- Apr 30, 2015
- 933
- 1,014
- 217
I'm taking a Wild Guess
I was looking at the code and, Looks like this is the main function
edit2.php
and, in the first edit.php there's
So, I guess this has to do with the way how the library handles the writing of
into the channel's description
NOTE: I'm not a PHP Coder, So These assumptions are based on basic knowledge of PHP, so, let me know if I'm wrong or not
BTW: Cool Release, welcome on the VIP section
I was looking at the code and, Looks like this is the main function
edit2.php
Code:
$info = $_POST['info'];
$data["channel_description"] = $info;
$channelEdit = $ts->channelEdit($cid, $data);and, in the first edit.php there's
Code:
<textarea name=\"info\" cols=\"50\" rows=\"30\">So, I guess this has to do with the way how the library handles the writing of
Code:
ЛЮБЛЮ СВОЙ ПАХЛАВАШ\r\ninto the channel's description
NOTE: I'm not a PHP Coder, So These assumptions are based on basic knowledge of PHP, so, let me know if I'm wrong or not
BTW: Cool Release, welcome on the VIP section
- Apr 26, 2015
- 1,029
- 896
- 216
Did not work for me.
Does anyone have a ts3server.sqlitedb that i could test with ?
EDIT : tested by directly injecting it in the db, did not work.
Managed to get those when connecting to the right server :
Still couldn't reproduce it.
Does anyone have a ts3server.sqlitedb that i could test with ?
EDIT : tested by directly injecting it in the db, did not work.
Managed to get those when connecting to the right server :
Code:
27/09/2015 21:54:15 SCHandler Warning Error from ChanClients: convert error
27/09/2015 21:54:15 SCHandler Warning Error while parsing packet: undefined error
Last edited:
Asphyxia.Cell
Member
- Aug 13, 2015
- 25
- 28
- 45
\r is a return carriage or something, \n is a new line. Can be found inside the reference, I'm guessing it is maybe a unicode (character) issue. If we could get this to happen on server join, that would be awesome.
- Apr 25, 2015
- 1,845
- 2
- 2,199
- 327
I think the term crash is misleading, it simply triggers a disconnection due to a convert error. If it disconnected you from the server, that is what it does. This should not be overlooked though, imagine if we found a way to inject this into our username somehow? Someone clicks our name, they disconnect.
YOU CAN'T DISABLE NICKNAMES.
Last edited:
- Apr 30, 2015
- 933
- 1,014
- 217
Did not work for me.
Does anyone have a ts3server.sqlitedb that i could test with ?
EDIT : tested by directly injecting it in the db, did not work.
Managed to get those when connecting to the right server :
Still couldn't reproduce it.Code:27/09/2015 21:54:15 SCHandler Warning Error from ChanClients: convert error 27/09/2015 21:54:15 SCHandler Warning Error while parsing packet: undefined error
Same results,
(3.0.11.4 Windows Server (3.0.18 Windows Client))
Probber
VIP
- Sep 17, 2015
- 26
- 26
- 48
Same Result by me too.
- Apr 26, 2015
- 1,029
- 896
- 216
PHP 5.4.45-0+deb7u1 (cli) (built: Sep 13 2015 17:25:45) I believe
- Apr 26, 2015
- 1,029
- 896
- 216
I didn't test it on localhost but from a raspberry to a blank 3.0.11.4
Anyhow doesn’t anyone have a sqlitedb that is affected by that so that I can look into it ?
Probber
VIP
- Sep 17, 2015
- 26
- 26
- 48
I have one, i have made a screenshot for you: https://gyazo.com/8050fa77b0657eeeff9b795d0047882cI didn't test it on localhost but from a raspberry to a blank 3.0.11.4
Anyhow doesn’t anyone have a sqlitedb that is affected by that so that I can look into it ?
still cannot reproduce the exploit. This channel on my server is from Rayger_x
- Apr 26, 2015
- 1,029
- 896
- 216
Thanks
Probber
VIP
- Sep 17, 2015
- 26
- 26
- 48
Okay i could reproduce the exploit i used the hexadecimal from the exploited channel and copied it into another channel.
This is the hexadecimal for the exploit just change the description through sqlitedatabase and it will work:
EDIT:
Well, i got the PHP Script working, just try this String via the PHP-Script:
This is the hexadecimal for the exploit just change the description through sqlitedatabase and it will work:
Code:
cb de c1 cb de 20 d1 c2 ce c9 20 cf c0 d5 cb c0
c2 c0 d8 0d 0aEDIT:
Well, i got the PHP Script working, just try this String via the PHP-Script:
Code:
ËÞÁËÞ ÑÂÎÉ ÏÀÕËÀÂÀØ\r\nAsphyxia.Cell
Member
- Aug 13, 2015
- 25
- 28
- 45
Now let's try setting username to that shit if possible? Or description or anything.
- Apr 26, 2015
- 1,029
- 896
- 216
Seems like the culprit here is
You can set it as channel description (crash when click on channel) or channel topic (crash when connecting). You cannot set it as a channel name :
You can change D8 to something else (not anything) and it will still crash.
You can set it as channel description (crash when click on channel) or channel topic (crash when connecting). You cannot set it as a channel name :
Setting it as any server property doesn't do anything.
Last edited:
- Apr 25, 2015
- 1,845
- 2
- 2,199
- 327
If we can figure out more information about the convert error, perhaps that would give us some insight as to how we could trigger a convert error in the username/description. It sure would be amazing to trigger a disconnect on name select. That would be overpowered as fuck.
0D is the hex value for a carriage return which is the \r in PHP.
Refer to this: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf019.pdf
D8 looks like Ø.
My assumption is that the topic line is expecting to return a single line, when that does not happen there is a conversion error. This should be tried with changing the user's description.
0D is the hex value for a carriage return which is the \r in PHP.
Refer to this: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf019.pdf
D8 looks like Ø.
My assumption is that the topic line is expecting to return a single line, when that does not happen there is a conversion error. This should be tried with changing the user's description.
Last edited:
Probber
VIP
- Sep 17, 2015
- 26
- 26
- 48
The Problem that we have is, that the Exploit only can set through the server query and this only via PHP-Script. I tryed to set the Exploit without Query but so far without success.
Edit: I setted the Exploit in the Clientdescription via the SqLiteDatabase nothing crashed. If we could create temporary channel via the Server Query Quest that would be great!
I writed a Lua Plugin which changes the topic of the current channel but the exploit doesnt work its still only working via PHP -.-
Edit2: I got a idea, we can just use the local client query via the Client Query Plugin but we need to get the PHP API working with that.
Edit: I setted the Exploit in the Clientdescription via the SqLiteDatabase nothing crashed. If we could create temporary channel via the Server Query Quest that would be great!
I writed a Lua Plugin which changes the topic of the current channel but the exploit doesnt work its still only working via PHP -.-
Edit2: I got a idea, we can just use the local client query via the Client Query Plugin but we need to get the PHP API working with that.
Last edited: