ts3server ping utility [Linux only]

[ehthe]

NO LONGER SUPPORTED. But should still work.

Releasing the first version of my tool

You will need the following packages for it to work : libqt5network5 (and libqt5core5)

This tool sends a special crafted UDP packet that appears to be a ping packet in the ts3 protocol. It then monitors the connection and wait for a reply until timeout is reached.

THIS DOES NOT SEND AN ICMP PING. IT SENDS A SPECIAL CRAFTED UDP PACKET. IT CAN DETECT IF YOUR TS SERVER CRASHED WHEREAS A SIMPLE PING CAN'T !

Options :

1. ip : ip of th server to check (no dns support).
2. port : port of the server to check (default to 9987).
3. timeout : time to wait before failing.
4. response validation : Whether to fail or not if reply is weird.
5. server type : Normal or SDK
6. ping type : short is a short ping with no special infos. Realistic sends versions info, and the server replies with more infos (unknown).
7. new! repeat : Number of pings to send, -1 for infinite
   
8. new! pause : Pause between pings, default to 1500ms

Example with voice.teamspeak.com (server is custom as you can see) :

ver 0.4 : x64
i386
VirusTotal 0.4 : https://www.virustotal.com/en/file/...20000e66a3b2a5fce2670abae4c8439fd92/analysis/ 0/57

 

[Asphyxia]

That's awesome, may I know what this does?
Does it literally just ping a TeamSpeak 3 server or does it open a connection to a server (fake user joining)?

 

[ehthe]

It doesn't connect to it. It just sends what I would call a ping packet : "TS3INIT1" or "TS3INSDK".

 

[Asphyxia]

It doesn't connect to it. It just sends what I would call a ping packet : "TS3INIT1" or "TS3INSDK".

Do you think it would be simple to initiate a successful "fake" connection to a server? That would be a big deal for us to have a fake player flooder.

 

[ehthe]

Do you think it would be simple to initiate a successful "fake" connection to a server? That would be a big deal for us to have a fake player flooder.

That would require a shitload of work x) (reversing the way the protocol is encrypted is way too difficult for me right now )

 

[Asphyxia]

It's okay enthe, I thought so.. I was looking into it a little while ago and I remember reading a tutorial on where to begin. It does seem like it would take quite a bit of work. Here are some starting points for anyone interested (Windows).

• Notepad ++
• The official Win32 client binary for TS3
• A recent version of mmBBQ

You will start off by hooking the used Windows network API: WSASendTo(…) and WSAReadFrom(…) --- you are trying to dump the stack arguments from the functions which are wsa_send and wsa_recv.

Throw the below source into your config.lua file.

-- MSDN: int WSARecvFrom( __in     SOCKET s, __inout  LPWSABUF lpBuffers, __in     DWORD dwBufferCount, __out    LPDWORD lpNumberOfBytesRecvd, ... );
local function wsa_recv(context)
    local buflen = context.arg32(2, "uint32_t**")[0];
    local buf = context.arg32(2, "char**")[1];
    local recv = context.arg32(4, "uint32_t*")[0];
    if recv > 0 then
        printf("[RECV] 0x%X", recv);
        hexdump(buf, recv);
    end
end
codecave.inject(nil, getProcAddress("ws2_32", "WSARecvFrom"), wsa_recv, codecave.INTERCEPT_RETURN)

The call to hook is sent from codecave.inject(…), you may want to read into http://luajit.org/ext_ffi_api.html

The above is your hex dump within a console.
Continue on to Step 2 here: http://www.blizzhackers.cc/viewtopic.php?p=4597974

[LINUX METHOD COMING SOON?]
enthe, perhaps you know of a similar way to do this within Linux?
If not, that is okay.
This may be of use: http://www.thegeekstuff.com/2012/03/reverse-engineering-tools/

Additionally, here is a list of software which helps with disassembling software: http://reverseengineering.stackexch...17/is-there-any-disassembler-to-rival-ida-pro

 

[Bluscream]

Cant install the dependencies :

[2015-06-10 01:49.28]  /home/root/Downloads
[root.roots-PC_Win8-1] ➤ apt-get install libqt5core5:i386
Trying to download file setup.bz2
Updated setup.ini
Package libqt5core5:i386 not found in cygwin mirror, trying cygwinports mirror
Trying to download file setup.bz2
Updated setup.ini

Package libqt5core5:i386 not found, exiting...

