feat(upstream): recent exploit fix

Rushaway · web-flow · commit 086510ffa7e8 · 2025-05-07T22:07:06.000+02:00
https://github.com/SilvDev/Spray_Exploit/blob/main/scripting/spray_exploit_fixer.sp
diff --git a/addons/sourcemod/scripting/FixSprayExploit.sp b/addons/sourcemod/scripting/FixSprayExploit.sp
@@ -1,6 +1,6 @@
 /*
 *	Spray Exploit Fixer
-*	Copyright (C) 2024 Silvers
+*	Copyright (C) 2025 Silvers
 *
 *	This program is free software: you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
@@ -32,19 +32,26 @@
 ========================================================================================
 	Change Log:
 
-2.25 (28-Jan-2024)
-	- Fixed memory leak caused by clearing StringMap/ArrayList data instead of deleting.
-2.24 (17-Jul-2023)
-	- Now less check of GetClientAuthId by storing them. Thanks to ".Rushaway".
+2.25 (04-Jan-2025)
+	- Changes to the recent exploit fix. Thanks to "Madness (null138)" for fixing and reporting.
 
-2.23 (01-Apr-2023)
-	- Now only TestClient depending cvar
-	- Now ban lenght can be adjusted via cvar
+2.24 (14-Dec-2024)
+	- Added forward "OnSprayExploit" for 3rd party plugins. Requested by ".Rushaway".
+	- Fixed another Spray exploit. Thanks to "Madness (null138)" for fixing and reporting.
 
-2.22 (19-Feb-2023)
-	- Now prevents even more log spamming duplicate entries. Thanks to ".Rushaway" for reporting.
+2.23 (05-Nov-2024) - Update by ".Rushaway"
+	- Added cvar "spray_exploit_fixer_punish" to specify which exploits to test for.
+	- Added cvar "spray_exploit_fixer_bantime" to set the ban length.
+	- Now less checks of GetClientAuthId by storing them.
+	- Switch to Steam3 format for AuthID.
+	- Fixed g_smWaiting not removing data for unverified clients.
+	- Prevent g_smWaiting not removing data if client was already disconnected.
+	- LogAction now print infos even if client is not verified.
+
+2.22 (28-Jan-2024)
+	- Fixed memory leak caused by clearing StringMap/ArrayList data instead of deleting.
 
-2.21 (22-Jan-2023)
+2.21 (19-Feb-2023)
 	- Now prevents even more log spamming duplicate entries. Thanks to ".Rushaway" for reporting.
 
 2.20 (20-Jan-2023)
@@ -116,7 +123,7 @@
 	- Changes to fix warnings when compiling on SourceMod 1.11.
 
 2.2 (30-Jun-2021)
-	- Fixed another Spray exploit. Thanks to "Madness (null138)" for fixing and reporting.
+	- Fixed another spray exploit. Thanks to "Madness (null138)" for fixing and reporting.
 
 2.1 (31-Mar-2021)
 	- Added a check for "sm_sprays_allowed" in the command admin_overrides.cfg to only allow specific flag groups to use sprays.
@@ -180,7 +187,7 @@
 
 
 #define MAX_READ		50
-#define TIMEOUT_LOG		5.0
+#define TIMEOUT_LOG		10.0
 #define PATH_BACKUP		"backup_sprays"
 
 int g_iVal[] = {86,84,70,0,7,0,0,0,42,0,0,0,42,0,0,0,42,42,42,42,42,42,42,42,42,42,42,0,0,0,0,0,0,0,0,0};
@@ -204,6 +211,7 @@ bool g_bProc;
 bool g_bDecal;
 bool g_bSourceBans;
 bool g_bMaterialAdmin;
+GlobalForward g_hExploit;
 
 
 
@@ -235,6 +243,8 @@ public APLRes AskPluginLoad2(Handle myself, bool late, char[] error, int err_max
 	g_iEngine = GetEngineVersion();
 	g_bLate = late;
 
