Trinitycore: exploit spam duel starting!

Created on 2 Sep 2018 · 19 Comments · Source: TrinityCore/TrinityCore

Hack exploit!
A player offers me a duel and, during or at the end of the duel, sends me "Duel starting" spam..

To fix it you just need to log out!

http://i63.tinypic.com/dlqf5y.png

OS: Windows Server 2012
TC 3.3.5
Version:
https://github.com/TrinityCore/TrinityCore/commit/1cc3d33cfe7e51d66925d5df536a952165a88094

Branch-3.3.5a Comp-Core Sub-Chat

All 19 comments

Update your core before reporting bugs.

What?

My version is new!

1cc3d33

@Hir0shi your core is from Feb 19; it is now Sep 02. That is not new!!!

OK, I will update to https://github.com/TrinityCore/TrinityCore/commit/133c91ca4368487af50f33253579a30845e28b1b

BUG:
A player offers me a duel and, during or at the end of the duel, sends me "Duel starting" spam!
To fix it you just need to log out!

@Hir0shi: that image link (http://oi65.tinypic.com/ziq78o.jpg) is identical to the one you posted when opening the issue, when you said your core revision hash was https://github.com/TrinityCore/TrinityCore/commit/1cc3d33cfe7e51d66925d5df536a952165a88094 .

That is not convincing as "proof" that this issue remains after updating and testing again. Also make sure your Cache folder has been deleted between tests. Please post a screenshot that includes the output of .server info (unlock your chat window so you can resize it to show more text output) and test again.

Any confirmation of this issue existing (or not) from other users would be quite useful here.

Cannot reproduce on rev. a10870571558

Not even manually forging the packet ?

I can confirm this issue exists in: 5843724debc3642434c055e5cf6f29a1eaf65358 ( someone did it on me but didn't give me any useful information )

Without steps to reproduce the issue, it is going to be hard to fix it.

@tje3d post a screenshot too if you encounter it again, please.

@jackpoz Ok i will.
I see exactly the same thing as Hir0shi.

A few things that might be useful:

  • You have to send the duel request to the exploiter (the exploiter can't ask you for a duel; this is how it was done to me).
  • After I asked the exploiter for a duel and he accepted it, I didn't see the countdown from 3; instead it started from -1 and I received 20+ messages (Duel starting: -10...), one every second. I'm not sure, but I think the duel started immediately.
  • Relogging and reopening the client doesn't work for me; I still see those messages after relogging. But removing the Cache folder works (macOS).
  • When you start another duel while you are receiving that spam, the countdown resets to -1.

https://github.com/TrinityCore/TrinityCore/blob/3.3.5/src/server/game/Handlers/DuelHandler.cpp#L26
HandleDuelAcceptedOpcode() just sends a countdown of 3 seconds and doesn't read any data from the client; strange that it shows like that in-game.

Do you have any custom changes at all?

@jackpoz No, Never!

@Treeston

Highlighting random developers is an excellent way to get banned from the repo.

First: clone WowAddin (WoW Console) from https://github.com/tomrus88/WowAddin
Then: use the code below as a method and register the command so that it works.

// Replays CMSG_DUEL_ACCEPTED `Count` times from the client side.
// Delay, CDataStore, CMSG_DUEL_ACCEPTED, GetTargetGuid, ClientServices,
// Console and ECHO_COLOR come from the WowAddin project; Delay is assumed to
// be a global pacing interval in milliseconds defined elsewhere in the addin.
BOOL DuelAccept(char const*, char const* String)
{
    long Count = atoi(String);   // number of packets to send, from the command argument

    if (Count <= 0)
        Count += 1;              // no/invalid argument: send one packet (as posted)

    for (long A = 0; A < Count; ++A)
    {
        if (Delay > 1)
            Sleep(Delay);        // optional pacing between packets

        // Same payload the client sends for a legitimate accept: the target's GUID.
        CDataStore Data(CMSG_DUEL_ACCEPTED);
        Data.PutInt64(GetTargetGuid());
        Data.Finalize();
        ClientServices::SendPacket(&Data);
    }

    Console::Write("Packet Sent %u Times", ECHO_COLOR, Count);
    return true;
}

Fixed duel countdown spam exploit

diff --git a/src/server/game/Entities/Player/Player.cpp b/src/server/game/Entities/Player/Player.cpp
index 65e7ec8586..536829500d 100644
--- a/src/server/game/Entities/Player/Player.cpp
+++ b/src/server/game/Entities/Player/Player.cpp
@@ -532,6 +532,8 @@ Player::Player(WorldSession* session): Unit(true)

     m_achievementMgr = new AchievementMgr(this);
     m_reputationMgr = new ReputationMgr(this);
+
+    IsDueling = false;
 }

 Player::~Player()
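Review bot: assigning `IsDueling = false;` at the end of the Player constructor body is fragile; prefer a default member initializer in Player.h (`bool IsDueling = false;`) so the flag can never be read uninitialized from another constructor or initialization path. The flag also duplicates state the duel struct already carries (`startTimer`, which HandleDuelAcceptedOpcode sets), so consider testing that field instead of adding a parallel flag that has to be kept in sync.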
diff --git a/src/server/game/Entities/Player/Player.h b/src/server/game/Entities/Player/Player.h
index ad587942ef..acbd3b2585 100644
--- a/src/server/game/Entities/Player/Player.h
+++ b/src/server/game/Entities/Player/Player.h
@@ -2279,6 +2279,9 @@ class TC_GAME_API Player : public Unit, public GridObject<Player>

         std::string GetMapAreaAndZoneString() const;
         std::string GetCoordsMapAreaAndZoneString() const;
+   
+        // Duel flag
+        bool IsDueling;

     protected:
         // Gamemaster whisper whitelist
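Review bot: `bool IsDueling;` is added as a public, uninitialized data member (and the blank `+` line above it carries trailing whitespace); move it below `protected:` behind an accessor, or at least give it a default initializer, so it matches how neighbouring player state is exposed through getters such as GetMapAreaAndZoneString().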
diff --git a/src/server/game/Handlers/DuelHandler.cpp b/src/server/game/Handlers/DuelHandler.cpp
index 52513106e7..d82ebacbd0 100644
--- a/src/server/game/Handlers/DuelHandler.cpp
+++ b/src/server/game/Handlers/DuelHandler.cpp
@@ -39,6 +39,9 @@ void WorldSession::HandleDuelAcceptedOpcode(WorldPacket& recvPacket)
     if (player == player->duel->initiator || !plTarget || player == plTarget || player->duel->startTime != 0 || plTarget->duel->startTime != 0)
         return;

+    if (player->IsDueling || plTarget->IsDueling)
+        return;
+
     //TC_LOG_DEBUG("network", "WORLD: Received CMSG_DUEL_ACCEPTED");
     TC_LOG_DEBUG("network", "Player 1 is: %u (%s)", player->GetGUID().GetCounter(), player->GetName().c_str());
     TC_LOG_DEBUG("network", "Player 2 is: %u (%s)", plTarget->GetGUID().GetCounter(), plTarget->GetName().c_str());
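Review bot: the new `if (player->IsDueling || plTarget->IsDueling) return;` treats the symptom rather than the cause visible one line above: the existing guard tests `startTime`, which stays zero during the countdown, and ignores `startTimer`, which this very handler sets. Extending the guard with `player->duel->startTimer != 0 || plTarget->duel->startTimer != 0` closes the replay window without a new member variable.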
@@ -47,6 +50,9 @@ void WorldSession::HandleDuelAcceptedOpcode(WorldPacket& recvPacket)
     player->duel->startTimer = now;
     plTarget->duel->startTimer = now;

+    player->IsDueling = true;
+    plTarget->IsDueling = true;
+
     player->SendDuelCountdown(3000);
     plTarget->SendDuelCountdown(3000);
 }
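Review bot: within this diff the two `IsDueling = true;` assignments are only ever undone in HandleDuelCancelledOpcode; nothing here clears them when a duel ends any other way (win, out of range, logout) or when the pending request is declined, so both players would be unable to accept a later duel. Reset the flag wherever the duel struct is torn down, or rely on the duel struct's own fields instead.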
@@ -61,6 +67,9 @@ void WorldSession::HandleDuelCancelledOpcode(WorldPacket& recvPacket)
     if (!GetPlayer()->duel)
         return;

+    GetPlayer()->IsDueling = false;
+    GetPlayer()->duel->opponent->IsDueling = false;
+
     // player surrendered in a duel using /forfeit
     if (GetPlayer()->duel->startTime != 0)
     {
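Review bot: `GetPlayer()->duel->opponent->IsDueling = false;` dereferences `opponent` without a null check and runs before the handler has decided whether this is a forfeit or a decline; since the thread mentions logout as a workaround, the opponent pointer may not be valid here. Guard it (`if (Player* opponent = GetPlayer()->duel->opponent)`) and reset the flag where the duel is actually finished rather than at the top of the handler.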

how come the "plTarget->duel->startTime != 0" check doesn't handle this case ?

There are two variables on duels right now. startTime and startTimer. They do different things. It's dumb.

startTime = 0, startTimer = n is duel countdown, countdown started at time n
startTime = n, startTimer = 0 is duel in progress, duel started at time n

Fix will be pushed momentarily.
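Added example, not TrinityCore's code and not from any commenter: a small C++ model of the two duel fields the last comment describes and of the accept handler with and without a check on startTimer, driven by the same packet replay the WowAddin command above performs. DuelInfo, World, handle_duel_accept_vulnerable, handle_duel_accept_fixed and replay_accepts are stand-in names chosen for this example, not TrinityCore identifiers; the GUIDs and timestamps are constructed.

```cpp
// Added example, not TrinityCore code: a model of Player::duel and of
// HandleDuelAcceptedOpcode, with and without a startTimer check.
// DuelInfo, Player, World, handle_duel_accept_* and replay_accepts are
// stand-in names chosen for this example; GUIDs and timestamps are made up.
#include <cstdint>
#include <cstdio>
#include <ctime>
#include <memory>
#include <string>
#include <vector>

// The two fields the thread explains:
//   startTime == 0, startTimer == n : countdown running, started at time n
//   startTime == n, startTimer == 0 : duel in progress, started at time n
struct DuelInfo {
    uint64_t initiator = 0;   // GUID of the player who sent the request
    uint64_t opponent = 0;    // GUID of the other participant
    time_t startTime = 0;
    time_t startTimer = 0;
};

struct Player {
    uint64_t guid = 0;
    std::string name;
    std::unique_ptr<DuelInfo> duel;   // null when no duel is pending or running
    int countdownsSent = 0;           // counts SendDuelCountdown() calls
    void SendDuelCountdown(uint32_t /*ms*/) { ++countdownsSent; }
};

struct World {
    std::vector<Player> players;
    Player* find(uint64_t guid) {
        for (auto& p : players)
            if (p.guid == guid) return &p;
        return nullptr;
    }
};

// What the server gets from CMSG_DUEL_ACCEPTED: which session sent it. The
// payload carries no countdown value, so the "-10" is not forged client data.
struct DuelAcceptedPacket { uint64_t senderGuid; };

// Original logic: an accept is rejected only once the duel is *in progress*
// (startTime != 0). During the 3 s countdown startTime is still 0, so every
// replayed accept passes, re-arms startTimer and re-sends the countdown.
void handle_duel_accept_vulnerable(World& w, const DuelAcceptedPacket& pkt, time_t now) {
    Player* player = w.find(pkt.senderGuid);
    if (!player || !player->duel) return;
    Player* target = w.find(player->duel->opponent);
    if (player->guid == player->duel->initiator || !target || !target->duel
        || player == target || player->duel->startTime != 0 || target->duel->startTime != 0)
        return;
    player->duel->startTimer = now;
    target->duel->startTimer = now;
    player->SendDuelCountdown(3000);
    target->SendDuelCountdown(3000);
}

// Same handler with the missing condition: an accept is also invalid while a
// countdown is already running (startTimer != 0) on either side.
void handle_duel_accept_fixed(World& w, const DuelAcceptedPacket& pkt, time_t now) {
    Player* player = w.find(pkt.senderGuid);
    if (!player || !player->duel) return;
    Player* target = w.find(player->duel->opponent);
    if (player->guid == player->duel->initiator || !target || !target->duel
        || player == target || player->duel->startTime != 0 || target->duel->startTime != 0
        || player->duel->startTimer != 0 || target->duel->startTimer != 0)
        return;
    player->duel->startTimer = now;
    target->duel->startTimer = now;
    player->SendDuelCountdown(3000);
    target->SendDuelCountdown(3000);
}

// State after GUID 1 requested a duel with GUID 2 and nobody has accepted yet.
World make_pending_duel() {
    World w;
    Player initiator; initiator.guid = 1; initiator.name = "victim";
    Player acceptor;  acceptor.guid = 2;  acceptor.name = "exploiter";
    initiator.duel = std::make_unique<DuelInfo>();
    initiator.duel->initiator = 1; initiator.duel->opponent = 2;
    acceptor.duel = std::make_unique<DuelInfo>();
    acceptor.duel->initiator = 1;  acceptor.duel->opponent = 1;
    w.players.push_back(std::move(initiator));
    w.players.push_back(std::move(acceptor));
    return w;
}

// Replays `count` CMSG_DUEL_ACCEPTED packets from `sender`, like the WowAddin
// command in the thread, and returns how many countdown packets GUID 1 got.
int replay_accepts(bool fixed, uint64_t sender, int count) {
    World w = make_pending_duel();
    auto handler = fixed ? &handle_duel_accept_fixed : &handle_duel_accept_vulnerable;
    DuelAcceptedPacket pkt{sender};
    for (int i = 0; i < count; ++i)
        handler(w, pkt, static_cast<time_t>(1000 + i));
    return w.find(1)->countdownsSent;
}

int main() {
    std::printf("vulnerable, 20 replays: initiator got %d countdowns\n", replay_accepts(false, 2, 20));
    std::printf("fixed, 20 replays: initiator got %d countdowns\n", replay_accepts(true, 2, 20));
    std::printf("fixed, initiator accepting its own request: %d countdowns\n", replay_accepts(true, 1, 20));
    return 0;
}
```

Build with `g++ -std=c++14 duel_model.cpp`. With the original guard the victim receives one countdown per replayed packet (20 for 20 packets, matching the "20+ messages" tje3d describes), while the guard that also tests startTimer lets only the first accept through; the initiator's own accept is refused in both variants, which is why the request has to come from the victim.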
