to happen with the Adrenaline custom item, so this seems to happen to any custom consumables? Since that custom item instantly kills you, it's perfect for testing this one.

Having reviewed CustomItem.cs, I didn't see anything that clearly indicated where an exception could be caused, but given this only happens when you picked up the custom item, could the issue be in here? Will give it a test in a few mins!

LocalAdmin Log 2021-12-30 18.04.42.txt

SebasCapo commented 2 years ago

Copy pasted & modified the entire AdrenalineInjection.cs custom item to include the following code:

image

My theory might be correct? The player's inventory, although it only shows it has 1 custom item when looking at it client-side, it shows as if it had more server-side:

[2021-12-30 19:04:42] [INFO] [CTEST] OnUsingItem:
[2021-12-30 19:04:42] [DEBUG] [CTEST] Adrenaline (200) [0.5] *(1.0, 1.0, 1.0)* [Check(item): True]
[2021-12-30 19:04:42] [DEBUG] [CTEST] Adrenaline (200) [0.5] *(1.0, 1.0, 1.0)* [Check(item): True]
[2021-12-30 19:04:44] [INFO] [CTEST] OnOwnerDying:
[2021-12-30 19:04:44] [DEBUG] [CTEST] Adrenaline (200) [0.5] *(1.0, 1.0, 1.0)* [Check(item): True]
joker-119 commented 2 years ago

Fixed from 93346a6