How to Stop the Hacks

– to a mod; if you think this should go elsewhere please feel free to move it

Hello forum peoples! This is my first topic here, following this I’ll be releasing quite a few custom resources to help give back to the community.

I’m making this post to inform you all in a more serious manner than done previously, an exploit that allows your entire server to be kicked, temporarily banned, turned into whales, and plenty of other things.

This is all based around FiveM’s NUI system, and it’s some pretty serious stuff if you’re not watching what you’re downloading and slapping into your server. If you inspect some of your addons, you’ll notice functions labeled ‘RegisterNuiCallback’ – these can be used to to send messages back to the client from NUI based menu’s; it works great when it’s being used the right way.

Unfortunately, it doesn’t take a whole lot of creativity to exploit these functions; especially when the server doesn’t check the information the client is sending to it.

bifan1892×935 229 KB

This is our popup discord; we went around to every server with this vulnerability and kicked the entire server with a message displaying our discord, which had channels in it explaining how to fix it.

Short form patch? esx_spectate, mellotrainer, esx_k9, and most custom mdt systems are wide open to this exploit. Get rid of them.

Can’t part with your beloved addons? No problem; simply gather some more information about the client and the information they’re sending to the server and then allow the server to make the informed decision on whether or not to actually allow the requested command to be performed.

tl;dr delete esx_spectate, and mellotrainer

I’ll be posting a much bigger topic on this, and a walk-through on how to secure other resources such as your car dealer, garages, banking systems, and home systems against data editing with cheat engine and other programs.

We also owe a few people apologies if they feel they’ve been wronged after our little exploit spree; just give this topic a good read and we hope that you’ll make smarter decisions about the code you run on your servers.

we, being you. Good to know that you have been doing these actions as well.

Well, Really anything client can be touched. Yes NUI is easier but you can either way.

So. Don’t download probably around 50% of the releases section? Got it.

Yes. Nice to see that you posted something that’s 100% offtopic to this. This being finnish a simple translation going to:
“nig*ers from Vittuu, Finland for Valkonen, Finland”
“Vittuu” = Pu**y

So thanks for that!

That will most likely be taken down, to be honest

Our implying you as well… Again thanks.

Outrageous and over the top comment to be fair. This is not the owners/developers fault at all. It’s yours if anything. Instead of apologising how about you make smarter decisions in the future and not purposely do this?

I don’t agree with this at all. It’s the responsibility of server owners to run their servers in a secure manner. They should be aware of exploits.

The only way you can blame OP is if he abuses the exploits and continuously uses them.

Awareness is not a bad thing!

To @ioerror; these NUI exploits on mellotrainer are known. There is a post on the forum explaining this. It’s the exact same as what you described. In other words, this is not something new. It can also not me patched by FiveM and is 100% the responsibility of server owners/developers.
If you would be so kind, contact the creators of the resources you’ve found are insecure and make them aware of the exploit so they have the chance to fix it. Also tell them how you do it. This would benefit everyone.

Yeah. I probably put that in bad context Otherwise all good points I can agree with. I probably took too much of an attack approach then a different one, based off of a couple of things said in OP. But ayy it’s a discussion forum right

It may or may not be clear but, we speak english. Why were those people in our discord? They were “victims” of this easy exploit.

Either that or, fix it!

Once again, not just him. One person would take to long to inform people.

Certain elements were already aware of this (not 100% sure but, pretty positive

Why would post regarding good security practices be deleted? If your server took minutes, even seconds to cheat on, wouldn’t you like to know how to fix it?

Well, it is. No one is forcing them to install things. They install what they want at their own will. Therefore, it is their responsibility to be away of what they are putting in to their server.

So you don’t want people to fix their scuffed servers?

How exactly does this exploit work? (Dont actually tell me. It was just a nice question to make sure I knew I read the topic right) It sounds to me you guys are triggering unsecure trigger events from the client? Which if that is the case that would be 100% the developers fault for not doing client checks when the server event is triggered or the server owners fault for not being more aware of the resources they put into their servers.

