AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   Plugins (https://forums.alliedmods.net/forumdisplay.php?f=108)
-   -   [ANY] Fake VAC Ban (https://forums.alliedmods.net/showthread.php?t=259350)

Brrdy 03-05-2015 16:34

[ANY] Fake VAC Ban
 
1 Attachment(s)
FakeVAC by Brrdy

Features:
Releases a fake VAC message acting as if the person got banned

Commands:
fv_kick
Usage: fv_kick <player>
fv_version

Changelog:
Quote:

2015-03-05 (v0.0)

* Initial Release

2015-04-05 (v1.0.2)

* Updated plugin, fixing the bugs mentioned below. Thanks Mitchell.
* Fixed double letters, I think.
Off-Topic: Thanks r3dw3r3w0lf for posting a fix while I was away ^_^ I haven't looked at your code, but I have a feeling it works, as you seem more experienced than me :P

Mitchell 03-05-2015 17:02

Re: Fake VAC Ban
 
Things wrong:
No version cvar. In fact, some may argue that version 0.0.0 isn't a valid version, as that means there was no release, but you are releasing it right now...
For some reason you require an include for one print-to-chat message, which could just use the corresponding \x07 color.
You include <cstrike> and don't use it.
You include clientprefs and don't use that either.
You include sdkhooks for no reason.
You shouldn't even need sdktools either... especially including it twice, Jesus.
YES, BY ALL MEANS KICK A CLIENT BY NAME. You should never need to use ServerCommand to fire an SM command. KickClient() would work just fine, and wouldn't fire the "[SM]" logged command.
Why does the player have to be alive to target him?

WildCard65 03-05-2015 20:15

Re: Fake VAC Ban
 
Read about SQL injection to learn why passing client names to ServerCommand IS A VERY BAD IDEA!

Brrdy 03-05-2015 20:35

Re: Fake VAC Ban
 
Quote:

Originally Posted by Mitchell (Post 2270011)
Things wrong:
No version cvar. In fact, some may argue that version 0.0.0 isn't a valid version, as that means there was no release, but you are releasing it right now...
For some reason you require an include for one print-to-chat message, which could just use the corresponding \x07 color.
You include <cstrike> and don't use it.
You include clientprefs and don't use that either.
You include sdkhooks for no reason.
You shouldn't even need sdktools either... especially including it twice, Jesus.
YES, BY ALL MEANS KICK A CLIENT BY NAME. You should never need to use ServerCommand to fire an SM command. KickClient() would work just fine, and wouldn't fire the "[SM]" logged command.
Why does the player have to be alive to target him?

I'll clean it up in a bit ^_^ this is just a beta :P

WildCard65 03-05-2015 20:38

Re: Fake VAC Ban
 
Quote:

Originally Posted by Brrdy (Post 2270078)
I'll clean it up in a bit ^_^ this is just a beta :P

Ya, atm I would recommend pushing a hotfix for the whole ServerCommand thing, as it puts servers that decide to use this plugin at risk of command injection. I would recommend IMMEDIATELY changing from using ServerCommand to KickClient, as sm_kick uses that native.

Edit: Example of command injection with your plugin: sm_fakevac lol;quit would turn into this: sm_kick lol;quit, which in turn turns into these commands (as ; in Source is a delimiter that separates commands in the console, which is where ServerCommand executes things): sm_kick lol, then it runs quit.
Quit in a server console shuts the server down.

Edit2: You're using an indeterminate loop to do what a for loop can do (which is determinate).

Darkness_ 03-05-2015 20:52

Re: Fake VAC Ban
 
PHP Code:

ServerCommand("sm_kick %N", target_list[i]); // the name is re-parsed by the console, so ';' in it injects commands

to
PHP Code:

KickClient(target_list[i], "kick reason"); // acts on the client index directly, nothing is parsed


Brrdy 03-05-2015 21:23

Re: Fake VAC Ban
 
Quote:

Originally Posted by WildCard65 (Post 2270079)
Ya, atm I would recommend pushing a hotfix for the whole ServerCommand thing, as it puts servers that decide to use this plugin at risk of command injection. I would recommend IMMEDIATELY changing from using ServerCommand to KickClient, as sm_kick uses that native.

Edit: Example of command injection with your plugin: sm_fakevac lol;quit would turn into this: sm_kick lol;quit, which in turn turns into these commands (as ; in Source is a delimiter that separates commands in the console, which is where ServerCommand executes things): sm_kick lol, then it runs quit.
Quit in a server console shuts the server down.

Edit2: You're using an indeterminate loop to do what a for loop can do (which is determinate).

Only admins can run the cmd, but anyways, when I tried using KickClient it wouldn't work, idk why, but I'll try it again in a bit, not on PC atm.

Mitchell 03-05-2015 22:03

Re: Fake VAC Ban
 
Quote:

Originally Posted by Brrdy (Post 2270102)
Only admins can run the cmd, but anyways, when I tried using KickClient it wouldn't work, idk why, but I'll try it again in a bit, not on PC atm.

It wouldn't matter if only an admin can run it. What if you ran the command on a player with the name "baddie;rcon_password hi"? The server command will do
ServerCommand("sm_kick baddie;rcon_password hi"), setting the server's rcon_password to whatever he wants.
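
The injection path WildCard65 and Mitchell describe, as an added example that is not code from the FakeVAC plugin or from SourceMod. It is a constructed, simplified Python model of the Source console buffer: a line handed to it is split into separate commands on ';' (outside double quotes), which is exactly why interpolating a player name into ServerCommand("sm_kick %N", client) lets the name run a second command. The client names, the three-entry command table, and the quoting rules are assumptions made for the demonstration; the third client name additionally assumes a name can contain a double quote.

```python
"""Command injection through ServerCommand("sm_kick %N", client).

Added example for this thread, not the plugin's code. Constructed model:
a console line is split on ';' outside double quotes, each piece is
tokenized, and the first token is looked up in a small command table.
"""
from __future__ import annotations

from typing import Callable


def split_command_buffer(line: str) -> list[str]:
    """Split a console line into commands on ';' or newline, honouring "quotes"."""
    cmds: list[str] = []
    cur: list[str] = []
    in_quote = False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch in ";\n" and not in_quote:
            cmds.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    cmds.append("".join(cur).strip())
    return [c for c in cmds if c]


def tokenize(cmd: str) -> list[str]:
    """Split one command into argv on whitespace; "quoted" tokens stay whole."""
    argv: list[str] = []
    cur: list[str] = []
    in_quote = False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                argv.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        argv.append("".join(cur))
    return argv


class Server:
    """Constructed stand-in for a game server with three console commands."""

    def __init__(self) -> None:
        self.running = True
        self.rcon_password = "original-secret"
        self.kicked: list[int] = []
        self.executed: list[str] = []
        # Constructed clients, index -> name. 1 and 2 are the payloads from
        # the thread; 3 assumes a name may contain a double quote.
        self.clients: dict[int, str] = {
            1: "lol;quit",
            2: "baddie;rcon_password hi",
            3: 'lol";quit;"',
        }
        self.commands: dict[str, Callable[[list[str]], None]] = {
            "sm_kick": self._sm_kick,
            "quit": self._quit,
            "rcon_password": self._rcon_password,
        }

    def execute(self, line: str) -> None:
        """What ServerCommand() feeds: text that the console re-parses."""
        for cmd in split_command_buffer(line):
            self.executed.append(cmd)
            argv = tokenize(cmd)
            if argv and argv[0] in self.commands:
                self.commands[argv[0]](argv[1:])

    def kick_client(self, client: int, reason: str) -> None:
        """What KickClient() does: act on the index, nothing is parsed."""
        self.clients.pop(client, None)
        self.kicked.append(client)

    def _sm_kick(self, argv: list[str]) -> None:
        # sm_kick <name>: kick the client whose name equals the argument.
        for idx, name in list(self.clients.items()):
            if argv and name == argv[0]:
                self.kick_client(idx, "Kicked by admin")

    def _quit(self, argv: list[str]) -> None:
        self.running = False  # shuts the server down

    def _rcon_password(self, argv: list[str]) -> None:
        if argv:
            self.rcon_password = argv[0]


def fake_vac_vulnerable(server: Server, client: int) -> None:
    """Equivalent of ServerCommand("sm_kick %N", client): name is re-parsed."""
    server.execute("sm_kick %s" % server.clients[client])


def fake_vac_quoted(server: Server, client: int) -> None:
    """Quoting stops ';' in a name, but a name containing '"' still breaks out."""
    server.execute('sm_kick "%s"' % server.clients[client])


def fake_vac_fixed(server: Server, client: int) -> None:
    """Equivalent of KickClient(client, reason): no console text is parsed."""
    server.kick_client(client, "VAC banned from secure server")
```

Running fake_vac_vulnerable on client 1 executes "sm_kick lol" (which matches nobody) and then "quit"; on client 2 it rewrites rcon_password. Wrapping the name in quotes only moves the problem to names that contain a quote. fake_vac_fixed never builds a console line at all, which is the point of Darkness_'s KickClient() snippet above.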

Drixevel 03-06-2015 02:50

Re: Fake VAC Ban
 
1 Attachment(s)
For those wanting a cleaned-up version with the exploit fixed, download the following version:

Pohearts 03-06-2015 06:15

Re: Fake VAC Ban
 
Looks like C+P code..

Also, shouldn't you use \x07 instead of {red}, so it requires fewer dependencies for such a simple plugin?

