xzxADIxzx / Join-and-kill-em-together

Multikill is still in development, so I created my own multiplayer mod for Ultrakill
GNU Affero General Public License v3.0
139 stars, 26 forks

Exploits (server crashing, cheats bypass, mods bypass, partial ban bypass) #119

Open ilia-21 opened 3 weeks ago

ilia-21 commented 3 weeks ago

First of all, I want to thank you for this amazing project.

SEVERE: Crash exploit

People with forks can bypass the cheats restriction, and I talked with one of them. That person said that you can enable cheats, spam the screwdriver (green railcannon) into some and this is very likely to crash the host and the server with them because of the amount of particles. This is happening as of writing this on multiple servers, and it's really hard to identify who does that unless you are a host. In the case of a host: it probably receives the packets that are crashing their game, but doesn't send them to everyone due to the crash (my theory, I don't know anything about networking). The last thing the host sees is the frame with a lot of particles. But most importantly, on the player list in the bottom right the host can see whoever has zero railcannon charge; that player is the one who crashed the server.

Cheats bypass exploit

Already said in the previous paragraph: forked users can also use cheats (from the words of a forked user), even the debug cheats that allow spawning a lot of oil and killing everyone with fire.

Mods bypass

I tried it myself just because I'm tired of people who disable mods, like c'mon, everyone has mods. It's really easy by removing this line: https://github.com/xzxADIxzx/Join-and-kill-em-together/blob/c0014258271d37c561d5ad292b21fffb75f8898b/src/Jaket/World/Movement.cs#L270 This allows joining lobbies even if you have mods except Jaket installed. I assume making the mod check server-side is gonna solve this, but again I don't know whether you will make this so people just can't spoof the amount of mods.

Partial ban bypass

I heard this from a fork user, and also tried it myself (in a controlled environment, I did not ruin any games with it). Removing this line allows the user to keep the connection, however all they can do is read chat. https://github.com/xzxADIxzx/Join-and-kill-em-together/blob/c0014258271d37c561d5ad292b21fffb75f8898b/src/Jaket/Net/Endpoints/Client.cs#L31 The reason why this is important is that people that are on the server have no way of knowing that the person that got banned can still read the chat. This can probably be fixed, since it's already not sending any packets other than chat ones: no level change, no movement, no shooting, only chat.

off topic

Not sure how to properly report this so I made it into a single issue; if you think that I should split them into separate ones, say so, I will do.

xzxADIxzx commented 3 weeks ago
  1. I see, gonna try to fix it in one of the updates, but don't expect it soon (I'm on a vacation from code + I still have to study in university)
  2. No fucking way to fix it, though, I'll try
  3. No fucking way to fix it

    making the mod check server-side

    Tell me how? How am I supposed to do it? Clients can always simply LIE. It's PHYSICALLY impossible unless I add a core-level-anti-fucking-cheat.

  4. No fucking way to fix it, Valve simply haven't added a ban feature to their lobbies, there is nothing I can do... or what if I...

    people that are on the server have no way of knowing that the person that got banned can still read the chat

    No, they do, they can always press F2 to see who is in the lobby

  5. Not sure how to properly report this so I made it into a single issue; if you think that I should split them into separate ones, say so, I will do

    Everything is fine, tbh, I've never seen a better issue in my life :3 Thanks for your efforts!

ilia-21 commented 3 weeks ago

Thank you for your response

    Tell me how? How am I supposed to do it? Clients can always simply LIE. It's PHYSICALLY impossible unless I add a core-level-anti-fucking-cheat.

That was a shot in the dark; as I said, "I don't know whether you will make this so people just can't spoof the amount of mods" and "I don't know anything about networking", so don't take it too seriously, I have not worked with languages harder than freaking JavaScript.

Happy vacation and thank you for putting effort into that :)

xzxADIxzx commented 3 weeks ago

Okay, I'll try to do my best (maybe count the amount of all kinds of bullets and simply ban ppl instead of ignoring their packets) (and I can try to transfer chat messages via sockets rather than through the lobby)
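The "count the bullets and ban" idea above, as an added example (not code from Jaket or its author): a host-side token bucket per sender that drops over-budget fire packets before their particles are ever spawned and kicks a sender who keeps overrunning it. The packet shape, the kick callback, the rate numbers and the `Lobby.Kick` call are assumptions, not Jaket APIs.

```csharp
using System;
using System.Collections.Generic;

// Host-side guard against fire-packet spam (added example, not Jaket's code).
// Assumptions: each weapon fire reaches the host as one packet carrying the sender's
// id (ulong, e.g. a Steam id); the host can kick a sender through a callback; time is
// read from the host's own clock, never from a field inside the client's packet.
public sealed class ShotRateGuard
{
    private sealed class Bucket { public double Tokens; public double LastRefill; public int Strikes; }

    private readonly Dictionary<ulong, Bucket> buckets = new Dictionary<ulong, Bucket>();
    private readonly double capacity;        // burst allowed (absorbs lag-induced bunching)
    private readonly double refillPerSecond; // sustained rate an honest player can reach
    private readonly int maxStrikes;         // dropped packets tolerated before a kick
    private readonly Action<ulong> kick;

    public ShotRateGuard(double capacity, double refillPerSecond, int maxStrikes, Action<ulong> kick)
    {
        this.capacity = capacity;
        this.refillPerSecond = refillPerSecond;
        this.maxStrikes = maxStrikes;
        this.kick = kick;
    }

    // Returns true if the shot may be applied (and its particles spawned) for everyone;
    // false means the packet is silently dropped. Persistent overruns kick the sender.
    public bool Allow(ulong senderId, double hostNowSeconds)
    {
        if (!buckets.TryGetValue(senderId, out var b))
            buckets[senderId] = b = new Bucket { Tokens = capacity, LastRefill = hostNowSeconds };

        double elapsed = Math.Max(0, hostNowSeconds - b.LastRefill);
        b.Tokens = Math.Min(capacity, b.Tokens + elapsed * refillPerSecond);
        b.LastRefill = hostNowSeconds;
        if (b.Tokens >= capacity) b.Strikes = 0;   // quiet long enough: forgive old overruns

        if (b.Tokens >= 1.0) { b.Tokens -= 1.0; return true; }

        if (++b.Strikes >= maxStrikes) { buckets.Remove(senderId); kick(senderId); }
        return false;
    }

    public void Forget(ulong senderId) => buckets.Remove(senderId); // call on disconnect
}

// Usage sketch. The railcannon takes seconds to recharge, so a budget of 2 shots burst and
// 1 shot/second sustained (assumed numbers) is still far above honest play for that weapon:
// var guard = new ShotRateGuard(2, 1.0, 10, id => Lobby.Kick(id)); // Lobby.Kick is hypothetical
// if (!guard.Allow(packet.SenderId, Time.realtimeSinceStartup)) return; // drop before spawning
```

Keying the budget per weapon type (a separate guard per packet kind) keeps the railcannon limit tight without throttling fast weapons like the nailgun.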

Theoyeah commented 3 weeks ago

@xzxADIxzx I have an idea: you should put some secret key only present in compiled builds you made and make it so the server side asks the client for that key; if the client gives the wrong one, the host would automatically kick that client

xzxADIxzx commented 3 weeks ago

You really think that this key is hard to hack? You just need to modify the code a bit to simply print this key, no decompilation needed.

xzxADIxzx commented 3 weeks ago

But thanks for your passion

Theoyeah commented 3 weeks ago

    You really think that this key is hard to hack? You just need to modify the code a bit to simply print this key, no decompilation needed.

To modify the code you gotta use the source code right?

xzxADIxzx commented 3 weeks ago

Wdym? There is no way a key might be useful, because it's distributed over the network. Anyone can modify the server's code to print that key, join that server with a valid Jaket client, and, therefore, know the key

whyis2plus2 commented 3 weeks ago

Also dnSpy exists, so even if you couldn't get the key in the way Adi's saying, the key would just be in the decompiled version of the DLL, which makes a key useless