azerothcore / azerothcore-wotlk

Complete Open Source and Modular solution for MMO
http://www.azerothcore.org
GNU Affero General Public License v3.0

Core/Instance : Fix instance resetting exploit [$35 awarded] #2073

Closed wowmane closed 5 years ago

wowmane commented 5 years ago

Description: There is a way to leave players in any position inside an instance and keep them there even after an instance reset. You can exploit this to, for example, get to the last boss in the instance only one time and keep farming him without the need to clear the whole instance in order to get there, or to farm a chest/herb/etc.

Current behaviour: Offline players are kept in the same place even after an instance reset is done.

Expected behaviour: Can't say if it used to work in the same way during WotLK, but now, the player is teleported to the entrance (inside the instance) and each player gets a separate instance cooldown.

Steps to reproduce the problem:

  1. Get 2 players, use player A to invite player B to a group and convert it to a raid group.
  2. Set dungeon difficulty to Normal.
  3. `.go xyz 5334.45 2512.45 679.064 632` with both players
  4. Kill boss Bronjahm
  5. Logout player B
  6. With player A, leave the instance (`.go xyz 5670 2004.58 798.04 571`) and reset the instance, either by using the "Reset all instances" option or by changing Dungeon difficulty to heroic and back to normal.
  7. Enter the instance with player A
  8. Login with player B. Player B will be in the same position he was before, by the first boss, in a new instance cooldown.

Fix:

https://github.com/Aokromes/TrinityCore/commit/c2c47fc9699ee82ba0455ad5da5477cc6b20aad8

AC HASH/COMMIT: https://github.com/azerothcore/azerothcore-wotlk/commit/6db0a438d9dff3d1fab5f904657ed281f5dee6c7

OS: windows 2017

MODULES: Anticheat

---

The **[$35 bounty](https://www.bountysource.com/issues/76598852-core-instance-fix-instance-resetting-exploit?utm_campaign=plugin&utm_content=tracker%2F40032087&utm_medium=issues&utm_source=github)** on this issue has been claimed at [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F40032087&utm_medium=issues&utm_source=github).

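A minimal model of the login-time check the expected behaviour above implies, written as an added example; it is not AzerothCore or TrinityCore code and not the linked fix. `InstanceRegistry`, `SavedCharacter` and `ResolveLoginPosition` are hypothetical names, and the model assumes each reset destroys the old instance copy so that a saved position tied to it can be detected as stale.

```cpp
// Added illustration: simplified model, not AzerothCore or TrinityCore code.
#include <cstdint>
#include <map>

struct Position { float x, y, z; };

// What is persisted for an offline character (hypothetical layout).
struct SavedCharacter {
    uint32_t mapId;
    uint32_t instanceId;  // instance copy the character logged out in
    Position pos;
};

// Hypothetical stand-in for the server's bookkeeping of live instance copies.
class InstanceRegistry {
public:
    uint32_t Create(uint32_t mapId, Position entrance) {
        uint32_t id = ++nextId_;
        live_[id] = Instance{mapId, entrance};
        return id;
    }
    // A reset destroys the old copy; the next entry gets a fresh id.
    void Reset(uint32_t instanceId) { live_.erase(instanceId); }
    bool IsLive(uint32_t mapId, uint32_t instanceId) const {
        auto it = live_.find(instanceId);
        return it != live_.end() && it->second.mapId == mapId;
    }
    Position Entrance(uint32_t instanceId) const {
        return live_.at(instanceId).entrance;
    }
private:
    struct Instance { uint32_t mapId; Position entrance; };
    uint32_t nextId_ = 0;
    std::map<uint32_t, Instance> live_;
};

// The saved position is trusted only while the saved instance copy still exists.
// After a reset it is stale, so the character is placed at the entrance of the
// copy the group is currently bound to (currentInstanceId, an assumed input).
Position ResolveLoginPosition(const SavedCharacter& c, const InstanceRegistry& reg,
                              uint32_t currentInstanceId) {
    if (reg.IsLive(c.mapId, c.instanceId))
        return c.pos;
    return reg.Entrance(currentInstanceId);
}
```
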
ELdoBA commented 5 years ago

hmm, are you sure you can do this on AC? :)

wowmane commented 5 years ago

Yes, this exploit is new, and you can check the code.

This commit is from 16 days ago in TrinityCore, fixed.

FrancescoBorzi commented 5 years ago

@wowmane can you please open a PR with the fix?

talamortis commented 5 years ago

@wowmane are you able to test the current PR?