Exploit able to shut down server immediately upon connecting, without a character

This probably is occurring without either of those admin systems in my game.

1 Like

I don’t know much about how backdoors work in this day and age, but this is an RCC crash.

1 Like

We’ve identified that this is a player instance creation issue already, however either way my game doesn’t use a free modeled admin system and still experiences this crashing issue.

Edit: I’m guessing you’re referring to :clean spam?

Alright, I just thought it may have been a lead because it’s only been happening for me when those admins are put in.

It’s likely because they put a bunch of spam commands.

No, there isn’t. Imagine trying to stop something that literally loads before any of your scripts or the server loads. It’s not possible, and once it could be possibly detected the server has already crashed. Only Roblox is capable of solving this issue.

19 Likes

This is true, even if you developed a detection script it wouldn’t have time to load and execute before the server is already crashed and frozen. Roblox indeed does need to fix this.

Even LocalScripts in ReplicatedFirst didn’t have time to execute before the server crashed.

8 Likes

The exploiters can also use FE as an advantage, to use “server ban”.
And Auto report to Roblox feature (the script below can only be done manually, as it requires a name). Such as the script below.

while wait() do
game.Players:ReportAbuse(game.Players.NAME, “Exploiting”, “This user is exploiting, ban this user!”)
end

I’m having this happen in one of my games as well, had to make it group only and change the group to join request only to get this guy to go away. Is there another way I can stop this?

@Raspy_Pi is this the issue you were experiencing with Phantom Forces? Perhaps you could post the info you have.

I got a report from a staff member that a streamer keeps getting someone joining and crashing his servers on Phantom Forces.

1 Like

SynapseX can do that. My friend has a stream sniper feature as well as a server crasher that you can’t do much about. I don’t know how the crash works, but it does null the character and uses a tool.

I’ll reverse engineer it when he wakes up and I’ll update this post accordingly if I can.

2 Likes

This can be reproduced in Studio by editing a CoreScript (e.g. %localappdata%\Roblox\Versions\version-dea4928194014ca7\ExtraContent\scripts\CoreScripts\StarterScript.lua) to create a Player before one exists:

if game:GetService"RunService":IsClient() then
	print("Creating player client-side")
	game:GetService"Players":CreateLocalPlayer()
end

The Player will replicate to the server (excluding any properties set on client?) before the server is meant to create it and PlayerAdded is fired. Immediately after, though, the server crashes due to some engine code expecting the player to exist in a hash map (?) where it does not.

Technical info for any engineers who don’t already know the cause:
Some instances created before/during join get sent to the server via a JoinData item packet. As far as I’m aware, this is meant for the client to receive only (to stream server objects in) but the server accepts it anyway. Only the Player instance seems to replicate, though (?). In the JoinData packet deserializer/processor, on the server, after the Player has been created, the Player is used for a lookup inside of a hash map (?) inside ServerReplicator. The map is empty or the key doesn’t exist, and a null pointer access occurs as a result.

Disclaimer: My explanation makes some assumptions and should be considered an educated guess.

24 Likes
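The bug class guessed at in the post above (a server that accepts a client-supplied Player item and then uses an unchecked hash-map lookup), shown beside a hardened handler. This is an added illustration, not code from the thread or from the Roblox engine; `Replicator`, `JoinItem`, `PlayerRecord` and `Verdict` are hypothetical names and the sample items are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <unordered_map>
#include <utility>

// Hypothetical model of the server state in the post; none of these names are Roblox's.
struct PlayerRecord { std::string name; int teamId; };
enum class Origin { Server, Client };
struct JoinItem { std::uint64_t instanceId; std::string className; Origin origin; };
enum class Verdict { Accepted, NotPlayer, RejectedClientPlayer, RejectedUnknownPlayer };

class Replicator {
    std::unordered_map<std::uint64_t, PlayerRecord> players_;  // filled only by the server
public:
    void registerPlayer(std::uint64_t id, PlayerRecord rec) { players_[id] = std::move(rec); }

    // Guessed crash pattern: the lookup result is used without checking it.
    // For an unregistered id this dereferences end(), so it is shown but never called.
    int teamOfUnchecked(std::uint64_t id) const { return players_.find(id)->second.teamId; }

    // Hardened lookup: a missing key is an ordinary, reportable outcome.
    const PlayerRecord* lookup(std::uint64_t id) const {
        auto it = players_.find(id);
        return it == players_.end() ? nullptr : &it->second;
    }

    // Hardened handler: validate who sent the item before any per-player state is touched.
    Verdict handleJoinItem(const JoinItem& item) const {
        if (item.className != "Player") return Verdict::NotPlayer;
        if (item.origin == Origin::Client) return Verdict::RejectedClientPlayer;
        if (lookup(item.instanceId) == nullptr) return Verdict::RejectedUnknownPlayer;
        return Verdict::Accepted;
    }
};

int main() {
    Replicator server;
    server.registerPlayer(1, {"constructed_player", 3});  // constructed sample data
    const JoinItem items[] = {{1, "Player", Origin::Server}, {2, "Player", Origin::Client},
                              {2, "Player", Origin::Server}, {7, "Part", Origin::Client}};
    for (const JoinItem& item : items)
        std::printf("%llu %s -> verdict %d\n", (unsigned long long)item.instanceId,
                    item.className.c_str(), static_cast<int>(server.handleJoinItem(item)));
    return 0;
}
```

Rejecting the item at the trust boundary and treating a failed lookup as a normal result are independent checks; either one alone keeps the process alive in this model.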

If this were the case, wouldn’t core scripts still be calling CreateLocalPlayer() themselves to connect to the server? I don’t think this would crash the server. I’m thinking maybe this method is being spammed because there should already be in place precautions for a local player being created multiple times due to either internet or multiple devices.

If I’m wrong however, this should still be an easy fix if the server is the one that creates it as it should be able to just reject client created connections.

I’m pretty sure the server creates the player now (although it didn’t use to be this way, hence the existence of CreateLocalPlayer) which replicates to the client upon join. Not sure why the API still exists.

3 Likes

Hiding this topic because apparently repro steps are shared in multiple replies. This is not how you are meant to handle sensitive details related to exploits, in the future please send them to @Exploit_Reports.

Staff have seen this topic so you don’t have to worry about them not seeing it now that it is unlisted. It will probably be relisted once this is fixed.

I vouch for this, this needs IMMEDIATE attention!

2 Likes

We are aware of the issue. Our team is currently working on a fix.

35 Likes

This one doesn’t require a backdoor, I’m fairly sure any game is vulnerable.

Hopefully we get an update on the situation soon!

This should now be fixed. Thanks for bringing it to our attention!

55 Likes