TrinityCore 3.3.5 exploit research menu

User Tag List

Results 1 to 1 of 1
  1. #1
    apac94's Avatar Member
    Reputation
    1
    Join Date
    Aug 2015
    Posts
    1
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    TrinityCore 3.3.5 exploit research

    Hello everyone!
    I was looking through the issues on the trinitycore github and found interesting (for me ) one: [Exploit/Dupe] Container item by robinsch . Pull Request #26689 . TrinityCore/TrinityCore . GitHub
    It's already fixed, but it became interesting for me to reproduce it on the code that was before the fix commits.
    As there is no description of how it should be reproduced, it remains only to make some assumptions on the changes made.
    Needless to say, I'm not good at C++ at all, but despite this, I was able to debug the code and do a little research.
    To fix this exploit, the [item_index] column was added to the [characters].[item_loot_items] table, the loot generation logic, and the query generation logic for deleting data from the database were also changed to handle the new column.
    As far as I could understand, there is no more usages for new itemIndex field of LootItem class but the loot generation in the method Loot::AddItem and deleting from DB in the method LootItemStorage::RemoveStoredLootItemForContainer.
    This field is not used in any validations on creating item/sending loot, it's only passed to the method LootItemStorage::RemoveStoredLootItemForContainer in the end of Player::StoreLootItem method, after loot packet sent to the client. Based on this, I concluded that the exploit is associated only with deleting the wrong row from the database.
    There are no restrictions for the table [characters].[item_loot_items] in the DB schema, like unique columns or composit keys, so it's theoretically possible to have two or more different items with same ID in the same container.
    So, let's take a look on
    DB query, generated BEFORE fix:
    Code:
    DELETE FROM item_loot_items WHERE container_id = 500 AND item_id = 33447 AND item_count = 5
    and DB query, generated AFTER fix:
    Code:
    DELETE FROM item_loot_items WHERE container_id = 500 AND item_id = 33447 AND item_count = 5 AND item_index = 8
    And if [characters].[item_loot_items] storing something like that (rows with item_index 5-8 manually inserted by me)
    container_id item_id item_count item_index
    500 33447 5 1
    500 33448 5 2
    500 40211 5 3
    500 41427 5 4
    500 33447 1 5
    500 33447 2 6
    500 33447 3 7
    500 33447 5 8
    And if in the loot window, we picked an item on the 8 position, most likely the first row instead of the eighth row will be deleted without a new field.
    Ok, maybe it didn't work as expected, but how can it be exploited?
    There are a few points that I don't see why this could somehow be used as an exploit:
    1. First of all, in commit description mentioned that it exploit works only for non-unique, non-stackable items. But when I debugged the code, i didn't notice any difference in handling stackable and non-stackable items, that dropped from the container. Because non-stackable items just have count 1, but not any special flag. And I can't fully understand, what does it mean non-unique? Is that flag 0x080000 Unique equipped (player can only have one equipped at the same time) or it's about [world].[item_template].[maxcount] field?
    2. Loot state processed independently of the database, and if we will pick 8-th item in the loot window, this item will be marked as is_Looted on the server side, and even if wrong row deleted from DB, we won't be able to get this item on more time and just get an error EQUIP_ERR_ALREADY_LOOTED
    3. The only time loot is loaded from the database is when the server is started. And if we are picked 8-th (because 8 = ∞ xD) item in the loot window, the first row deleted from DB, the server crashed or restarted, then the loot will not contain the item that was on the first row in the DB table, but we don't really benefit from it.
    4. I don't know is there a way to get loot from the container in the bag with two equal items in different slots.

    So, i'm stuck at this point and would be very grateful if someone has good comments on my statements or any ideas where to dig further.
    P.S. : sorry for my english

    These ads disappear when you log in.

Similar Threads

  1. WoW Classic Vanilla Exploit Wow Classic Exploit Guide
    By advanta in forum WoW Classic Exploits
    Replies: 6
    Last Post: 10-18-2019, 09:38 AM
  2. WoW Classic Vanilla Exploit Name Change Exploit
    By Ghowlish in forum WoW Classic Exploits
    Replies: 5
    Last Post: 09-18-2019, 07:15 AM
  3. WoW Classic Vanilla Exploit Classic WoW Respawn Exploit (Goretusk)
    By Johnde21 in forum WoW Classic Exploits
    Replies: 4
    Last Post: 08-30-2019, 07:37 AM
  4. Exploits Trinitycore rev.1571
    By zoom12 in forum WoW EMU Questions & Requests
    Replies: 0
    Last Post: 06-13-2009, 07:31 PM
All times are GMT -5. The time now is 11:25 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2022 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2022 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search