                                                                                                                         ✔
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[2015-06-10 01:50.04]  /home/root/Downloads
[root.roots-PC_Win8-1] ➤ apt-get install libqt5core5
Package libqt5core5 not found in cygwin mirror, trying cygwinports mirror

Package libqt5core5 not found, exiting...

                                                                                                                         ✔
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[2015-06-10 01:50.12]  /home/root/Downloads
[root.roots-PC_Win8-1] ➤ apt-get install libqt5network5:i386
Package libqt5network5:i386 not found in cygwin mirror, trying cygwinports mirror

Package libqt5network5:i386 not found, exiting...

                                                                                                                         ✔
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[2015-06-10 01:50.28]  /home/root/Downloads
[root.roots-PC_Win8-1] ➤ apt-get install libqt5network5
Package libqt5network5 not found in cygwin mirror, trying cygwinports mirror

Package libqt5network5 not found, exiting...

Also cant open the file:

[2015-06-10 01:49.10]  /home/root/Downloads
[root.roots-PC_Win8-1] ➤ ./sender_32_final
bash: ./sender_32_final: cannot execute binary file

 

[ehthe]

snip

You seem to have quite a special environment. Try to install a fresh ubuntu/debian in a vm.

EDIT : "cygwin" Here's your problem

 

[ehthe]

snip

Yeah i knew about the blizzhacker tutorial unfortunately it never worked for me (tried on 7 and xp). Concerning linux there is Frida but I haven't tried it yet.

 

[ehthe]

New version 0.2 uploaded !
CHANGELOG : Fixed a mixup between ping types.

 

[Bluscream]

You seem to have quite a special environment. Try to install a fresh ubuntu/debian in a vm.

EDIT : "cygwin" Here's your problem

I never had problems using this environment
I run a TS3 server and several other scripts and stuff for testing there all over the day :/

 

[ehthe]

I never had problems using this environment
I run a TS3 server and several other scripts and stuff for testing there all over the day :/

I believe the executable won't run because I implemented some security features to prevent people from stealing my work.
But nonetheless you should be able to install qt5 on your system !

 

[Supervisor]

Sorry for a asking this, it may be a stupid question.. but.. where is the point of creating a ping tool? This is already built in in Linux and windows..

 

[ehthe]

Sorry for a asking this, it may be a stupid question.. but.. where is the point of creating a ping tool? This is already built in in Linux and windows..

This tool is nothing like a ping tool on linux or windows. It sends a crafted UDP packet, not a standard ICMP ping !

EDIT : added precisions and example in first post.

 

[ehthe]

New version 0.3 uploaded !
CHANGELOG : Fails when the user enters an invalid ip (Instead of trying to send a ping anyway).

 

[Bluscream]

I still dont get what it does

P.S. Is that only for ubuntu? I dont find the dependencies for Debian :c

 

[ehthe]

I still dont get what it does

P.S. Is that only for ubuntu? I dont find the dependencies for Debian :c

I added some precisions in the first post.
It is for linux in general, I think I could even compile it for mac or freebsd without too much hassle (you just need qt5)

 

[Zajao]

Is it compatible with linux-x64 versions?
Debian7x64 for example
libqt5network5:i386 - this make me think that no

I also can't find these dependencies for Debian

 

[ehthe]

Is it compatible with linux-x64 versions?
Debian7x64 for example
libqt5network5:i386 - this make me think that no

I also can't find these dependencies for Debian

It is compiled in 32bits. If you're on 32bits just install libqt5network5 without the :i386 bit. If you're on x64 keep the :i386 bit.

(https://packages.debian.org/sid/libs/libqt5core5a)
https://packages.debian.org/sid/libs/libqt5network5

 

[ehthe]

New version 0.4 uploaded !
CHANGELOG : Added loop and pause args.