+	g_hExploit = new GlobalForward("OnSprayExploit", ET_Ignore, Param_Cell, Param_Cell, Param_Cell);
+
 	return APLRes_Success;
 }
 
@@ -271,17 +281,17 @@ public void OnPluginStart()
 	}
 
 	CreateConVar(						"spray_exploit_fixer",			PLUGIN_VERSION,		"Spray Exploit Fixer plugin version.", FCVAR_DONTRECORD);
-	g_hCvarPunish 	= CreateConVar(		"spray_exploit_fixer_punish_client",	"0",		"0=Off. 1=PlayerDecal. 2=FileCheck. 3=Both. Run the TestClient function");
+	g_hCvarPunish 	= CreateConVar(		"spray_exploit_fixer_punish",	"3",				"0=Off. 1=PlayerDecal. 2=FileCheck. 3=Both. Which exploits to test for.");
 	if( g_iEngine != Engine_TF2 )
 	{
-		g_hCvarBan 		= CreateConVar(	"spray_exploit_fixer_ban",		"0",				"0=Off. 1=Ban users who trigger invalid sprays (may still be some false positives).");
-		g_hCvarKick 	= CreateConVar(	"spray_exploit_fixer_kick",		"0",				"0=Off. 1=Kick users who trigger invalid sprays (may still be some false positives).");
-		g_hCvarBanTime 	= CreateConVar( "spray_exploit_fixer_bantime",  "5", 				"0=Perm. Ban time (in minutes)");
+		g_hCvarBan = CreateConVar(		"spray_exploit_fixer_ban",		"0",				"0=Off. 1=Ban users who trigger invalid sprays (may still be some false positives).");
+		g_hCvarKick = CreateConVar(		"spray_exploit_fixer_kick",		"0",				"0=Off. 1=Kick users who trigger invalid sprays (may still be some false positives).");
+		g_hCvarBanTime 	= CreateConVar( "spray_exploit_fixer_bantime",	"5", 				"0=Permanent. Ban time (in minutes).");
 	}
-	g_hCvarLog = CreateConVar(		"spray_exploit_fixer_log",		"1",				"Logging saved to sourcemod/logs/spray_downloads.log: 0=Off. 1=Log all user uploads. 2=Log invalid sprays only.");
-	g_hCvarMsg = CreateConVar(		"spray_exploit_fixer_msg",		"1",				"Print to server console: 0=Off. 1=Missing sprays and invalid sprays. 2=Only invalid sprays.");
-	g_hCvarPath = CreateConVar(		"spray_exploit_fixer_path",		g_sDownloads,		"Path to the downloads folder of sprays. Add /cc/ if sprays are stored in individual 2 character folders. Must contain trailing / slash.");
-	AutoExecConfig(true,			"spray_exploit_fixer");
+	g_hCvarLog = CreateConVar(			"spray_exploit_fixer_log",		"1",				"Logging saved to sourcemod/logs/spray_downloads.log: 0=Off. 1=Log all user uploads. 2=Log invalid sprays only.");
+	g_hCvarMsg = CreateConVar(			"spray_exploit_fixer_msg",		"1",				"Print to server console: 0=Off. 1=Missing sprays and invalid sprays. 2=Only invalid sprays.");
+	g_hCvarPath = CreateConVar(			"spray_exploit_fixer_path",		g_sDownloads,		"Path to the downloads folder of sprays. Add /cc/ if sprays are stored in individual 2 character folders. Must contain trailing / slash.");
+	AutoExecConfig(true,				"spray_exploit_fixer");
 	g_hCvarPath.AddChangeHook(ConVarChanged_Cvars);
 
 	g_smChecked = new StringMap();
@@ -326,11 +336,11 @@ public Action OnPlayerRunCmd(int client, int &buttons, int &impulse, float vel[3
 public void OnClientPutInServer(int client)
 {
 	char sSteamID[64];
-	GetClientAuthId(client, AuthId_Steam2, sSteamID, sizeof(sSteamID));
+	GetClientAuthId(client, AuthId_Steam3, sSteamID, sizeof(sSteamID));
 	FormatEx(g_sAuth[client], sizeof(g_sAuth[]), "%s", sSteamID);
 
