AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   SourceMod Anti-Cheat (https://forums.alliedmods.net/forumdisplay.php?f=133)
-   -   SMAC by-pass hack? (https://forums.alliedmods.net/showthread.php?t=293984)

WebNoob 02-16-2017 15:52

SMAC by-pass hack?
 
Just had the following play on our server:

http://steamcommunity.com/id/suckmygoddamnpenis/

For some reason, we were not able to ban him, and he was using the name " SourceMod Anit-Cheat bypass".

I was able to go and ban him manually via web, but this was really strange.

EDIT: I should also note that his Steam ID was being reported by the system as:

"STEAM_ID_STOP_IGNORING_RETVALS"

WebNoob 02-16-2017 16:15

Re: SMAC by-pass hack?
 
Added:

Saw this in the SM log after we kicked him from the server (again, we were unable to ban):

L 02/16/2017 - 15:47:15: [basecommands.smx] "XXXXXX<105><[U:1:XXXXXXX]><>" kicked "SourceMod Anit-Cheat bypass<103><STEAM_ID_PENDING><>" (reason "")

Note: These are all VAC-secured servers, etc....so somehow he is able to join/block his Steam ID from appearing in the system? (If so, why doesn't the system prevent him from joining a VAC server to begin with?)

DarkDeviL 02-16-2017 16:16

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by WebNoob (Post 2495959)
EDIT: I should also note that his Steam ID was being reported by the system as:

"STEAM_ID_STOP_IGNORING_RETVALS"

You are using plugins that aren't doing their "Steam ID" checks properly. In other words, plugins created by lazy people.

Searching for the string that you posted above (either Google or forum search) should give you a better perspective on that issue.

WebNoob 02-16-2017 16:39

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by arne1288 (Post 2495970)
You are using plugins that aren't doing their "Steam ID" checks properly. In other words, plugins created by lazy people.

Searching for the string that you posted above (either Google or forum search) should give you a better perspective on that issue.

So, I guess that includes Sourcebans 1.4.11 - since that plugin is the one we use to ban, and it would not ban that player (?)

DarkDeviL 02-16-2017 18:48

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by WebNoob (Post 2495974)
So, I guess that includes Sourcebans 1.4.11 - since that plugin is the one we use to ban, and it would not ban that player (?)

It is quite old, so without looking into if that had the right things or not - it might also be doing it.

The plugin causing the output of the place where you see "STEAM_ID_STOP_IGNORING_RETVALS" is falling into the category above.


In previous SM versions, you could do like:

Code:

GetClientAuthString(client, steamID, sizeof(steamID));

and in newer:

Code:

GetClientAuthId(client, AuthId_Steam2, steamID, sizeof(steamID));

Both GetClientAuthString and GetClientAuthId have been returning the "true" boolean for a long while to indicate it retrieved a valid Steam ID, and the "false" boolean to indicate that it didn't retrieve a proper Steam ID.

It has been quite common for not just a few - but many "lazy" people to do code like:

Code:

[...]
GetClientAuthId(client, AuthId_Steam2, steamID, sizeof(steamID));
[...]
PrintToChat(client, "Hi %N. Your Steam ID is: %s", client, steamID);

This basically means you are requesting some data, you don't really care what you get in return, and then try to use it for your purpose anyway.

If you do that, you might end up on seeing "STEAM_ID_STOP_IGNORING_RETVALS" as Steam ID on recent versions of SourceMod.

You should do like:

Code:

[...]
if (GetClientAuthId(client, AuthId_Steam2, steamID, sizeof(steamID))) {
    [...]
    PrintToChat(client, "Hi %N. Your Steam ID is: %s", client, steamID);
}

This way you will only do things with the Steam ID if GetClientAuthId returns "true: I have a valid Steam ID".

SourceBans 1.4.11 does seem to use the old way, however, the latest code on GitHub seems to be using a mix of checking the return value and not checking the return value around the code.

beetlejuice 03-08-2017 12:40

Re: SMAC by-pass hack?
 
New guy

"STEAM_ID_STOP_IGNORING_RETVALS"

http://steamcommunity.com/id/poon_destroyer/

I don't think it is him at all, just using someone else's steam_id

Btw hacker had connect bot too, autoreconnecting and also coming from different countries at same time.

This is a new hack I guess and should be looked into.

sneaK 03-08-2017 12:51

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by beetlejuice (Post 2501849)
New guy

"STEAM_ID_STOP_IGNORING_RETVALS"

http://steamcommunity.com/id/poon_destroyer/

I don't think it is him at all, just using someone else's steam_id

Btw hacker had connect bot too, autoreconnecting and also coming from different countries at same time.

This is a new hack I guess and should be looked into.

Ensure you are running the latest available version of SM, and its base plugins (important). Shouldn't have this issue on a legitimate Steam-connected game server.

beetlejuice 03-08-2017 14:19

Re: SMAC by-pass hack?
 
smac_validate_auth "0"

^^ I had this set to 0

And I run classic Steam servers, not non-steam.

I changed it to smac_validate_auth "1" now and let's see.

But he was coming from different countries too and yelling on my admins "you cant do shit you faggots, i rule here"

PS. I never had this happen before and my mods retrieve steam_id properly...I checked.

pubhero 03-13-2017 15:35

Re: SMAC by-pass hack?
 
Hi.
What game? And what part of SMAC did that player bypass?
If CS:S and autotrigger bypass, the solution is very easy.
If you are running a normal server (not surf, not zombie) you can set these values in your server.cfg and the speedhack, bunny hop will be ended. :D
If he tries using that shit, you will see. That's all.

sv_enablebunnyhopping 0
sv_airaccelerate 1
sv_max_usercmd_future_ticks 1

bobotov 09-27-2017 21:22

Re: SMAC by-pass hack?
 
Aww man. I really hate to bump threads like this, but since it's on the first page, I may as well.

I was that guy in the OP, /id/suckmygoddamnpenis/

It's really simple, really. Set your steam to offline mode and join a community server via connect [ip here] in console

No one can ban you, and I'm pretty sure the server I was on was neonheights.

This exploit has apparently been around for 4 years? It works on tf2, but not on csgo.

Mitchell 09-28-2017 09:57

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by arne1288 (Post 2495970)
You are using plugins that aren't doing their "Steam ID" checks properly. In other words, plugins created by lazy people.

Sounds like a pain in the ass to guard against.
What should the plugins do, kick players that don't validate?
Can this method ever return "STEAM_ID_STOP_IGNORING_RETVALS" after the player has already connected and has previously stored his steamid?
Some gameplay factors require retrieving the steamid, so should we continuously keep trying to get the player's steamid and force them in spectator until it returns true?
I have never really encountered this but if it were to happen I'd rather just kick the player than try to figure out a way to retrieve player stats after they have already been playing for a given period of time.
Any other documentation when this will be returned?

bobotov 09-28-2017 17:32

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by Mitchell (Post 2551282)
Any other documentation when this will be returned?

When I decide to do it again.

TheXeon 09-28-2017 18:52

Re: SMAC by-pass hack?
 
Had a fun run-in with ya @bobotov. The whole time I was trying to block the IP through ufw or IPTables, that didn't work for whatever reason.

I feel like Sourcebans++'s SourceSleuth should have done a bit of checking (since sm_banip does work and your IP was correctly added to the DB) and at least kicked. addip from the server console didn't work, that might just be me rusty with it though.

EDIT: The whole time it was STEAM_ID_STOP_IGNORING_RETVALS. I feel like trying to get people's auth every few seconds might be a bit much, thing below is proof-of-concept and working(?)

EDIT 2: THIS DOESNT WORK, USE https://forums.alliedmods.net/showpo...2&postcount=25

bobotov 09-28-2017 19:14

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by TheXeon (Post 2551357)
Had a fun run-in with ya @bobotov. The whole time I was trying to block the IP through ufw or IPTables, that didn't work for whatever reason.

I feel like Sourcebans++'s SourceSleuth should have done a bit of checking (since sm_banip does work and your IP was correctly added to the DB) and at least kicked. addip from the server console didn't work, that might just be me rusty with it though.

Was the server I was on Wonderland?

And hi. :D

TheXeon 09-28-2017 19:24

Re: SMAC by-pass hack?
 
Care to help me test out the pseudofix? No, you weren't on Wonderland XD

bobotov 09-28-2017 19:26

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by TheXeon (Post 2551361)
Care to help me test out the pseudofix? No, you weren't on Wonderland XD

Yea sure. Give me the ip.

TheXeon 09-28-2017 19:30

Re: SMAC by-pass hack?
 
~sig or url on proof-of-concept?

bobotov 09-28-2017 19:35

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by TheXeon (Post 2551363)
~sig or url on proof-of-concept?

What do you mean?

TheXeon 09-28-2017 19:37

Re: SMAC by-pass hack?
 
IP: neogenesisnetwork.net or 104.153.106.174, guess my signature isn't showing up.

bobotov 09-28-2017 19:38

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by TheXeon (Post 2551366)
IP: neogenesisnetwork.net or 104.153.106.174, guess my signature isn't showing up.

Huh. It's not letting me connect. This tends to happen sometimes while I'm doing this method. Let me restart stuff and try again.

TheXeon 09-28-2017 19:42

Re: SMAC by-pass hack?
 
Don't tell me ufw and iptables feel like working now ://////

bobotov 09-28-2017 19:44

Re: SMAC by-pass hack?
 
Connected.

bobotov 09-28-2017 19:52

Re: SMAC by-pass hack?
 
We had a talk and he tested some stuff on me.

Looks like it ain't working. The only servers who have been able to successfully ban me was Team Cream servers.

That was long ago, though.

Edit: I tested on them again. They were able to ban me.

bobotov 09-29-2017 01:10

Re: SMAC by-pass hack?
 
Ok so this also works on skial

When I trigger an SMAC ban on myself, the sourcebans page shows

STEAM_ID_STOP_IGNORING_RETVALS

STEAM_0:0:0

76561197960265728 <---- profile link, but it leads to nothing



https://puu.sh/xLy18/a5ddcc561f.png

Oh, and I can still join their other servers. I believe after a while I can join the one I was banned from.

Admins also try to manually ban me from the server via the Sourcebans page, but it doesn't do crap because I have no steamid in the server!

TheXeon 09-29-2017 01:31

Re: SMAC by-pass hack?
 
EDIT 2018-04-12:
This hack of a method has been fixed and optimized, integrated into an auto-updating central plugin:
Source
Download Link
Spoiler

TheXeon 09-29-2017 03:29

Re: SMAC by-pass hack?
 
The weird thing is, and I guess this is expected behavior, but Connect can get the SteamIDs just fine. I guess now we just need to figure out a way to force it on a client or something, iunno. An extension or native that would force IDs would fix a bunch of other problems too.

DarkDeviL 09-29-2017 10:51

Re: SMAC by-pass hack?
 
If

Code:

GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth))

returns FALSE, then

Code:

IsClientAuthorized(client);

should return FALSE too according to my experiments in the past, though that was with CS:S.

If GetClientAuthId returns FALSE, and you're still using the contents of "auth", that is when you're getting "STEAM_ID_STOP_IGNORING_RETVALS", it should not be returning TRUE at the same time as providing "STEAM_ID_STOP_IGNORING_RETVALS".

Even the very old GetClientAuthString, says the same as the newer GetClientAuthId:

Code:

Return:
True on success, false otherwise.

&&

Code:

Return Value

True on success, false otherwise.


Many years ago, I started out with some plugins here from AM, then I changed to my own plugins, and/or re-built them to suit my needs better.

Many of them were using code like the above example I made in POST #5.

I ended up having a lot of issues, sometimes with empty or invalid Steam IDs, and when I finally saw the documentation, I found that the plugins weren't doing things according to the API (checking TRUE vs FALSE return value)

I then changed things from:

Code:

GetClientAuthString(client, SteamID, sizeof(SteamID));
PrintToChat(client, "Your Steam ID is: %s", SteamID);

to

Code:

new bool:bSteam32 = GetClientAuthString(client, SteamID, sizeof(SteamID));
if (bSteam32) {
  /* Do whatever I wanted to do with SteamID here */
  PrintToChat(client, "Your Steam ID is: %s", SteamID);
} else {
  LogError("Something failed here ... bla bla bla");
  PrintToChat(client, "Something went wrong when looking up your Steam ID, sorry.");
}

Since then, there was NEVER any problems retrieving the correct Steam ID any more on those third party plugins after they were re-built this way.

I don't intend to be rude, but for plugin creators, the thing is very simple - make sure to follow the documentation 100%. That worked for me when creating my plugins, as well as when fixing broken plugins created by others.

For the above "temp fix", I would rather suggest kicking people, like SMAC does, if the player hasn't validated within like 15, 30, 45 or 60 seconds - depending on what you prefer. 15 seconds should usually be enough, unless the Steam network is down.

OnClientPostAdminCheck will never be called, if Steam network is down (or STEAM_ID_PENDING / STEAM_ID_STOP_IGNORING_RETVALS), and therefore I usually suggest using that one for "on-connect" things when you need to know who they really are.
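
The approach described in the post above (trust the Steam ID only when GetClientAuthId returns true, and kick clients that have not authorized within a timeout), as an added SourcePawn example that is not part of the thread, of SMAC or of SourceBans. `AUTH_TIMEOUT`, `Timer_CheckAuth`, the 30-second value and the kick and log messages are assumptions made for illustration.

```sourcepawn
#include <sourcemod>

// Assumed grace period in seconds; the post above suggests 15 to 60.
#define AUTH_TIMEOUT 30.0

public void OnClientConnected(int client)
{
    if (IsFakeClient(client))
    {
        return; // bots never authenticate with Steam
    }
    // Pass the userid, not the slot index: the slot can be reused
    // by another player before the timer fires.
    CreateTimer(AUTH_TIMEOUT, Timer_CheckAuth, GetClientUserId(client));
}

public Action Timer_CheckAuth(Handle timer, any userid)
{
    int client = GetClientOfUserId(userid);
    if (client == 0 || !IsClientConnected(client))
    {
        return Plugin_Stop; // player already left
    }

    char auth[32];
    // The return value is the only signal that 'auth' is usable. When it is
    // false, this thread shows the buffer holding the placeholder
    // STEAM_ID_STOP_IGNORING_RETVALS, which must never reach a ban record.
    if (!GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth)))
    {
        LogMessage("Kicking \"%N\" (userid %d): no validated Steam ID", client, userid);
        KickClient(client, "Steam authorization timed out, please reconnect");
        return Plugin_Stop;
    }

    // Only here is 'auth' safe to store, compare or ban on.
    LogMessage("\"%N\" authorized as %s", client, auth);
    return Plugin_Stop;
}
```

A longer timeout reduces false kicks while the Steam network is slow or down, at the cost of leaving an unidentified client on the server for longer.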

bobotov 09-29-2017 13:42

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by TheXeon (Post 2551402)
Made another "temp-fix". Invoked the glitch on myself and tried it. Below are some relevant lines that were the only thing that seemed to work.

Code:

if (!GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth)) || StrContains("STEAM_ID_STOP_IGNORING_RETVALS", auth, false) != -1) // Had to check for both
And attached is what I ended up with.

Code:
Spoiler

Look nice. Wanna test today?

TheXeon 09-29-2017 13:46

Re: SMAC by-pass hack?
 
Makes sense. Just did a bit of checking with below:

Spoiler

and it seemed to reach 3 consecutively. Do you know if downed Steam servers might trip up GetClientAuthId? If it does, then would kicking also false-positive?

TheXeon 09-29-2017 13:48

Re: SMAC by-pass hack?
 
Go for it. It's been live and worked for me all last night. I just am really unsure about false-positives if Steam servers are down.

bobotov 09-29-2017 14:23

Re: SMAC by-pass hack?
 
Quote:

Originally Posted by TheXeon (Post 2551535)
Go for it. It's been live and worked for me all last night. I just am really unsure about false-positives if Steam servers are down.

Yep. It works. I get kicked with this message

Disconnect: Your client has failed to authorize in time. Please reconnect or restart your game.

:D

Now I'm starting to get bored of this for now. I'll do this again when I feel like it. You should release the plugin you made.

