No disrespect intended but you have no idea what you are speaking about. The custom "texture", whether that be a .BMP, .jpg,.gif,etc. can be injected with any code you want. This not only can then be selected as a spray paint (which then transports to the server and is stored in cache which is redistributed to the clients and then rendered on their screens), but also as a weapons skin, model skin, or texture stored in a .bsp wad file.
These files can be manipulated by injection of whatever code you want. Suggest you research code injections into graphical files. And learn networking, software, and operating system environments. Then study NetSec/ITSec. This is an old way to hack computers. And go especially with its market of weapon skins, and any hl mod with the spray paints, are especially vulnerable. This isn't even touching on the non encrypted UDP packet data that also can be injected. So please research and know the field before speaking opinions not grounded in education. -StealthMode On Oct 9, 2017 19:57, "Francois Dupont" <[email protected]> wrote: > PoC||GTFO Chris. I mean despite the fact that clients don't upload > textures, that you think it is a possible vector for a batch file to be > executed after simply being put into memory shows how clueless you are. If > you have anything productive please post, otherwise stop abusing computer > security vernacular. > > -nfbush > > On 9 Oct 2017 11:47 p.m., "Stealth Mode" <[email protected]> > wrote: > >> Like literally, I could place an autoexec batch script in a spraypaint, >> or a weapon skin, or any custom file. And once it hits memory (server >> cache) it will execute whatever is wanted. >> >> On Mon, Oct 9, 2017 at 11:59 AM, iNilo <[email protected]> wrote: >> >>> Sure, >>> >>> But you have anything to back this up? (don't take it the wrong way) >>> >>> Nilo. >>> >>> 2017-10-09 16:54 GMT+02:00 Stealth Mode <[email protected]>: >>> >>>> Headsup admins/owners. Might want to disable custom files till valve >>>> addresses this issue brought to their attention a month ago. >>>> There is an exploit where any client with minor skill can inject custom >>>> files with all types of malicious code. From hacks in weapon skins, to >>>> ransomware in custom .bsp, to remote backdoors in custom spray paints. >>>> >>>> The exploit is injecting code into any image, sound, or data file. You >>>> can take weapon skins (csgo), sound files, spray paint image files, even >>>> .bsp/etc. and inject hack code, or actual ransomware, viruses, or >>>> Trojans/rootkits directly into a server cache, or client cache via the >>>> custom file. >>>> >>>> Might want to disable custom files till valve decides to correct this >>>> issue. >>>> >>>> -StealthMode >>>> >>>> _______________________________________________ >>>> Csgo_servers mailing list >>>> [email protected] >>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >>>> >>> >>> >>> _______________________________________________ >>> Csgo_servers mailing list >>> [email protected] >>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >>> >> >> >> _______________________________________________ >> Csgo_servers mailing list >> [email protected] >> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >> > > _______________________________________________ > Csgo_servers mailing list > [email protected] > https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers >
_______________________________________________ Csgo_servers mailing list [email protected] https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
