Item Dupe/Spawning Exploit

A guest came onto my server, and informed be that he could dupe an unlimited number of items. Then proceeded to create a huge number of diamond blocks from literally nothing. He was spawning them faster than I could remove them from his inventory. He could even wear blocks (even lava blocks) as helmets. He wasn't at all forthcoming about how he was doing this, and I eventually had to ban him. (He was also banned from another server for exactly the same thing).

Has this happened to anyone else? Do you have any idea how this could be happening? I checked all of my permissions just to be absolutely sure nobody had access to the /item or /give commands (they didn't, especially not guests). I am using the latest build of CraftBukkit, with Spout installed. Here are the rest of my plugins:



Is there are problem with one or more of these that I don't know about?

 

why didn't you just ban him, rather then remove them from his inventory, he was hacking.

 

Because:

1. I was trying to see if he could spawn items from nothing by making sure he started with an empty inventory (he could).

2. I was waiting to ban him to see if I could get him to talk (Worth a shot, regardless of the actual chances).

When you just ban people out of hand, you don't have any chance of learning useful information.

 

I guess. But why try remove them? Why not wait till he finishes then talk, or if you have a jail plugin, put him there so he can dupe but not affect the 'real world' then talk, learn and ban =D

 

If I had jailed or otherwise frozen him, it would have lowered his already nearly non-existent receptivity even more.

Anyway, this is all beside the point, and not helpful toward finding a reason and fix for this issue.

 

I would guess he found a way to exploit Spoutcraft.
Did other people without Spoutcraft seen his lavahelmet?

 

He did not log on using Spoutcraft. Here is the log from about one minute before the incident:

Code:

[INFO] MCBans: Malchus has connected!
2011-08-28 11:35:40 [INFO] Malchus [/65.31.126.98:33042] logged in with entity id 53509788 at ([world] 2857.0855717218, 15.0, 1501.300000011921)
2011-08-28 11:35:46

 

and he didn't done any interactions with blocks or something?
(for example it looks like duping, using Pistons still work, but don't know if bukkit fixed that http://www.youtube.com/watch?v=zT2Srr_v2hM )

 

No. He was standing right in front of me at spawn spontaneously producing the blocks in extremely large numbers. He produced over a stack and a half of diamond blocks in less than 10 seconds.

 

Check to make sure people cant use stuff like /unlimited, etc. as that is a common permission exploit I've heard of.

 

I don't have any plugins that contain that command.

 

he must have permissions for some command that he should have or else he is in the ops.txt. its not possible to hack items from the client anymore because inventory is server side.

 

Well, I am telling you, he was. He is neither in the Ops.txt (why would he be) nor did he have any permissions that he should not have. I am not a fool and I have been doing this too long to overlook such fundamental things.

 

Ok dont attack me. Sorry i dont to background research on every person I reply to.
He must have some permission. I cant think of any other reason tbh.

 

was he using a hacked client ?

 

I am thinking that it had to be a hacked client, because otherwise how did he get the lava tile on his head? I know you used to be able to do this by overfilling your inventory, but to my knowledge it doesn't work that way anymore. (Indeed, I tested it on myself in several different ways, including using the console directly, but couldn't get it to work).

The only other thing I can think of is some kind of terrible flaw in one of my plugins.

 

So, he logged on with one of his alts today and was doing the exact same thing. I noted that this alt was also banned from another server for not only unrestricted duping, but kicking mods and admins as well. I used Hawkeye to check his used commands, but found nothing, so it's gotta be some kind of high-end hacked client and/or severe plugin issue. Within seconds of logging on, he already had 21 diamond blocks in his inventory.

 

He obviously is getting permissions through some plugin you have. See if you can find the other server that he was doing this on and figure out what mutual plugins you have, then talk to a Bukkit team member or a plugin dev to look thorough the source for anything that can do anything like this (I could do this if I have the time).

 

I already tried that. In fact, it was the *very* first thing I did. But unfortunately, the other server seems to no longer exist. It's extremely frustrating. I also wonder what is so terribly wrong with one of my plugins that it would allow a person to spawn an unlimited number of items from nothing, using no commands, with no permissions or privileges at all. (That I can tell).

I know absolutely nothing about Java, or about programming / network protocols / Minecraft/Bukkit internal functioning at all, so I could never figure this out on my own. Even if I had help, we'd have to scan every almost every single plugin to find the issue.

 

That's really odd. It's not widespread, otherwise we'd hear a lot more about it.

 

I suggest you go through all your plugins that allow players to give and then using an account thats not admin or op and see if you can use any commands because some plugins may not be reading the new permissions system properly and just thinking everyone is admin. I will have a look on hack forums because if its a hacked client they will have news on it. Btw did it say anyone is giving anything in the server log.

Ooh btw, he will probably just stop if you remove mcbans or atleast make sure your not on the public server list. Because like aVo alot of their fan boys attack mcbans servers.

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

We are not on the public server list, and haven't been for a very long time. Also, neither of these instances had any commands logged, not on the console, not in the server.log, and not by Hawkeye. I've checked this very thoroughly.

And I definitely won't remove MCBans. If it hadn't been for MCBans, I wouldn't have known that the person who logged on was actually one of his alternate accounts.

 

i have an question unrelated, but why do you have so many plugins that do the same thing or remove functions from other plugins that you have installed?

 

Because some things don't have enough functionality and/or customizability by themselves. For example, I can set up warps with CommandBook, but with xWarp, not only can I do that, but I can make them public or private, assign them to individual people, and edit multiple parameters related to them. Same thing with Tele++ and MyHome. I can do some basic Minecart stuff with Falsebook, but I keep Minecart Mania because it is far more comprehensive. Same thing with Elevators. There are a lot of things I can do with the Elevators plugin that I can *not* do with normal lifts.

As for removing functions from other plugins, I am not sure which plugins you are referring to, but I would be glad to know. (Being absolutely serious here).

 

CommandBook has warps? Where'd you download this version of CommandBook?

 

It was a dev build that I downloaded a while back when the current version completely failed to work with the latest Craftbukkit. It was interfering with xWarp so I had to edit its plugin.yml directly to change the command.

I most definitely got it from a legitimate source, if that's what you're getting at.

http://build.sk89q.com/job/CommandBook/

 

No, I just want to get a version that'll work with SuperPerms. The current one isn't working with PEX in my setup. Thanks for the Jenkins link.

Meh. Still not working.

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

Huh. I can send you the one I am using personally, because I know for sure it works.

http://dl.dropbox.com/u/35930137/Commandbook-1.5.3-dev-PEX.zip

EDIT by Moderator: merged posts, please use the edit button instead of double posting.

 

I saw a video a while back of people duping tnt by placing it in world guard regions that blocked building, when they placed a block it gave them two back, not sure if that's what he did though.

 

Could you tell me what your Permissions file looks like? Just one section with the relevant commandbook.something node.

Also, I'm really sorry for hijacking your thread. Fell free to PM me.