[Exploit] Summon any monster at any server without gm account

03/25/2020 21:16 gigola123#1
OPCODE: 0x34BB

Hello everyone, today I just discovered that we can summon any monster on any server without a GM account; you can also spawn NPCs. Sorry to the servers where I've spawned those monsters. It was just a test.

Proof of concept:



As you can see in the second video, it's not only client-side.

I guess it's JGuard and NaviFilter which are used on those servers.

I'm really sorry again for KeonSro, I've spawned Roc, I should have spawned something else, sorry again.
(I contacted the GMs of both servers to restart them)
03/25/2020 21:56 A new hope#2
gz man good stuff
03/25/2020 22:15 Alpha-x71#3
Thanks for letting me know. (Fixed)
03/25/2020 23:55 VEssence#4
I wonder which exploit is this, there was a shard manager exploit that I used to use years ago. Is that it?
03/26/2020 01:19 JoleChow*#5
Awesome :topnep:
Would be nice if you released the fix though (exploit opt) :)
03/26/2020 02:47 PortalDark#6
It was a good idea to post this. Now the people will know this is a thing and will have it fixed in no time instead of having a rogue group abusing this
03/26/2020 02:50 b0ykoe#7
Quote:
Originally Posted by PortalDark View Post
It was a good idea to post this. Now the people will know this is a thing and will have it fixed in no time instead of having a rogue group abusing this
The opcode was posted here [link] btw, they removed it ^-^
03/26/2020 03:27 gigola123#8
Quote:
Originally Posted by b0ykoe View Post
The opcode was posted here [link] btw, they removed it ^-^
Yes, it was a stupid move on my part. I was just sharing what I've discovered, and I didn't know that the client can inject this packet. I thought Joymax would secure it by verifying who is sending the packet, but it's not the case.
03/26/2020 04:29 DaxterSoul#9
I think it comes down to devs being inconsistent with the opcodes.

The AgentServer filters all incoming packets based on some rules:
First, it filters all framework opcodes (0x2000->0x2FFF, 0x6000->0x6FFF, 0xA000->0xAFFF) with some exceptions:
Code:
0x600D (massive)
0x6103 (auth)
0x6110
0x6314 (cas_request)
0x6316 (cas_answer)
0x2110
0x2113 (xtrap)
0x2001 (identity)
0x2002 (keep alive)
Second, it removes all acknowledges (0x8000, 0x9000, 0xA000, 0xB000) and any opcode > 0x07FF in their respective group.

0x9000 is only allowed in _OnMsgReceivedBeforeHandshake().

So the remaining allowed opcode ranges are:
Code:
0x1000 -> 0x17FF: NetEngineNoDir
0x5000 -> 0x57FF: NetEngineReq
0x3000 -> 0x37FF: GameNoDir
0x7000 -> 0x77FF: GameReq


The exploit happens to be within this range, good luck :P
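The rules in this post, as an added Python model written for this thread (not the AgentServer's or any filter's actual code; my reading of the rules, and dropping the groups the post does not mention, are assumptions). It reproduces the remaining allowed ranges, shows that the reported opcode 0x34BB passes a filter built that way, and contrasts a "block unknown opcodes" allowlist, constructed here from the page's exception list only, which drops it.

```python
# Framework opcodes the described filter lets through despite their group.
FRAMEWORK_EXCEPTIONS = {0x600D, 0x6103, 0x6110, 0x6314, 0x6316,
                        0x2110, 0x2113, 0x2001, 0x2002}
# Groups that survive the rules: NetEngineNoDir, GameNoDir, NetEngineReq, GameReq.
SURVIVING_GROUPS = {0x1000, 0x3000, 0x5000, 0x7000}
REPORTED_OPCODE = 0x34BB  # the opcode reported in the first post


def denylist_filter(opcode: int) -> bool:
    """True if a client-sent opcode passes the rule-based (denylist) filter."""
    group = opcode & 0xF000
    # Rule 1: framework groups are dropped except for the listed exceptions.
    if group in (0x2000, 0x6000, 0xA000):
        return opcode in FRAMEWORK_EXCEPTIONS
    # Rule 2: acknowledge groups are never accepted after the handshake.
    if group in (0x8000, 0x9000, 0xA000, 0xB000):
        return False
    # Rule 2 (cont.): within a group only 0x000..0x7FF is allowed.
    if (opcode & 0x0FFF) > 0x07FF:
        return False
    # Assumption: groups the post does not mention (0x0xxx, 0x4xxx, 0xCxxx-0xFxxx) are dropped.
    return group in SURVIVING_GROUPS


# Constructed allowlist: only opcodes the operator has explicitly vetted. Here it
# holds just the page's exception list; a real deployment adds its vetted game opcodes.
KNOWN_CLIENT_OPCODES = set(FRAMEWORK_EXCEPTIONS)


def allowlist_filter(opcode: int) -> bool:
    """True only for opcodes that were explicitly reviewed; everything unknown is dropped."""
    return opcode in KNOWN_CLIENT_OPCODES


def allowed_ranges(filter_fn):
    """Collapse every 16-bit opcode accepted by filter_fn into contiguous (first, last) ranges."""
    ranges = []
    for op in range(0x10000):
        if filter_fn(op):
            if ranges and ranges[-1][1] == op - 1:
                ranges[-1][1] = op
            else:
                ranges.append([op, op])
    return [tuple(r) for r in ranges]


if __name__ == "__main__":
    for first, last in allowed_ranges(denylist_filter):
        print(f"denylist passes 0x{first:04X} -> 0x{last:04X}")
    for name, fn in (("denylist", denylist_filter), ("allowlist", allowlist_filter)):
        verdict = "PASSES" if fn(REPORTED_OPCODE) else "blocked by"
        print(f"0x{REPORTED_OPCODE:04X} {verdict} the {name} filter")
```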
03/26/2020 09:24 sonzenbi#10
Well
I just woke up and saw this on my server :lul:
03/26/2020 09:28 #HB#11
Finally exposed.. BB me no play :D

Shouldn't work on servers that block unknown opcodes.
03/26/2020 12:03 Hercules*#12
So how can we block it?
03/26/2020 13:00 Devsome#13
Quote:
Originally Posted by Hercules* View Post
So how can we block it?
Don't trust random filters
03/26/2020 15:09 Mudzas#14
Thanks for sharing this. So far, no issues detected with all unknown opcodes blocked. :D
03/26/2020 16:04 Laag#82#15
Quote:
Originally Posted by sonzenbi View Post
Well
I just woke up and saw this on my server :lul:
Fix -> (0xA003)