
[BUG]: Exploit (NEW)

Open Defect3dz opened this issue 11 months ago • 7 comments

👉👈 Contact Details (optional)

No response

🤔 What happened?

There is another exploit. (We are using ReHLDS with the exploit from issue #1074 fixed, and are also using the safe_userinfo plugin.) This exploit is new and does not have protection. When the exploit is done we freeze, and in the console I see this: SZ_GetSpace: overflow on netchan-message

I will post tcpdump and IP of Exploiter below:

Exploiter's IP: 193.32.248.201 and 193.32.248.239

tcpdump: attacker.zip

⚠️ Meta-information

Protocol version 48 
Exe version 1.1.2.7/Stdio (cstrike) 
ReHLDS version: 3.14.0.861-dev 
Build date: 22:09:06 Apr 03 2025 (4009) 
Build from: https://github.com/rehlds/ReHLDS/commit/98b4103

ReGameDLL version: 5.26.0.668-dev
Build date: 19:02:48 Dec 31 2023
Build from: https://github.com/s1lentq/ReGameDLL_CS/commit/d3c0ec8

Linux

📄 Relevant log output


Defect3dz avatar May 16 '25 22:05 Defect3dz

Not a bug, probably some kind of flood.

Payload size: Alternating between 86 and 90 bytes
Payload: Varies per packet but starts with binary junk and recognizable HLDS markers (e.g. ff 44 69 6a which is "Dij" in ASCII)


EVOLCORE avatar May 18 '25 11:05 EVOLCORE

The attacker uses a speedhack (moves with 62 ticks and 255 msec inside), but rehlds should detect such a ticks flood.

@Defect3dz what values does your server use for the following variables?

sv_rehlds_movecmdrate_avg_punish
sv_rehlds_movecmdrate_burst_punish
sv_rehlds_movecmdrate_max_avg
sv_rehlds_movecmdrate_max_burst

I recommend using the default values, so the server will ban the attacker with such flood. Also the server freeze during an attack most likely occurs due to plugins using client_PreThink / client_PostThink calls.

Splatt581 avatar May 18 '25 16:05 Splatt581

@Defect3dz It looks like the attacker is flooding the server with a certain type of package. This should be detected by ReHLDS without any problems, but here we encounter a problem. If the player floods the server in such a way that he does not have to be connected to the server, and floods through some program that directly sends UDP packets, then there is nothing you can do except contact the hosting or take certain protection.

Video : #hidden

In this video, the attacker uses a certain yet unknown method of sending packets. He states in the video that his program can "allegedly" bypass rehlds and spoof the attacker's IP. Also, the server in the video reacts the same as in your description: it freezes until the attacker stops the attack. My recommendation is to contact hosting.

HarmonicWay avatar May 19 '25 09:05 HarmonicWay

The attacker uses a speedhack (moves with 62 ticks and 255 msec inside), but rehlds should detect such a ticks flood.

@Defect3dz what values does your server use for the following variables?

sv_rehlds_movecmdrate_avg_punish
sv_rehlds_movecmdrate_burst_punish
sv_rehlds_movecmdrate_max_avg
sv_rehlds_movecmdrate_max_burst

I recommend using the default values, so the server will ban the attacker with such flood. Also the server freeze during an attack most likely occurs due to plugins using client_PreThink / client_PostThink calls.

Sorry for the late reply. After finally getting in contact with the server owner, he gave me this information:

sv_rehlds_movecmdrate_avg_punish -5
sv_rehlds_movecmdrate_burst_punish -5
sv_rehlds_movecmdrate_max_avg 1800
sv_rehlds_movecmdrate_max_burst -1

Another thing that player reported to me is that the attacker is dying very fast and very often, unusually fast dying, and they said they saw him using speedhack too, so you are right. Sorry for not giving all the information in the first place.

What should be the default values for these cvars, and what should I tell the owner to do with plugins using client_PreThink / client_PostThink calls?

Would installing this module for speedhack detection help? It blocks speedhack on other servers.

Thanks for your reply @Splatt581

Defect3dz avatar May 19 '25 13:05 Defect3dz

sv_rehlds_movecmdrate_avg_punish -5
sv_rehlds_movecmdrate_burst_punish -5
sv_rehlds_movecmdrate_max_avg 1800
sv_rehlds_movecmdrate_max_burst -1

Try this:

sv_rehlds_movecmdrate_avg_punish 5
sv_rehlds_movecmdrate_burst_punish 5
sv_rehlds_movecmdrate_max_avg 1800
sv_rehlds_movecmdrate_max_burst 5500

These are default values and they should help.

What should be the default values for these cvars, and what should I tell the owner to do with plugins using client_PreThink / client_PostThink calls?

Most likely the problem is not in the plugins, but in the disabled sv_rehlds_movecmdrate_max_burst cvar on the server. Try setting the values I wrote above and check if the problem goes away.

Would installing this module for speedhack detection help? It blocks speedhack on other servers.

I think it won't be superfluous.

Splatt581 avatar May 19 '25 20:05 Splatt581
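
A small audit of the four cvars discussed above, as an added example that is not part of the thread or of ReHLDS: it parses a server.cfg-style file and reports each value that differs from the ones recommended in the thread. The file contents are constructed from the values posted in the thread, the function names are hypothetical, and treating any negative max_* value as disabled is an assumption.

```python
import re

# Values recommended in the thread above (quoted there as the defaults).
RECOMMENDED = {
    "sv_rehlds_movecmdrate_avg_punish": 5,
    "sv_rehlds_movecmdrate_burst_punish": 5,
    "sv_rehlds_movecmdrate_max_avg": 1800,
    "sv_rehlds_movecmdrate_max_burst": 5500,
}
LINE_RE = re.compile(r'^\s*(\w+)\s+"?([^"\s]+)"?')

def parse_cfg(text):
    """Return {cvar: value string}; a later line overrides an earlier one."""
    values = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("//", 1)[0])  # drop // comments first
        if m and m.group(1) in RECOMMENDED:
            values[m.group(1)] = m.group(2)
    return values

def audit(text):
    """Return (cvar, found, recommended, note) for each deviating cvar."""
    findings = []
    for name, value in parse_cfg(text).items():
        want = RECOMMENDED[name]
        try:
            got = float(value)
        except ValueError:
            findings.append((name, value, want, "not a number"))
            continue
        if got == want:
            continue
        # Thread: max_burst -1 is "disabled"; extended to any negative max_* (assumption).
        disabled = "_max_" in name and got < 0
        note = "limit disabled" if disabled else "differs from recommended"
        findings.append((name, value, want, note))
    return findings

# Constructed sample: the values the server owner reported in the thread.
SAMPLE_CFG = """\
sv_rehlds_movecmdrate_avg_punish -5
sv_rehlds_movecmdrate_burst_punish "-5"
sv_rehlds_movecmdrate_max_avg 1800
// sv_rehlds_movecmdrate_max_burst 5500   (commented out, ignored)
sv_rehlds_movecmdrate_max_burst -1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print("%s = %s (recommended %s): %s" % finding)
```

Cvars that the file does not set are not reported, since the engine's built-in value applies to them.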

Okay owner replied that cvars are changed and module is installed anyway for general cheaters that will in future maybe use speedhack, and hosting will block packets if needed, thanks for your reply @Splatt581 and talk to you soon if needed.

Defect3dz avatar May 20 '25 23:05 Defect3dz

Okay owner replied that cvars are changed and module is installed anyway for general cheaters that will in future maybe use speedhack, and hosting will block packets if needed, thanks for your reply @Splatt581 and talk to you soon if needed.

Hello, were you able to solve the problem?

fcastilm avatar Jun 11 '25 14:06 fcastilm