Exploit able to shutdown server immediately upon connecting, without a character

This probably is occurring without either of those admin systems in my game.

1 Like

I don’t know much about how backdoors work in this day and age, but this is an RCC crash.

1 Like

We’ve identified that this is a player instance creation issue already, however either way my game doesn’t use a free modeled admin system and still experiences this crashing issue.

Edit: I’m guessing you’re referring to :clean spam?

Alright, I just thought it may of been a lead because it’s only been happening for me when those admins are put in.

It’s likely because they put a bunch of spam commands.

No, there isn’t. Imagine trying to stop something that literally loads before any of your scripts or the server loads. It’s not possible, and once it could be possibly detected the server has already crashed. Only roblox is capable of solving this issue.

19 Likes

This is true, even if you developed a detection script it wouldn’t have time to load and execute before the server is already crashed and frozen. Roblox indeed does need to fix this.

Even LocalScripts in ReplicatedFirst didn’t have time to execute before the server crashed.

8 Likes

The exploiters can also use FE as an advantage, to use “server ban”.
And Auto report to roblox feature (The script below can only be done manually, as it requires name). Such as the script below.

while wait() do
game.Players:ReportAbuse(game.Players.NAME, “Exploiting”, “This user is exploiting, ban this user!”)
end

I’m having this happen in one of my games aswell, had to make it group only and change the group to join request only to get this guy to go away. Is there another way I can stop this?

@Raspy_Pi is this the issue you were experiencing with Phantom Forces? perhaps you could post the info you have

I got a report from a staff member a streamer keeps getting someone joining and crashing his servers on phantom forces.

1 Like

SynapseX can do that. My friend has a stream sniper feature as well as a server crasher that you can’t do much about. I don’t know how the crash works, but it does null the character and uses a tool.
image

I’ll reverse engineer it when he wakes up and I’ll update this post accordingly if I can.

2 Likes

This can be reproduced in Studio by editing a CoreScript (e.g. %localappdata%\Roblox\Versions\version-dea4928194014ca7\ExtraContent\scripts\CoreScripts\StarterScript.lua) to create a Player before one exists:

if game:GetService"RunService":IsClient() then
	print("Creating player client-side")
	game:GetService"Players":CreateLocalPlayer()
end

The Player will replicate to the server (excluding any properties set on client?) before the server is meant to create it and PlayerAdded is fired. Immediately after, though, the server crashes due to some engine code expecting the player to exist in a hash map (?) where it does not.

Technical info for any engineers who don’t already know the cause:
Some instances created before/during join get sent to the server via a JoinData item packet. As far as I’m aware, this is meant for the client to receive only (to stream server objects in) but the server accepts it anyway. Only the Player instance seems to replicate, though (?). In the JoinData packet deserializer/processor, on the server, after the Player has been created, the Player is used for a lookup inside of a hash map (?) inside ServerReplicator. The map is empty or the key doesn’t exist, and a null pointer access occurs as a result.

Disclaimer: My explanation makes some assumptions and should be considered an educated guess.

25 Likes

If this were the case, wouldn’t core scripts still be calling CreateLocalPlayer() themselves to connect to the server? I don’t think this would crash the server. I’m thinking maybe this method is being spammed because there should already be in place precautions for a local player being created multiple times due to either internet or multiple devices.

If I’m wrong however, this should still be an easy fix if the server is the one that creates it as it should be able to just reject client created connections.

I’m pretty sure the server creates the player now (although it didn’t used to be this way, hence the existence of CreateLocalPlayer) which replicates to the client upon join. Not sure why the API still exists.

3 Likes

Hiding this topic because apparently repro steps are shared in multiple replies. This is not how you are meant to handle sensitive details related to exploits, in the future please send them to @Exploit_Reports.

Staff have seen this topic so you don’t have to worry about them not seeing it now that it is unlisted. It will probably be relisted once this is fixed.

I vouch for this, this needs IMMEDIATE attention!

2 Likes

We are aware of the issue. Our team is currently working on a fix.

35 Likes

This one doesn’t require a backdoor, I’m fairly sure any game is vulnerable.

Hopefully we get an update on the situation soon!

This should now be fixed. Thanks for bringing it to our attention!

55 Likes