EasyCommandBlocker, developed by Ajneb97, is a plugin designed to prevent players from using tab-completion for commands they shouldn't access. The plugin uses messaging channels to synchronize data between the proxy and backend servers. However, a critical oversight occurs when the proxy lacks the corresponding plugin: the messaging channels remain accessible to players, creating a potential vulnerability.
The exploit works by sending a crafted plugin message through the channel ecb:channel. The attacker specifies their desired ActionsSubChannel in the first UTF field and constructs the second UTF field as "console_command: " + [command] , where [command] is the console command they wish to execute. This crafted message bypasses restrictions and forces the server to execute the specified command as if it were sent directly from the console. This vulnerability arises from the absence of proper validation on the proxy, allowing attackers to exploit accessible channels and execute unauthorized commands.
To use this exploit, you can use the proxy command in MCPTool and use the /ecb command. You can also use clients like MCPClient or ParadiseClient.