I kinda agree with this cause it would be nice to see everyone's exploit in a single section with its own standard/requirements, like virustotal, previews, and descriptions of the "features"

But, imo this website is mostly for ppl to hang around so it aint necessarily gonna get much user traffic 

Well, I as a normal human being yk we curious... so, I went ahead and scooped around to find out what this event was about. After a couple of minutes I landed on v3rmillion. There I found out the APIs ACE vulnerability is pretty serious. Also, WRD's API was not the only affected.

Who were caught in this?

My perspective is that every exploit that has support for getrenv is currently in the scope of this exploit. These include: Script-Ware, KRNL, Synapse, WeAreDevs, etc.

The first three have reported to have fixed the issue.

What happened?

Someone found out a way to require a CorePackage, these are scripts that ROBLOX uses internally. And, to put into perspective they have system level of access (not sure). The author of the thread showed a video where he opened a URL in a browser from the Synapse Executor Window.

What can I do?

YOU MY FRIEND SHALL PANIC YOUR COMPUTER IS NOW MINE GOOD LUCK TRYING TO RECOVER THOSE COOKIE CLICKER POINTS CUZ NOW I HAVE YOUR ROBLOX COOKIES

SNIPPET (1)

local pack = assert(getrenv().require(game.CorePackages.UniversalApp.Linking.LinkingProtocol),"LinkingProtocol not found")

(innefficient vulnerability check on fix)

SNIPPET (2)

local MBS = game:GetService("MessageBusService")

local urlid = MBS:GetMessageId("Linking", "openURLRequest")

MBS:Publish(urlid, {url = "notepad.exe"})

(this opens a notepad window ono) [v3rm:cuck333]

SOURCE(s)

[MAJOR VULNERABILITY] [RELAUNCH SYNAPSE / OTHER EXPLOITS NOW] ACE/CE VULNERABILITY (www.v3rmillion.net)

@julisceaser19 I don't think this is roblox related lol

"Arbitrary code execution (ACE) is a form of cyber attack which allows the attacker to execute code in software or on hardware."

"Remote code execution (RCE) is an exploit that allows the code to be executed on a network."

(source: www.litigationsupporttipofthenight.com)

Found a better site: https://www.checkpoint.com/cyber-hub/cyber-security/what-is-remote-code-execution-rce/

Someone probably got system privileges through lua? idk

@x0f20 true, actual users would just copy and paste and hope it ain't patched

@Syraxes_ this is probably a force join, or he uses it for discord to popup the join server thing.

local json = {
   ["cmd"] = "INVITE_BROWSER",
   ["args"] = {
       ["code"] = "hsdcAFZY9E"
   },
   ["nonce"] = 'a'
}

ngl, this looks kinda professional. Something that Microsoft would make, just missing more spyware.

Hello everyone, I am here to present to you the ULTIMATE AND MAGNIFICENT SCRIPT QUERY SCRIPT!!!! Although, this glamorous script will only fetch the scripts listed in the scripts page, its core use is not too far from its vision. You see its usage is quite simple as shown below:

_G.ScriptSearchAPI:search('Dex'):GetCodeAsync(function(code)
  loadstring(code)()
end)

To fully experience its use, you are recommended to insert it into your "autoexec" folder

Further details & how to load it, can be found here: https://github.com/sound-infinity/script-query

What can I do with this?

1. Extend your command line GUI with another command!
2. Create a Script Hub
3. Etc.

(i made this for fun, so enjoy!)

@Klem Although this script is not that useful in the exploiting side of things, you know... because script devs are not actually gonna use. I have to say, this is a great and nice contribution.

@crazy_cat my bad... but essentially the comment still stands tho, probably Nihon doesn't use the API correctly, or they added a loop/timer.

This isn't a bug.

this is what happens on the code:

call LaunchExploit()

      -> call  IsUpdated()

          -> read IsPatched

          -> call DownloadFile()

      -> call Inject()

this will always download the latest update.

After a little testing I did, it worked just fine.

first I rewrote the script (cause that one you got looks bothers me lol):

local safe_http_request = request or http_request or (http and http.request) or (syn and syn.request)
assert(type(safe_http_request) == "function", "error: not able to do http request. function is undefined.")

local request = {
	Url = table.concat({
		"http://api.eclipsehub.xyz/auth",
		"?key=",
		tostring(mainKey or getgenv().mainKey),
	}),
	Headers = {
		["User-Agent"] = "Eclipse",
	},
}

local response = safe_http_request(request)
assert(response, "error: failed to fetch remote content!")
local response_body = response.Body
do

	local loader = loadstring(response_body)
	if type(loader) == "function" then
		local suc, msg = pcall(loader)
		if not suc then
			print("error:", msg)
		end
	else
		print("error: loader is not a function!")
        print("error: loader_str:", loader)
        print("error: response_str:", response_body)
	end
end

then:

1. navigated to "autoexec"
2. created file "eclipse.lua"
3. pasted my script
4. joined a game.
5. injected krnl

result:

The GUI loaded up and no errors were fired.

@Moon great features but in plain sight they're kinda unnecessary.

in my opinion:

from

• Go to "User Search" and search the user & view all their threads.
• Most threads you're interested in shouldn't go past their first page.

mentions

• Why would you need this? unless you are stalking somebody
• But from my little knowledge of coding, Jon would need to store the threadIds where they are mentioned. occupying more server storage though probably in kilobytes

before & after

• not really useful for this forum. Why would you look up old stuff?

Am not saying they are entirely useless but in the cases where they could be used in this forum seem kinda pointless.

@CJ99 First, what are the issues you have with Visual Code? What features are you looking for to develop exploit scripts?

In my opinion Visual Code is the best IDE for exploit scripts IF properly setup. Recently, I started to develop a script to interface with metatables and it helped me by a lot, provided me with documentation and static code check.  Also, its debugging function may not work, but that is because Roblox is a running client so you must use an exploit to actually test the scripts.

@Astronemi "terrible feature" lmao

@Ducxy wrdplus + betterwrd, don't conflict that much outside the UI side of things: https://i.ibb.co/6NBtRhR/betterwrd.png

(i also wouldnt recommend mixing them in later releases)