Channel Exploit(Disconnect every User on a Server)

[Probber]

Hello,

This Script is still WIP there are a few errors but you can ignore them. Sometimes not all channels get listed if your channel is one of them then use this plugin to get the cid of your channel: CLICK
If you use XAMPP please make sure you use the Version 5.5.28!
If you use this on a extern WebServer make sure that your Webserver is using PHP5.5.28!
Download XAMPP 5.5.28: https://www.apachefriends.org/de/download.html​

after Hours of testing and developing plugins to set the channel exploit on a server without having server query access, i found a easy way to set the exploit on any server that i want.
This exploit is written in PHP and is based on the script that RayGer_X has written and released recently: Teamspeak 3 Client Crash [channel]
I also want to thanks to: Derp, ehthe and Asphyxia for their usefull posts.

How to setup the Exploit:

Requirements:

• The edited PHP Script from RayGer_X. (can be downloaded on the bottom of this thread)
• A Webserver with PHP5 installed. (its recommended that you use XAMPP if you dont want to open ports)
• ClientQuery Plugin for Teamspeak 3 Client. (normally this is installed by default)

Usage:

1. Download and install all requirements.
2. Activate the ClientQuery (if you dont know how to do this here is a picture: CLICK)
3. Extract the PHP-Files to the htdocs folder of XAMPP and start the Apache module.
4. Connect to a server (Please note that this Exploit only works if you have permission to create a channel and topic!)
5. Create a channel.
6. Open your browser and type localhost.
7. Select your created channel.
8. Type this: ËÞÁËÞ ÑÂÎÉ ÏÀÕËÀÂÀØ\r\n into the Textbox and click on the button.
9. Profit.

Informations:

• Temporary Channel: Everyone can join the server again after you timed out.
• Semi permanent Channel: A Serveradmin have to restart the Teamspeak3-Server.
• Permanent Channel: Severadmin have to edit the database if he dont want to create a new Teamspeak3-Server.
• Ts3-Versions under 3.0.17 dont crash with method.

Development:

This Script is still WIP! On the index.php you get two errors didnt get managed to fix these yet, if someone knows how to fix this please tell me! I also tried to create a LUA-Plugin it worked but if you want to set the needed String for the Exploit the Lua-Plugin will tell you that the Function that you want to run dont exsist.

I also tried to set the Exploit via .NET it worked but the client doesnt crash. I guess the exploit works over PHP just because of the Ts3 API Framework. I didnt get the time to look into this script to translate it into .NET but if you get the time to do that, here is the Link to the API: http://ts3admin.info/

This script has been modified by me, that the API uses the Clientquery instead of the Serverquery. If you want to create a software for this exploit you have to use the Clientquery!

I noticed that the Exploit only works with PHP5.5.28 it doesnt work with 5.6.12.

Changelog:

Version 1.0.1:

- Added a redirect back to the index after you setting the exploit (Thanks to Bluescream for that!)

Download Version 1.0.1:

DOWNLOAD

Spoiler: Password (Im grateful for every like!)

fl4pN5)aD

best regards

Probber

 

[L.]

Very nice Script !

 

[Derp]

Good Job ,

I think we can create a TeamSpeak plugin for this, afterall this is caused by how the TS3 API Handles the writing of ËÞÁËÞ ÑÂÎÉ ÏÀÕËÀÂÀØ\r\n

So, if a php script can do it, Plugins can too

PS: Maybe, the client does some checks that prevents the use of \r\n, I'll have to look into this

-Derp

 

[Probber]

Okay i got some new informations. All Clients below 3.0.17 dont crash! So if you want to use the Exploit and stay on the Server just use a Version thats below.

 

[Kaptan647]

It didnt worked for me

 

[Probber]

It didnt worked for me

okay give me please more informations...

 

[Kaptan647]

I went to a server, created a channel, opened the php, selected the channel and pasted the code you gave. PHP made it as topic of the channel but noone disconnected.

 

[Probber]

I went to a server, created a channel, opened the php, selected the channel and pasted the code you gave. PHP made it as topic of the channel but noone disconnected.

I see the Problem i will look into this

Edit: Use the Version 5.5 from XAMPP instead of the 5.6 and it will work. I tried it with 5.6 and the Exploit didnt worked for me too.

 

[Kaptan647]

Is it possible if we can use this with poke ore client description ? I am not sure abouth poke but clien description should work. Can anyone look into it ?

 

[ehthe]

Is it possible if we can use this with poke ore client description ? I am not sure abouth poke but clien description should work. Can anyone look into it ?

I tryed to set the Exploit on any Client Propertie but it seems that it dont work.

But you can still try it

 

[Derp]

I think this can be done, If I'm right this is an InfoFrame vulnerability, so if we crash from some channel's topic / description , we can crash from someone's description too

 

[Probber]

I tried to crash with the client description via the database of my server but it didnt worked. Maybe it works if we change this over the PHP Framework.

 

[Bluscream]

I see the Problem i will look into this

Edit: Use the Version 5.5 from XAMPP instead of the 5.6 and it will work. I tried it with 5.6 and the Exploit didnt worked for me too.

How to downgrade to 5.5? If i download 5.5.30 from the php for windows site, xampp will not let me use it.

 

[Kaptan647]

I tried to crash with the client description via the database of my server but it didnt worked. Maybe it works if we change this over the PHP Framework.

As derp said it should work. I wanted to test it but since i dont undersand anything about PHP i couldn't do it. The functioın we should use is clientdbedit and the data is client_description

 

[Probber]

How to downgrade to 5.5? If i download 5.5.30 from the php for windows site, xampp will not let me use it.

Just use this downloadpage to download XAMPP with 5.5.28: https://www.apachefriends.org/de/download.html

 

[Asphyxia.Cell]

Thanks, if we can change the client description with PHP and this works, we could have a fun client name crash again.

 

[Bluscream]

I tried with the other xampp version. still no success. it just shows ËÞÁËÞ ÑÂÎÉ ÏÀÕËÀÂÀØ for everyone.

D:\SERVERS\XAMPP_OLD\php>php -version
PHP 5.5.28 (cli) (built: Aug  5 2015 13:39:48)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies

Also please add

<META http-equiv="refresh" content="1;URL=index.php">

at the end of the edit2.php

 

[Kaptan647]

I tried with the other xampp version. still no success. it just shows ËÞÁËÞ ÑÂÎÉ ÏÀÕËÀÂÀØ for everyone.

D:\SERVERS\XAMPP_OLD\php>php -version
PHP 5.5.28 (cli) (built: Aug  5 2015 13:39:48)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies

Also please add

<META http-equiv="refresh" content="1;URL=index.php">

at the end of the edit2.php

I will send the working xampp link when i come home

 

[ehthe]

I think this can be done, If I'm right this is an InfoFrame vulnerability, so if we crash from some channel's topic / description , we can crash from someone's description too

This is surely not an info-frame vulnerability but a network problem. As everyone know teamspeak uses a plain-text protocol (encrypted). It's as the error tells us a convert error. So there seems to be some process that is not applied correctly to all text infos from the server to the client. And given that it doesn't apparently work on 3.0.16 it must be some receiving convert function that is broken.

Regarding the problem with doing this via serverquery : It is absolutely possible. But you would need to code something for it I believe (didn't have time to look into this yet).
It's even easier via a direct client-plugin. I'll try to do one if I find the time
EDIT : I found time !

 

[Probber]

Updated the Script that it has a redirect after you setting the exploit.