How to create a Remote Execution
Many people can write a basic remote execution using some of the commands I listed earlier; it is not the most complex SQF. What really trips people up are BattlEye filters. Some server owners don’t fully understand how they work and write filters that leave openings, and some cheaters don’t understand why they are getting flagged. As a disclaimer, I will note that it is extremely difficult to get around the BattlEye filters of a server whose owners have put time and effort into them. At a certain point you will burn more banned accounts trying to get past the remote execution filters of a server like GrandTheftArma than it is worth. The reason I say that is that 99% of the remote executions that succeed and do work are still logged on the server. So once you start using a remote execution, it has only a finite lifespan before many servers start flagging it. You’ll need to be crafty and pick your targets well.
I like to start by targeting frameworks that are open source or have been leaked to the public. Often this is Altis Life together with a recent leak of infiSTAR’s BattlEye filters for Life. This way I can see all the code available to me and all of the limitations applied to me: “Oh look, the function buyHouse is allowed to be remotely executed, and here is an exploit where I can force it to execute some of my code!”. I think the difficulty of creating a remote execution depends on how much of the code and how many of the BattlEye filters you can read, with the code having the bigger impact. The more code a server or mod runs, the more likely the developers are to have made a mistake, and one mistake is a remote execution vulnerability. Let me try to clarify that point with a few examples.
Say you want to create a remote execution for an Altis Life server. We can safely assume it is built on the Life framework, but it has been heavily modified. We also know it runs infiSTAR’s anticheat, so we have a ground floor to start from: the mission code is probably close to the Life framework, but it is obfuscated, so it is not that easy to read, and the filters are probably similar to infiSTAR’s. Creating a remote execution for this server will be slightly easier than creating one for, say, a modded Life server that is not open source, because this server is at least built on an open source project.
A great example I like to point out in Altis Life is my exploit for the whoDoneIt function. If we look at the MPEventHandler BattlEye filters here, we see that the code _this call fn_whoDoneIt is allowed to be executed through the MPEventHandler functionality. My exploit was: if I can set the value of the fn_whoDoneIt function on every machine, I can use an MPEventHandler and this filter exception to execute it. We can see here, on L20 of the server init script, that fn_whoDoneIt is not created with compileFinal, meaning we can overwrite it. So the challenge became how to set this value on remote machines. To figure that out, I would look at the existing functions (maybe one exists that will let me set the value of a variable on a remote machine?) and at the BattlEye filters. Just while writing this, I think I see a way to set the value, so I’ll leave it as an exercise to the reader to identify a possible vulnerability and try it out.
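To make the filter mechanics from the opening paragraph and the whoDoneIt example concrete (why the exact string _this call fn_whoDoneIt passes the filter while anything appended to it is kicked, and how a loosely written exception reopens the hole), here is an added Python model of a BattlEye filter file such as mpeventhandler.txt. This is example code written for this page; it is not the page's, infiSTAR's or BattlEye's code. It assumes the usual rule shape `<action> "<regex>" [!"<regex>" | !="<exact>" ...]`, that the leading number is the bitmask 1 = log to file, 2 = kick, 4 = log to console, that patterns contain no embedded quotes, and that Python's `re` is a close enough stand-in for BattlEye's regex engine. The two filter files and the payloads are constructed for illustration and are not taken from any real server.

```python
"""Minimal model of a BattlEye filter file (e.g. mpeventhandler.txt).

Added example, not code from the page, infiSTAR or BattlEye. Assumptions:
each rule is `<action> "<regex>" [!"<regex>"|!="<exact>" ...]`, the leading
number is the bitmask 1 = log to file, 2 = kick, 4 = log to console, patterns
contain no embedded quotes, and Python's `re` stands in for BattlEye's regex
engine.
"""
import re
from dataclasses import dataclass, field

LOG_FILE, KICK, LOG_CONSOLE = 1, 2, 4  # assumed meaning of the action bits

# One quoted token with an optional "!" (regex exception) or "!=" (exact exception) prefix.
_TOKEN = re.compile(r'(!=|!)?"([^"]*)"')


@dataclass
class Rule:
    action: int
    pattern: str  # regex searched anywhere in the script; "" matches everything
    regex_exceptions: list = field(default_factory=list)  # !"..."  searched in the script
    exact_exceptions: list = field(default_factory=list)  # !="..." must equal the whole script


def parse_rule(line: str):
    """Parse one filter line; returns None for blank lines and // comments."""
    line = line.strip()
    if not line or line.startswith("//"):
        return None
    head, _, rest = line.partition(" ")
    tokens = _TOKEN.findall(rest)
    if not tokens or tokens[0][0]:
        raise ValueError(f"rule needs a leading main pattern: {line!r}")
    rule = Rule(action=int(head), pattern=tokens[0][1])
    for prefix, text in tokens[1:]:
        if prefix == "!=":
            rule.exact_exceptions.append(text)
        elif prefix == "!":
            rule.regex_exceptions.append(text)
        else:
            raise ValueError(f"only one main pattern per rule: {line!r}")
    return rule


def parse_filter(text: str):
    """Parse a whole filter file into its rules, dropping comments and blanks."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def rule_fires(rule: Rule, script: str) -> bool:
    """A rule fires when its pattern matches and no exception excuses the script."""
    if re.search(rule.pattern, script) is None:
        return False
    if script in rule.exact_exceptions:  # !="..." requires the whole string to match
        return False
    return not any(re.search(exc, script) for exc in rule.regex_exceptions)


def evaluate(rules, script: str):
    """Return (combined action bits, 1-based indices of the rules that fired).

    Every firing rule is collected, not just the first one, so the result is a
    conservative superset of whatever a real engine would report.
    """
    fired = [i for i, r in enumerate(rules, 1) if rule_fires(r, script)]
    action = 0
    for i in fired:
        action |= rules[i - 1].action
    return action, fired


# Constructed filter files (not from any real server). Both intend to allow only
# the handler call discussed on the page and kick everything else.
STRICT = parse_filter('''//new
7 "" !="_this call fn_whoDoneIt"
''')
# Same intent, but the exception is an unanchored regex instead of an exact match.
SLOPPY = parse_filter('''//new
7 "" !"_this call fn_whoDoneIt"
''')

ALLOWED = "_this call fn_whoDoneIt"                        # the whitelisted string
APPENDED = '_this call fn_whoDoneIt; hint "injected"'     # attacker appends code


if __name__ == "__main__":
    for name, rules in (("strict", STRICT), ("sloppy", SLOPPY)):
        for script in (ALLOWED, APPENDED):
            action, fired = evaluate(rules, script)
            verdict = "kick" if action & KICK else "allow"
            print(f"{name:6} {verdict:5} rule(s) {fired} <- {script}")
```

Against the strict file the exact string is allowed and the appended payload is kicked, because `!=` compares the whole string. Against the sloppy file the appended payload is also allowed, because an unanchored `!"..."` exception excuses any script that merely contains the allowed text; this is the kind of filter mistake the opening paragraph refers to. Note also what even the strict filter cannot see: it only inspects the string handed to the event handler, not what fn_whoDoneIt points at on the machine that runs it. If that function has been overwritten because it was never made compileFinal, the whitelisted string runs the attacker's code, which is the whole point of the whoDoneIt example.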