Found one of the LocalScripts a lvl7 exploit uses

Apparently it can call loadstring() from the client, still. It’s admin commands. FE will block all commands except ;goto

Edit: Here’s the block of code that the exploit runs to use this script: loadstring(game:GetObjects('rbxassetid://295850902')[1].Source)()

1 Like

I thought we removed GetObjects… Apparently we just removed it from the API dump… :disappointed:

GetObjects is the root of all evil. Unrestricted insert privileges. May as well not even disable inserting in your game until we actually remove that function.


Could loadstring not also be removed entirely from the client?

1 Like

What does this mean? They can insert models you own, or any model at all? And is it inserted into the server or just client?

:GetObject() will insert ANY MODEL so long as the model is for sale. Ownership doesn’t matter. It will insert on the serverside unless FE is on.

1 Like

Ah so it’s yet more trouble for non FE games?

Effectively, yes.

Adding to that, it doesn’t even have to be a web asset. GetObjects accepts a content string so you can link it to rbxm files on your computer, for quick and easy exploit injections.

IIRC GetObjects can insert anything that is:

  • free
  • created by a Contributor account (ROBLOX, Games, etc)
  • located locally on your pc
  • owned by the developer
  • or owned by the local player

Disabling client side inserting doesn’t affect it, and even if you allowed client side inserting it would still be more powerful than InsertService.

So when is this going to be shut off/fixed, since it doesn’t appear to have a use?

The only “good” side of GetObjects is that it allows me to lessen the work on my patner for making his animations R15 compatible - but besides that, if sharing animations was easier, it’d be great to have this area of insecure API removed.

I mentioned this to Seranok ages ago (like months) and he said that it (and presumable ::GetObjects) were removed. That’s clearly not a thing that’s happened, but that might be why you were under that impression.

I don’t think that one applies? iirc, GetObjects with rbxassetid:// is the same as GetObjects with /asset/?id=, which’ll just download the file the same way as if done by going to that address in the browser. Thus you can insert every free model, or private models you have access to.

Apart from that, I thought loadstring() didn’t work clientside anymore, that it even got removed, no? Might this code be executed inside one of those “lvl7 environments”, that also have getrawmetatable(), saveinstance(), … ?

EDIT: Did a quick test online: game.GetObjects is indeed removed. Either that code is very old, or it’s for one of those exploit environments.

1 Like

GetObjects has been re-implemented by some exploits. It isn’t in the normal client anymore. It might appear in the API though as it does exist in studio, server, and for internal unit tests.

That said, it can only do what the exploit could already do. Basically, the exploit has a convenience command that has the familiar name “GetObjects” to allow existing exploit localscripts to work more easily.