Exploits: Difference between revisions

Browse history interactively

← Older edit

Content deleted Content added

VisualWikitext

Revision as of 04:30, 18 August 2023 view source Alco Rs11 (talk \| contribs) Patrollers, File uploaders 19 edits No edit summary Tag: Visual edit ← Older edit		Latest revision as of 22:47, 4 September 2023 view source Video (talk \| contribs) Patrollers, File uploaders 171 edits No edit summary Tag: Visual edit: Switched
(15 intermediate revisions by 5 users not shown)
Line 1: [[File:OmegaTrack_flatlands_heatmap.png\|thumbnail\|Heatmap of player activity gathered from collected coordinates using Worldcom, a coordinate exploit that was patched in July 2023 but continued to be used on the server for an entire month afterwards]] TotalFreedom has had a long history of exploits being used both maliciously and harmlessly. == Unknown ==▼ Some exploits were discovered so long ago that knowledge of when they were initially discovered or first used are widely unknown. ===Columbus Griefing=== Columbus Griefing was an exploit in which a player would fly insanely fast (whether it be by using the <code>/speed</code> command or by using a combination of hacks) to force the server to load or generate dozens of chunks at a time, with the goal being to lag or even crash the server. The term was coined in October 2014 by '''TheMinecraft''' in a thread on the ProBoards forum which explained the exploit. == 2014 == === Invalid Flower === Invalid Flower was an exploit discovered in early 2014 for Minecraft 1.7.x that crashed players who attempted to render a nonexistent variant of a flower. This exploit was maliciously used to crash players' clients and prevent them from joining the server. == 2016 == ===Too Many Particles=== Too Many Particles (also known internally as simply Particle Crash Exploit) was an exploit discovered in April 2016 that used the <code>/particle</code> command to effectively freeze players' clients completely. Upon discovery, a suggestion was created to block the command for non-operators and was approved in August 2016. The exploit resurfaced in early 2022 as an administrative tool to help combat the then-ongoing [[Akefu Raids]] by completely freezing the attackers' clients. This was done specifically to waste the attackers' time and frustrate them, as they would have to constantly close their game with the Task Manager and restart it manually. For the most part, this was hugely successful and the attackers were becoming noticeably frustrated in both the messages they were spamming and in the group chats where they were coordinating the attacks. == 2020 == ===~~Moving_Piston~~Moving Piston=== Discovered in November 2020, the '''Moving Piston''' exploit is an exploit affecting only servers running Spigot and was subsequently abused in the subsequent months by taking advantage of a bug in Spigot that is caused when a tile entity (e.g. a chest) is overwritten with a ''moving_piston'' block by replacing the tile entity with WorldEdit or similar plugins that replace blocks. The server then crashes when it tries to fix the overwritten tile entity. It affected Minecraft 1.16.4 and eventually was patched. == 2021 == Line 16 ⟶ 31: == 2022 == ===Infinity Cart=== Infinity Cart was an exploit discovered ~~by the Moles~~ in March 2022 that abused a lack of validation in entity loot tables which caused affected servers to fail to remove entities with the exploit applied. When a server would attempt to remove the entities (whether it be by command or by the entity being in the void), the invalid loot table would cause an exception to be thrown and would either abort whatever was trying to remove it or outright crash the server. When the entity was put in the void at a world spawn, the server would effectively be sent into a crash loop because the Minecart would be loaded in as soon as it finished starting up. This exploit was initially patched by [[Community:Telesphoreo\|Telesphoreo]] in a private fork of Paper, which was later superseded by the [[Scissors]] project. ▼ This exploit in particular prompted the development team to begin work on a fork of the Paper server software called Scissors, which became the foundation for exploit patches as the year progressed and more exploits were patched.▼ ▲~~This~~It ~~exploit in~~was ~~particular~~what prompted the development team to begin work on ~~a fork of the Paper server software called~~ Scissors, which became the foundation for exploit patches as the year progressed and more exploits were ~~patched~~discovered. ~~=== Worldcom ===~~ Worldcom was an exploit discovered by [[Community:VideoGameSm12\|videogamesm12]] in August 2022 which allowed players to obtain the player data of any entity in the same world as them. The exploit worked by abusing the lack of a distance check in the "Query Entity Tag" packet.▼ Video created a fork of [[Community:EpsilonBot\|EpsilonBot]] to use the exploit to collect consenting player's in-game coordinates every few seconds and store them in a PostgreSQL database, with the ultimate goal being to find builds to independently archive them.▼ === ~~New Columbus Grief Exploit~~SilentTP === The '''New Columbus Grief Exploit''' is a modified version of the classic Columbus Grief exploit which involves a player flying at a high speed to load as many chunks as possible which puts stress on the server, lowering the TPS. This version is more discrete as players boost their speed primarily through a hacked client which makes it harder to detect whereas the classic version requires /speed 10, this version can be done with lower speeds because a player uses their hacked client that has a "timer" function (which allows for higher speeds) to add the required boost of speed to do the exploit. As with the classic Columbus Griefing exploit, you can detect its usage by looking for <code> [PLAYER] moved too quickly!</code> errors in the server console. SilentTP, colloquially referred to as the first Nocom exploit, or just Nocom, was a text component that allowed for querying of a target player's position tag when resolved, even if they had TPToggle disabled in Essentials. This was added to [[DeviousMod]] in the form of a command allowing the user to automatically execute the exploit and teleport using Essentials to the target player's coordinates. Later, this was added to [[Community:SexiestBot\|SexiestBot]] in the form of an algorithm which queried the position of every player connected to the server, allowing for teleportation to any player without having to first install DeviousMod. ▲== Unknown == ~~===Particle Crash Exploit===~~ This exploit was initially undiscovered for a few days, until [[Community:fyyv\|fyyv]] made a suggestion on the forums, detailing how it deliberately circumvented TPToggle, recommending the developers patch the exploit<ref>https://web.archive.org/web/20230726113259/https://totalfreedom.me/forum/thread/4096-prohibit-the-creative-nocom-exploit/</ref>. SexiestBot was banned when the suggestion was accepted, and was later unbanned once the SilentTP functionality had been completely removed. It was later patched fully in Scissors by [[Community:VideoGameSm12\|VideoGameSm12]]. The '''Particle Crash Exploit''' was an exploit that was discovered at an unknown date but used throughout mid-2022 extensively, mainly from May to June 2022 as a reasonably effective way to combat the [[Akefu Raids]]. It worked by simply generating a large amount of particles via the <code>/particle</code> command which would cause anyone's client which was targeted by the command to instantly freeze unless they turned particles off or had them blocked. This exploit was used extensively by [[Community:Alco Rs11\|Alco_Rs11]] with often hilarious results while combating the raids. ===~~Classic~~ ~~Columbus~~Worldcom ~~Grief~~=== ▲Worldcom was an exploit discovered by [[Community:VideoGameSm12\|videogamesm12]] in August 2022 which allowed players to obtain the player data of any entity in the same world as them. The exploit worked by abusing the lack of a distance check in the "Query Entity Tag" packet. '''Columbus Griefing''' was an exploit in which a player would set their /speed to the max and fly as fast as possible in an attempt to lag the server by loading as many chunks as possible, putting strain on the server. A newer version was 'discovered' in 2022 that involved using a hacked client's timer function to avoid raising suspicion with /speed. ▲ ▲Video created a fork of [[Community:EpsilonBot\|EpsilonBot]] to use the exploit to collect consenting player's in-game coordinates every few seconds and store them in a PostgreSQL database, with the ultimate goal being to find builds to independently archive them.