[C] Send fake appscanner commands

[Bluscream]

The AppScanner plugin exists since forever but was recently outsourced to myTeamspeak. Back in the days almost everyone had it pre-installed so it was way more popular and well known. Today i haven't seen anyone using since about half an year. But still, i use it and was interested in how it works. Since the release of TS3Hook i do know how it works and how to trick it, i'm gonna share that info with you.

So the original appscanner_plugin.dll sends plugin commands to give clients infos about your own running apps on every "cliententerview" event. Either by them connecting or you subscribing their channel. The command that it sends looks like this:

plugincmd name=appscanner_plugin data=5&&Microsoft\sVisual\sStudio,\sMozilla\sFirefox targetmode=3

other clients recieve that as

notifyplugincmd name=appscanner_plugin data=5&&Microsoft\sVisual\sStudio,\sMozilla\sFirefox

So the only way they know which client sent it is the clientID before the && which makes it incredibly easy to fake it.

I built a demo plugin to play around with and maybe to find xpl01ts

Source: https://github.com/R4P3-NET/appscanner_plugin/blob/master/plugin.cpp#L335
Download: https://github.com/R4P3-NET/appscanner_plugin/releases

If you want to send a command just write this anywhere in your Teamspeak chat input:

/as send <clientID>&&Application 1, Application 2

Have fun

 

[Asphyxia]

Thank you so much @Bluscream, just to clarify this only impacts individuals with the AppScanner plugin, correct?

 

[Bluscream]

The common information impacts all users of plugins that communicate via plugincmd. One just has to create a plugin with the same dll name and then he can send commands as if the original plugin itself did it. Teamspeak didn't provide any way to verify the sender so plugins that wanted some safety invented their own ways (for example pyTSon).

On older server versions it's even easier cause you could send plugin commands via ServerQuery back then.

P.S. https://www.myteamspeak.com/addons/36985fae-1157-4be2-b807-93f72414105c is also a plugin that uses plugincmd's and is therefor theoretically atleast fakeable if not crashable/exploitable

 

[BogdanSA]

http://prntscr.com/i9ym3w ???

 

[EGX]

Downgrade your ts3 lul

 

[Alligatoras]

http://prntscr.com/i9ym3w ???

Downgrade your ts3 lul

don't say nonsence stuff. Something else is wrong with the plugin. the version is fine!
check the client log for any errors

 

[EGX]

It's the ts3 client minimum "21" and his is "22" I already get this error on some plugins downgrade your ts3.

 

[Alligatoras]

It's the ts3 client minimum "21" and his is "22" I already get this error on some plugins downgrade your ts3.

One more time "minimum 21" means 21++!

 

[BogdanSA]

@EGX @Alligatoras
Okey fixed, thanks guys!