For most of it, we’re simply using the built in CEF tools and executing JS posts that are clearly inside the client side scripts with zero checks.

The problem is, there was a post about esx_spectate MONTHS ago… right now, 292 servers are still using it. In that same post, mellotrainer was mentioned… 283 servers are still using it…

These aren’t the only ones affected by such an easy exploit. It’s obvious to spot.

Ah. Well thats pretty much the same thing as to using a tool to trigger events then. Its honestly just bad resources.

So FiveM is responsible for servers not paying attention to their resources and just because they didnt remove the resource or not allow the resource to be used on their servers?

Would have loved to see a post concerning the callback code in question compared with the code that can exploit it. Perhaps in one of your upcoming posts that you mentioned.

No. FiveM is in no way “responsible”. Responsibility is in no way anyone but the server owner’s. My response to FAXES pretty much is here, again

In laymans terms : The server owner should’ve read the code and simply realized hey, why does this client side script have kick features?

The main cause to this is rushed scripts. Some people just have an idea, do it as fast as possible, and just post it.

Well I mean FiveM is an open community where sharing is everything no matter if the resource has issues or not. When I say “Responsible” in the original topic he talks about getting rid of certain resources as a “patch” which is why I thought you guys were trying to say (since you both are doing the same thing) that FiveM not “patching” this is a bad thing but going further most of the FiveM server owners dont even know what code is (I dont know why they are an owner at this point. dont ask me as I got no clue why) but going on I honestly doubt anything is done to those resources that are allowing such exploits. The server owners or even the devs should have been more aware on the forums when people started calling out MelloTrainer the first time. Especially if they aren’t the type of owner that can write code and check resources before implementing and if the person installing resources is unaware these issues can happen on bad resources they DEFINATELY shouldnt be in charge of installing them

Well, in our official unofficial hamcord unofficial official server, we essentially say hey, here are vulnerable servers (memeable servers) that we’ve been on and a channel for hey, how do I fix this.

[quote=“ioerror, post:1, topic:342594, full:true”]we went around to every server with this vulnerability and kicked the entire server with a message displaying our discord, which had channels in it explaining how to fix it.
[/quote]

Weird, cause when this happen to the server I play on, all we got was a message that said HamMafia and then a few racial slurs.

It’s adorable that you think you’re some white knight hacker though.

I believe a few of you have the wrong idea about the message behind this; we did this to bring awareness to the community that this sort of thing can happen and will happen when you’re not being smart, as well as to have a basis for which to write a series of informative threads off that will benefit the community in the long run. Not everyone here is a professional full time developer and that is OK . It is important that people in the community are exploiting with the intent to better understand the security of this platform and informing others of its flaws so that the developers can either patch these issues, or server owners can implement their own fixes. Posting a big topic entirely based on these ideas including best practices with examples later for the purpose of education, not for the purpose of discussing my own moral compass. I’ll link that here when it’s up.

Yeah. I mean there are a lot of people here on the forums that arent even developers irl and can understand the basics to be able to check if a resource has server event check issues.

The FiveM platform is not the issue. You guys are just exploiting servers. The base platform isnt even being touched. Basically if you think going around and kicking people from their servers is helping then I believe you guys have the wrong idea… You guys 100% knew that the exploits were gonna work on their servers. Why use the exploit instead of just contacting them and helping them fix it. While I understand you guys are making an attempt to fix servers that have flaws at the same time you guys are ruining their experience as a whole.

I never said the issue was with the platform it’s self, but in reality it is an exploit through tools given to us by the FiveM platform. Why not just tell them? We’ve tried, and this was far more fun. Again - this is not a discussion about the morale compass of myself or the others associated. This topic was created to inform others of a flaw, take the information and use it or don’t - that’s up to you.

You said “the security of this platform”? I must have gotten confused.

Correct, referring to the platform’s use of lua as a base for developing your own custom experiences.

Lua is not the Base language on FiveM? Its just the most used as its easy to learn but they have other languages like C# or JS/TS that will have the same flaws if it doesnt have protected events.

I thought the CEF debugger was the issue not the language the resources were written in?