[Xalphox]

Hey there,
I've been working on a project in order to create the most largest vulnerabilities in servers using AMXX, in what you might call "bluehatting", so that they can be resolved. This is more of a "I was bored" project, so there's probably yet even more possible vulnerabilities yet to be discovered (and hopefully not, used).

My work has lead to me creating this monstrosity, a script that will not compile (unless you're not a total noob and are able to work out how I sabotaged it so it couldn't be used and abused, but if you are able to you're likely not to be nooby enough not to try abuse this) but would be able to, if I hadn't purposely sabotaged it, follow out the following activities:

• An experimental Distributed Denial of Service system (socket-based), which uses a MySQL table in order to communicate and synchronize attacks against a certain IP address or hostmask and a port. I've tested it, and although most of the time it seemed to fail, it did work 3 or 4 times (I tested it by launching attacks against my own IP).
• A system allowing exploiters to access files within the server folder in which you can overwrite and delete files. You could also make up a system to read files, too, but I was too lazy to write a streaming system in order to stop buffer overflows.
• A system allowing exploiters to access the MySQL server and databases, and also the possibility to access other MySQL servers (masking the exploiter's IP and incriminating the server it was executed from), and can bypass restrictions on localhost such as disallowing remote connections and blacklisting.
• A system in which you can cause BSODs (Blue Screen of Death) on clients and servers.
• A few sneaky commands, such as removing the flags of admins.

Attached is the SMA. Once again, I'll state that it will not compile as I have purposely sabotaged it so that noobs can't fuck up servers. I've put it here over other forums as I didn't know an appropiate place to put it. Hopefully, the developers can fix these issues which I think is an accident waiting to happen.

Happy to help with the security of such a brilliant mod,
Xalphox

[Xalphox]

I'll mention that the BSODing works by creating an infinite loop in, creating a new file on every instance (with a generated string as the name). I realize that I could've done this better by having a counter and converting it to string, as it'd then have infinite possibilities.

Quote:

Hawk: how do you BSoD clients? Lord Xalphox: Infinite loop, using writecfg() Lord Xalphox: the operating system automatically bsods Lord Xalphox: otherwise you'd be forced to boot from disk Lord Xalphox: I used it on myself Lord Xalphox: Had to reinstall TS Hawk: lol Hawk: that's pretty badass Lord Xalphox: indee Lord Xalphox: d Lord Xalphox: It's the only thing I'm good at Lord Xalphox: being nasty Lord Xalphox: but maybe I can be nasty in order to do some good Hawk: I noticed Lord Xalphox: How badly am I going to get flamed? Hawk: probably pretty badly Hawk: possibly banned, too Lord Xalphox shrugs Lord Xalphox: once again Lord Xalphox: I've had e-battles with you Lord Xalphox: AND survived to live thet ale Lord Xalphox: so yeah Lord Xalphox: fuck everyone Lord Xalphox: I'm a dragon

[Styles]

I don't think this is allowed, I'll have to talk with somebody this thread is possibly deleted.

[Xalphox]

Quote:

Originally Posted by styles I don't think this is allowed, I'll have to talk with somebody this thread is possibly deleted.

I don't mind. As long as the developers are aware of these. The BSODing client's is pretty much the ultimate slowhack. You'd have to be an idiot, after all, to upload a back door to your server.


Hey, wait a minute, are you that guy that hosts ApolloRP.org?

[Hawk552]

I LIVE IN A GIANT BUCKET

[Xalphox]

Quote:

Originally Posted by Hawk552 I LIVE IN A GIANT BUCKET

that'd explain your problems with people.

[Styles]

Yes hawk but slow hacking scripts are not allowed. Why should this be?

[TheNewt]

I feel like a troll coming back just to post this, thanks Styles.

Xalphox, what is the actual purpose of this plugin? If all it does is CREATE security holes, it doesn't help with anything! If you are referring to teaching current plugin writers to be aware of these security flaws, write a FAQ/Document about it, not a plugin.

Nice job, just focus your security talent there to fix any possible security flaws in plugins that are already released.

[Styles]

Quote:

Originally Posted by TheNewt I feel like a troll coming back just to post this, thanks Styles. Xalphox, what is the actual purpose of this plugin? If all it does is CREATE security holes, it doesn't help with anything! If you are referring to teaching current plugin writers to be aware of these security flaws, write a FAQ/Document about it, not a plugin. Nice job, just focus your security talent there to fix any possible security flaws in plugins that are already released.

No it doesn't create anything it exploits the user in the most ultimate way o.0.

But this is considered a slow hack, if you can't make it normally why should this be allowed?

This thread is nuked.

[YamiKaitou]

Quote:

Originally Posted by styles No it doesn't create anything it exploits the user in the most ultimate way o.0. But this is considered a slow hack, if you can't make it normally why should this be allowed? This thread is nuked.

At least make the attachment downloadable only to mods. Nuking again