why even pass the horse lmao
This is incorrect, see Fliptibell's reply
VVV
Here the player could probably pass some kind of table, e.g.
local horse = {
Destroy = function (self, ...)
--// The client can now run whatever code they want on the server
end
}
Try and find a workaround where passing the horse to the server from the client is unnecessary because this is a gaping flaw.
Wouldn't work. You can't pass functions across the client/server boundary.
EDIT: It still is a huge security flaw though because you can pass object references and destroy basically anything in the game, from the server, replicating to all players (yikes!)
So he just used the RemoteFunction to alter the skybox by sending code through that changes it?
ohhh, didn't know that!
Let me rephrase a bit, is it possible to access the Skybox and alter it when no LocalScript uses any RemoteEvents/Functions to access the Skybox?
It shouldn't be without a backdoor.
Alright thanks to everyone for replying, I'll just keep looking for a backdoor for now then!
I'd just like to say as the developer of Adonis, the script is open source if you'd like to scrutinize it, and no, I did not add a backdoor, and as far as I'm aware there is currently no way to abuse the script as a non-admin to accomplish what is being described. Based on what you've said, it sounds like he's only doing things that involve replication, as opposed to executing code server-side, so maybe they found some bug with FE that allows them to do this?
Also Studio has had instance/name searching built in for a while now. There should be a little search bar thing at the top of the Explorer window, right above Workspace. Typing in the name or classname to search for (such as 'Script') will show you everything that has a matching name or classname.
Also functions cannot be passed over remote events, however as previously stated any objects passed to the event in place of 'horse' will be destroyed. This means absolutely ANYTHING that the client sees that is a destroyable instance, which includes skyboxes, can be destroyed by abusing that remote.
Adonis has the ability to run server sided code from the client. I don't know if that is a factor but it's a good reason why you do not use free model admin unless you're just lazy, testing things, or idk
It doesn't sound like they are executing code server-side, and if they are they really aren't utilizing its full potential, though at the same time if they are actually making things server-side they would need to be doing the actual creation server-side as the server won't see anything the client passes to it through something like a remote event if it wasn't replicated to the server beforehand (a client can't fire a remote event with an object and tell the server to replicate it as the server would just see it as nil.) It's fully possible someone figured out a new way to bypass FE, as has happened in the past.
No offense to the OP, but if there was an FE bypass their game wouldn't be the one that'd be targeted.
Might be possible because they just want to, are testing on non-popular games, or do not want to easily be caught.
While I'd be inclined to agree, they are obviously the target of some form of exploiting that appears to be specialized enough to do what's being described consistently enough for it to be a problem for them. So regardless of how it's done, it's still happening, and it's likely not something common. I'm also inclined to believe it's not Adonis as if it was, building on your point, it would likely be happening in more games, enough for people to complain to me about it (as they usually do when I mess something up.)
I'd like to also say building on one of my previous replies after re-reading the initial post that if they are ONLY destroying and are NOT creating anything, then they are almost certainly abusing the previously discussed RemoteFunction and any other topics discussed here can be ignored as that's undoubtedly what they're using. If, however, they are creating objects as well then that's a whole different more serious problem, so start by fixing the obvious issues with the RemoteFunction and see if that solves it.
For reference of what they're probably doing:
--// I don't know where the RemoteFunction is located so I'm taking a guess
local func = game.ReplicatedStorage.Remotes.RemoveHorse

local function destroy(obj)
    --// pcall because RemoteFunctions return their errors to the client and actually error where
    --// they were invoked, and I'm not bothering to pass a humanoid, so the server will most certainly
    --// error when it tries to set the nonexistent humanoid's WalkSpeed (after the object is already gone)
    pcall(func.InvokeServer, func, nil, obj)
end

--// Now we can literally destroy everything
destroy(game.Lighting.Skybox)
for i, child in ipairs(workspace:GetChildren()) do
    destroy(child)
end
The best way to fix this would be to either stop destroying what the client tells it to (obviously) or at least validate that what you're about to destroy is actually a horse belonging to the player and not something else. For a little bit of guidance when going about this, it should be noted that assuming the RemoteFunction is the source of the problem (probably is) the client isn't actually replicating anything to the server, so they can't change the name of the object that the server sees and can't add or remove things from it, so you could always just add something to horses that identify them as being horses (like a string value named 'IsHorse' or something?) then just check for whatever it is you did to identify them before destroying the object passed, and if you don't see whatever it is then just ignore it (or smite them for being rude) (this is probably the last edit, I just didn't want to spam more replies or something)
I'd also advise removing Adonis from your game and only using the Developer Console (it's actually really easy to use once you get used to it.) A lot of modern Admin Commands have backdoors that allow exploiters to wreak havoc on your game, despite the name being Anti-Exploit or Admin Suite.
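As an added example (not code from the original thread or from any of the posters), here is the server side of the RemoveHorse RemoteFunction in the trusting shape the thread describes, next to a hardened handler that applies the tag-plus-ownership check suggested above. The remote location, the "IsHorse" StringValue, the "Owner" ObjectValue and the walk speed constant are all assumptions for the illustration; the important properties are that the server only ever acts on its own copy of the instance (which the client cannot rename or re-tag), that it looks up the caller's humanoid itself instead of accepting one from the client, and that it logs and refuses anything that is not a horse owned by the caller.

```lua
-- Added example, not code from the original thread. Roblox Luau, meant for a Script
-- in ServerScriptService. Assumed layout (not from the original post):
--   ReplicatedStorage.Remotes.RemoveHorse            RemoteFunction
--   workspace.Horses.<horse>                         Model spawned BY THE SERVER, containing
--       IsHorse                                      StringValue (marker)
--       Owner                                        ObjectValue, Value = the owning Player
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local removeHorse = ReplicatedStorage:WaitForChild("Remotes"):WaitForChild("RemoveHorse")
local DISMOUNT_WALKSPEED = 16 -- assumed default walk speed restored on dismount

-- VULNERABLE (the shape the thread describes): both arguments are trusted.
-- A client can call func:InvokeServer(nil, game.Lighting.Skybox) and the server
-- destroys the skybox for every player, because nothing here checks what was passed.
local function onRemoveHorseVulnerable(player, humanoid, horse)
    humanoid.WalkSpeed = DISMOUNT_WALKSPEED
    horse:Destroy()
    return true
end

-- HARDENED: the only thing accepted from the client is "which horse", and that
-- is validated against the server's own view of the world before anything happens.
local function onRemoveHorseHardened(player, horse)
    -- 1. Must be an Instance the server already knows about. Objects the client created
    --    locally arrive as nil; tables, strings and other values are rejected outright.
    if typeof(horse) ~= "Instance" then
        return false, "not an instance"
    end

    -- 2. Must be a horse model where the server keeps horses. The client cannot rename,
    --    re-parent or re-tag the server's copy, so these checks reflect server truth.
    local horseFolder = workspace:FindFirstChild("Horses")
    if not (horse:IsA("Model")
        and horse:FindFirstChild("IsHorse")
        and horseFolder
        and horse:IsDescendantOf(horseFolder)) then
        return false, "not a horse"
    end

    -- 3. Must belong to the caller. Owner was set by the server when the horse spawned.
    local owner = horse:FindFirstChild("Owner")
    if not (owner and owner:IsA("ObjectValue") and owner.Value == player) then
        -- Worth logging: a legitimate client never reaches this branch.
        warn(("[RemoveHorse] %s tried to destroy %s"):format(player.Name, horse:GetFullName()))
        return false, "not your horse"
    end

    -- 4. The humanoid is looked up from the server's own copy of the character,
    --    never taken from the client.
    local character = player.Character
    local playerHumanoid = character and character:FindFirstChildOfClass("Humanoid")
    if playerHumanoid then
        playerHumanoid.WalkSpeed = DISMOUNT_WALKSPEED
    end

    horse:Destroy()
    return true
end

-- The engine supplies the player argument itself; a client cannot spoof it.
removeHorse.OnServerInvoke = onRemoveHorseHardened
```

With the hardened handler wired up, the client-side loop shown earlier returns false for every non-horse it tries, and each attempt leaves a warning in the server log naming the player, which is also a reasonable first signal to build a kick or ban rule on.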
On the topic of passing functions and such, I had no idea that you could do that much with RemoteEvents, and makes me a bit worried now since some of my game uses object values.
From what I know Adonis is probably the best admin commands out there. Exploiters cannot run code using adonis.
You canât pass functions into RemoteEvents. They get removed. Try it. You can do it with normal function calls on the same computer and the same security identity. You canât do it with RemoteEvents, RemoteFunctions, BindableEvents, or BindableFunctions. With all of those, data is serialized then deserialized. For Remotes it is because data has to be sent over the network. For bindables it is done in order to prevent stuff like this from allowing code execution on higher security identities. When serialized, some data types are removed (such as functions).
Adonis is very useful for groups for holding events etc and it's very good at doing that.
Read the whole thread before suggesting that Adonis is the issue. Not only is Adonis completely open source, but the creator of it addressed the concerns of it being the problem. Check open source scripts before insinuating they could have a back door. I'm sure anyone, yourself included, wouldn't want to be accused of putting backdoors in their scripts.