 	char sSteamIDUnverified[32];
-	GetClientAuthId(client, AuthId_Steam2, sSteamIDUnverified, sizeof(sSteamIDUnverified), false);
+	GetClientAuthId(client, AuthId_Steam3, sSteamIDUnverified, sizeof(sSteamIDUnverified), false);
 	FormatEx(g_sAuthUnverified[client], sizeof(g_sAuthUnverified[]), "%s", sSteamIDUnverified);
 }
 
@@ -343,23 +353,17 @@ public void OnClientConnected(int client)
 
 public void OnClientDisconnect(int client)
 {
-	if( !IsFakeClient(client) )
-	{
-		if( IsClientConnected(client) )
-		{
-			//static char auth[32];
-			//GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth), false);
-			g_smWaiting.Remove(g_sAuthUnverified[client]);
-		}
-
-		g_smChecked.Remove(g_sPath1[client]);
-		g_smReceive.Remove(g_sPath1[client]);
-		g_smChecked.Remove(g_sPath2[client]);
-		g_smReceive.Remove(g_sPath2[client]);
-	}
+	if( IsFakeClient(client) ) return;
+	
+	g_smWaiting.Remove(g_sAuthUnverified[client]);
+	g_smChecked.Remove(g_sPath1[client]);
+	g_smReceive.Remove(g_sPath1[client]);
+	g_smChecked.Remove(g_sPath2[client]);
+	g_smReceive.Remove(g_sPath2[client]);
 
-	FormatEx(g_sAuth[client], sizeof(g_sAuth[]), "");
-	FormatEx(g_sAuthUnverified[client], sizeof(g_sAuthUnverified[]), "");
+	g_sAuth[client][0] = 0;
+	g_sAuth[client][6] = 0;
+	g_sAuthUnverified[client][0] = 0;
 
 	/*
 	static char sPath[PLATFORM_MAX_PATH];
@@ -426,6 +430,7 @@ public void OnClientDisconnect(int client)
 public void OnMapEnd()
 {
 	MoveSprays();
+
 	// .Clear() is creating a memory leak
 	// g_smReceive.Clear();
 	// g_smWaiting.Clear();
@@ -742,6 +747,10 @@ Action PlayerDecal(const char[] te_name, const int[] Players, int numClients, fl
 		return Plugin_Continue;
 	}
 
+	// Here because of error: "No TempEntity call is in progress" - Must have taken too long in this function when placed with the vPos use below and become invalid
+	float vPos[3];
+	TE_ReadVector("m_vecOrigin", vPos);
+
 	g_sFilename[0] = 0;
 	GetPlayerDecalFile(client, g_sFilename, sizeof(g_sFilename));
 
@@ -767,16 +776,10 @@ Action PlayerDecal(const char[] te_name, const int[] Players, int numClients, fl
 	if( !val )
 	{
 		static char auth[64];
-		//GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth));
 		if ( g_sAuth[client][6] == 'I' )
-		{
-			//GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth), false);
 			Format(auth, sizeof(auth), "Unverified: %s", g_sAuthUnverified[client]);
-		}
 		else
-		{
 			Format(auth, sizeof(auth), "%s", g_sAuth[client]);
-		}
 
 		if( FileExists(g_sFilename) )
 		{
@@ -792,17 +795,16 @@ Action PlayerDecal(const char[] te_name, const int[] Players, int numClients, fl
 		}
 		else
 		{
-			if( GetGameTime() - g_fSprayed[client] > TIMEOUT_LOG && !g_smWaiting.GetValue(auth, val) )
+			if( GetGameTime() - g_fSprayed[client] > TIMEOUT_LOG && !g_smWaiting.GetValue(g_sAuthUnverified[client], val) )
 			{
 				g_fSprayed[client] = GetGameTime();
-				g_smWaiting.SetValue(auth, true);
+				g_smWaiting.SetValue(g_sAuthUnverified[client], true);
+
 				if( g_hCvarLog.IntValue ) LogCustom("Blocked unchecked spray - missing file: %s from (%N) [%s]", g_sFilename, client, auth);
 				if( g_hCvarMsg.IntValue == 1 ) PrintToServer("[Spray Exploit] Blocked unchecked spray - missing file: %s from (%N) [%s]", g_sFilename, client, auth);
 			}
 		}
 
