# BeeBox
### NOT THE BEES
#### AAAAAAAA
Conceptualization of a coordinate exploit for Minecraft using, you guessed it, bees (lmao)

Note: this information is primarily relevant to the anarchy Minecraft server [Constantiam](https://constantiam.net/) (website is still down as of writing, so here's a [link](https://www.reddit.com/r/constantiam/) to the subreddit)

## What the fuck, Bees????
No, this isn't a joke, you read that right, bees. Bees are the source of the coordinate exploit currently being used en masse on Constantiam. Here's how it was (and still is, at times!) executed, in brief.
1. A trade ad is put up looking for beehives or bee nests, with bees still in them, generally at outrageous margins and with the requirement that it be as fast as possible.
2. The victim gathers beehives from around their base, stash, or other builds.
3. The attacker completes the trade successfully, and uses `.nbt` or a similar command to view the NBT data of the bees inside the hive.
4. The attacker extracts all coordinate information from the bees inside the hive, and uses said information to hunt for a base with much greater accuracy than would otherwise be possible.
5. The attacker locates the base. Profit.

As you can see, this is a very simple attack. It requires no special mods or clients, as to my knowledge almost all utility clients currently available for 1.19.2 offer a way to view NBT data in game with little to no hassle, albeit generally horribly formatted. For that reason I have attached some *readable* NBT data so you can get a better understanding of how easy this is to actually do. Here is part of the NBT data from a real hive on Constantiam that shows some of the critical information available in it, albeit censored.

```java
{
  BlockEntityTag:
  {
    Bees:[
      {
        EntityData:
        {
          AbsorptionAmount:0.0f,
          Age:-20339,
          AgeLocked:0b,
          AngerTime:0,
          Attributes:
          [
            {Name:"minecraft:generic.max_health",Base:10.0d},
            {Name:"minecraft:generic.movement_speed",Base:0.30000001192092896d}
          ],
          Bukkit.Aware:1b,
          Bukkit.updateLevel:2,
          FlowerPos:
            {X:-1500,Y:69,Z:-1500}, // not real coords, nothing ever happened here, look away
          ForcedAge:0,
          HasNectar:0b,
          HasStung:0b,
          Health:10.0f,
          InLove:0,
          Invulnerable:0b,
          Paper.Origin:
            [CENSORED], // Redacted information
          Paper.OriginWorld:
            [CENSORED], // Redacted information
          Paper.SpawnReason:"BREEDING",
          PersistenceRequired:0b,
          Spigot.ticksLived:7265,
          WorldUUIDLeast:CENSORED, // Redacted information
          WorldUUIDMost:CENSORED, // Redacted information
          id:"minecraft:bee"
        },
        MinOccupationTicks:600,
        TicksInHive:479
      },
      // ... (excerpt ends here)
```

Some things to note:

1. There are __multiple__ sources of coordinate information available in the bee NBT data. Some of these are not vanilla sources! This means testing in singleplayer is not adequate to determine if any "bee laundering" method works.
2. The multiple sources include not only where the bee was made, but also the last flower said bee touched.
3. There *appears* to be no viable method to "launder" existing bees on Paper servers such as Constantiam, as they have origin coordinates stored in `Paper.Origin`, which states the exact location that the bee was first spawned. `Paper.OriginWorld` may also have similar information but is a four-datum variable, which looks more like a UUID. ~~That said, I don't know what it does aside from the name.~~ I have been told this is for labeling dimensions, as Paper now supports multiple dimensions.
4. The *only* place location data seems to show up, contrary to what the Minecraft wiki says, is in the bee NBT data. I could be wrong on this, of course, but it SEEMS that if you trade beehives that currently do not have bees in them, there will be no location data.
5. If you are really, really, *really* paranoid but still want to trade beehives, you can avoid all this fuss and concern by just crafting new beehives and not placing them. Any hives that don't have bees in them currently should be safe though.
6. Explorer maps (buried treasure, woodland mansion, etc.), according to the Minecraft wiki, MIGHT have similar information in them as well, so don't share those either if you can help it. Honestly not sure why you would in the first place?

### Am I safe?
Maybe. Ask yourself the following questions:
1. Have I traded any beehives?
   1. If no, you're 100% safe
2. Did those beehives have bees in them?
   1. If no, I'm 99% sure you're safe
3. Were those bees bred or generated at (or near) a sensitive location?
   1. If yes, that location is compromised
4. Where was the last place those bees were let out and might have seen a flower?
   1. Those locations are all potentially compromised, but could possibly be "laundered"

## This seems really stupid
I mean, yeah. Kinda is lmao
## Will Mojang fix this?
Probably not. For one, this is a very niche issue. It has 100% existed since 1.16 when bees were introduced, and seemingly hasn't been seen as a problem since then. It's likely they don't see it as a real issue, as they are not worried about the anarchy community.
## Will PaperMC fix this??
~~Maybe? They're certainly the best equipped. That said, this is, again, a very niche issue, and I don't see it at the top of their priority list. After all, you kinda have to... yknow... give the attacker a beehive with bees in it.~~

Update: another player has told me that this is a wontfix from PaperMC, so this almost certainly will not be fixed by them.
## Will Phantom fix this???
Possibly. I'm not sure of exactly how to do so, but feasibly you could hide all sensitive NBT data from the Minecraft client and things would still be completely fine. That said, knowing Phantom, it's likely he would break something in the process, and I would rather he not try. Just don't trade beehives with bees in them lmao.
## What NBT data should I look for?
You should 100% look at the following data to confirm things for your own safety. That said, there may be other bits of data in the NBT data that I'm missing because I'm an idiot.
- `FlowerPos`
- `Paper.Origin`
- `Paper.OriginWorld`
## Full NBT data for me to read pls?
Here you go!
```java
{
  BlockEntityTag:
  {
    Bees:[
      {
        EntityData:
        {
          AbsorptionAmount:0.0f,
          Age:-20339,
          AgeLocked:0b,
          AngerTime:0,
          Attributes:
          [
            {Name:"minecraft:generic.max_health",Base:10.0d},
            {Name:"minecraft:generic.movement_speed",Base:0.30000001192092896d}
          ],
          Bukkit.Aware:1b,
          Bukkit.updateLevel:2,
          FlowerPos:
            {X:-1500,Y:69,Z:-1500}, // not real coords, nothing ever happened here, look away
          ForcedAge:0,
          HasNectar:0b,
          HasStung:0b,
          Health:10.0f,
          InLove:0,
          Invulnerable:0b,
          Paper.Origin:
            [CENSORED], // Redacted information
          Paper.OriginWorld:
            [CENSORED], // Redacted information
          Paper.SpawnReason:"BREEDING",
          PersistenceRequired:0b,
          Spigot.ticksLived:7265,
          WorldUUIDLeast:CENSORED, // Redacted information
          WorldUUIDMost:CENSORED, // Redacted information
          id:"minecraft:bee"
        },
        MinOccupationTicks:600,
        TicksInHive:479
      },
      {
        EntityData:
        {
          AbsorptionAmount:0.0f,
          Age:-20339,
          AgeLocked:0b,
          AngerTime:0,
          Attributes:
          [
            {Name:"minecraft:generic.max_health",Base:10.0d},
            {Name:"minecraft:generic.movement_speed",Base:0.30000001192092896d}
          ],
          Bukkit.Aware:1b,
          Bukkit.updateLevel:2,
          ForcedAge:0,
          HasNectar:0b,
          HasStung:0b,
          Health:10.0f,
          InLove:0,
          Invulnerable:0b,
          Paper.Origin:
            [CENSORED], // Redacted information
          Paper.OriginWorld:
            [CENSORED], // Redacted information
          Paper.SpawnReason:"BREEDING",
          PersistenceRequired:0b,
          Spigot.ticksLived:3662,
          WorldUUIDLeast:CENSORED, // Redacted information
          WorldUUIDMost:CENSORED, // Redacted information
          id:"minecraft:bee"
        },
        MinOccupationTicks:600,
        TicksInHive:241
      },
      {
        EntityData:
        {
          AbsorptionAmount:0.0f,
          Age:-20339,
          AgeLocked:0b,
          AngerTime:0,
          Attributes:
          [
            {Name:"minecraft:generic.max_health",Base:10.0d},
            {Name:"minecraft:generic.movement_speed",Base:0.30000001192092896d}
          ],
          Bukkit.Aware:1b,
          Bukkit.updateLevel:2,
          ForcedAge:0,
          HasNectar:0b,
          HasStung:0b,
          Health:10.0f,
          InLove:0,
          Invulnerable:0b,
          Paper.Origin:
            [CENSORED], // Redacted information
          Paper.OriginWorld:
            [CENSORED], // Redacted information
          Paper.SpawnReason:"BREEDING",
          PersistenceRequired:0b,
          Spigot.ticksLived:4070,
          WorldUUIDLeast:CENSORED, // Redacted information
          WorldUUIDMost:CENSORED, // Redacted information
          id:"minecraft:bee"
        },
        MinOccupationTicks:600,
        TicksInHive:42
      }
    ]
  },
  BlockStateTag:
    {honey_level:"5"}
}
```

## Why did you censor UUIDs?
Idk, I'm paranoid IG

Credit to:

Yoko99 for pointing this out to the community

[Meteor](https://meteorclient.com/) devs for making Meteor

PhantomCaptain for running my personal Minecraft addiction and ruining my life by convincing me to mine thousands on thousands of blocks of cobblestone because why not

All the people who were hit by this exploit (Does this really qualify as an exploit? It's arguably built into the game) and published their experiences for us to learn from. RIP to your stashes and builds, HMU if you need anything and I'll do my best to help you out.

Yes, Cuboyd asked to use this stuff in his video
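A pre-trade check for the fields listed under "What NBT data should I look for?", written as an added example that is not part of the original README: it takes a hive's NBT in the readable text form shown above and reports, per stored bee, which location-bearing keys are present. The function names (`audit_hive`, `safe_to_trade`) are hypothetical, the `WorldUUIDLeast`/`WorldUUIDMost` entries are included only because the author redacted them, and `//` is assumed to start a note as in the dumps above.

```python
import re

# Keys the page lists as location-bearing, plus the world UUID fields its author redacted.
SENSITIVE_KEYS = ("FlowerPos", "Paper.Origin", "Paper.OriginWorld",
                  "WorldUUIDLeast", "WorldUUIDMost")

def _match_close(text, start):
    """Index of the bracket closing the one at text[start]; quoted strings are skipped."""
    pairs, stack, i = {"{": "}", "[": "]"}, [], start
    while i < len(text):
        ch = text[i]
        if ch == '"':  # jump over a quoted string, honouring backslash escapes
            i += 1
            while i < len(text) and text[i] != '"':
                i += 2 if text[i] == "\\" else 1
        elif ch in pairs:
            stack.append(pairs[ch])
        elif stack and ch == stack[-1]:
            stack.pop()
            if not stack:
                return i
        i += 1
    raise ValueError("unbalanced brackets in SNBT")

def audit_hive(snbt):
    """Return, for each bee stored in the hive, the sensitive key names it carries."""
    snbt = re.sub(r"//[^\n]*", "", snbt)  # drop the // notes used in the readable dump
    m = re.search(r"\bBees\s*:\s*\[", snbt)
    if not m:
        return []  # no Bees list at all
    start = m.end() - 1
    body = snbt[start + 1:_match_close(snbt, start)]
    report, i = [], 0
    while (i := body.find("{", i)) != -1:  # each top-level compound is one bee
        end = _match_close(body, i)
        report.append([k for k in SENSITIVE_KEYS if re.search(
            r"(?<![\w.])" + re.escape(k) + r"\s*:", body[i:end + 1])])
        i = end + 1
    return report

def safe_to_trade(snbt):
    # Per the page: a hive with no bees in it carries no bee location data.
    return not audit_hive(snbt)

# Constructed sample in the page's readable layout; values are placeholders.
SAMPLE = """{BlockEntityTag:{Bees:[
  {EntityData:{FlowerPos:{X:-1500,Y:69,Z:-1500}, // placeholder coords
    Paper.Origin:[CENSORED], Paper.OriginWorld:[CENSORED], id:"minecraft:bee"}, TicksInHive:479},
  {EntityData:{Paper.Origin:[CENSORED], id:"minecraft:bee"}, TicksInHive:241}
]}, BlockStateTag:{honey_level:"5"}}"""
```

An empty list from `audit_hive` means the hive holds no bees; any non-empty entry means that bee should not leave your hands.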