-		float vPos[3];
-		TE_ReadVector("m_vecOrigin", vPos);
 		DataPack hPack = new DataPack();
 		hPack.WriteCell(GetClientUserId(client));
 		hPack.WriteFloat(vPos[0]);
@@ -888,13 +890,13 @@ void TestClient(int client)
 			else
 				BanClient(client, iDuration, BANFLAG_AUTO, "Invalid spray");
 
-			LogAction(client, -1, "[Spray Exploit] %L Banned %d minutes for invalid Spray", client, iDuration);
+			LogAction(client, -1, "[Spray Exploit] %N %s was banned %d minutes for invalid Spray", client, g_sAuthUnverified[client], iDuration);
 			return;
 		}
 		else if( g_hCvarKick.IntValue )
 		{
 			KickClient(client, "Invalid spray. Please change it");
-			LogAction(client, -1, "[Spray Exploit] %L was kicked for invalid Spray.", client);
+			LogAction(client, -1, "[Spray Exploit] %N %s was kicked for invalid Spray.", client, g_sAuthUnverified[client]);
 			return;
 		}
 	}
@@ -939,16 +941,10 @@ public Action OnFileReceive(int client, const char[] sFile)
 		if( client )
 		{
 			static char auth[64];
-			//GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth));
 			if ( g_sAuth[client][6] == 'I' )
-			{
-				//GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth), false);
 				Format(auth, sizeof(auth), "Unverified: %s", g_sAuthUnverified[client]);
-			}
 			else
-			{
 				Format(auth, sizeof(auth), "%s", g_sAuth[client]);
-			}
 
 			LogCustom("File received: %s from (%N) [%s]", sFile, client, auth);
 		}
@@ -1009,16 +1005,10 @@ void FileCheck()
 					if( client )
 					{
 						static char auth[64];
-						//GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth));
 						if ( g_sAuth[client][6] == 'I' )
-						{
-							//GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth), false);
 							Format(auth, sizeof(auth), "Unverified: %s", g_sAuthUnverified[client]);
-						}
 						else
-						{
 							Format(auth, sizeof(auth), "%s", g_sAuth[client]);
-						}
 
 						if( g_hCvarLog.IntValue ) LogCustom("Invalid spray: %s from (%N) [%s]", g_sFilename, client, auth);
 						if( g_hCvarMsg.IntValue ) PrintToServer("[Spray Exploit] Invalid spray: %s: %02d (%02X <> %02X) from (%N) [%s]", g_sFilename, i, iRead[i], g_iVal[i], client, auth);
@@ -1027,6 +1017,12 @@ void FileCheck()
 						if( g_hCvarMsg.IntValue ) PrintToServer("[Spray Exploit] Invalid spray: %s: %02d (%02X <> %02X)", g_sFilename, i, iRead[i], g_iVal[i]);
 					}
 
+					Call_StartForward(g_hExploit);
+					Call_PushCell(client);
+					Call_PushCell(i);
+					Call_PushCell(iRead[i]);
+					Call_Finish();
+
 					if( g_hCvarPunish.IntValue >= 2 )
 						TestClient(client);
 
@@ -1052,6 +1048,11 @@ int ValFile(int iRead[sizeof(g_iVal)])
 		return -1;
 	}
 
+	if( iRead[16] == 80 && iRead[24] > 1 )
+	{
+		return 24;
+	}
+
 	char bytes[10];
 	bool read = true;
 	int n;
