Crash any TeamSpeak client (Windows / Linux / Mac?)

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
Just use that image: https://bugreports.qt.io/secure/attachment/46674/BBF7096DCAF1CD03DE8364E14DB58939.BMP

I already confirmed that it crashes you when used in a channel description. Will do more testing :D

EDIT1: Crashes also when on banner, so you can crash anyone/everyone that connects
EDIT2: Crashes also when on host button
EDIT3: Crashes yourself when trying to open it as avatar: we need a fix so that we can crash others :p. Tried to set it via yaqta, it worked! And it crashes :D

refs: https://codereview.qt-project.org/#/c/106929/
https://bugreports.qt.io/browse/QTB...ns.jira.gerrit-plugin:gerrit-reviews-tabpanel
 

newnameplz

Member
Apr 26, 2015
23
24
35
could try blocking yourself and setting it as avatar? or just use an external tool as suggested in OP
 

ehthe

> could try blocking yourself and setting it as avatar? or just use an external tool as suggested in OP
I tried to block teamspeak from loading images (can't just block bmp) but it crashes
 

ehthe

I tried to set the avatar without clicking on myself but it seems the client always checks the file before uploading it. (Which may mean that the server doesn't check jack shit)
Going to see if we can do it with lua. Thanks for the suggestion :D
 

ehthe

You can only check if a client has an avatar in Lua, it seems.
In C you can check and retrieve it: getAvatar(uint64 scHandlerID, anyID clientID, char* result, size_t maxLen);
So no chance here.
 

Kaptan647

Retired Staff
Contributor
Apr 25, 2015
314
398
112
There is a plugin called Clientquery. With this plugin you can connect your ts client via Telnet and send commands. For some reason my clientquery is not working but maybe you can try
 

ehthe

> There is a plugin called Clientquery. With this plugin you can connect your ts client via Telnet and send commands. For some reason my clientquery is not working but maybe you can try

Ah yeah! I didn't even remember it existed x)
But since it is a plugin it uses the C bindings so I don't think it'll work

Code:
help clientupdate
Usage: clientupdate ident=value...

Sets one or more values concerning your own client, and makes them available
to other clients through the server where applicable. Available idents are:

client_flag_avatar:          set your avatar
 

Kaptan647

I managed to fix this exploit for my client :) But I can't make this image my avatar. It says "invalid image selected. Failed to set avatar"
 

Kaptan647

I downloaded the latest version of Qt and from C:\Qt\5.4\msvc2013_64\bin I took DLLs and replaced it with TeamSpeak's DLLs
 

ehthe

It seems that the clientupdate client_flag_avatar=blah cmd would work
But it always says file not found
 

ehthe

> I downloaded the latest version of Qt and from C:\Qt\5.4\msvc2013_64\bin I took DLLs and replaced it with TeamSpeak's DLLs

Could you please check to see if you need all the DLLs or if you only need to change the Qt5Gui one?
 

ehthe

Well, I tried the same thing on Linux but it didn't work at all. Will retry.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
I have stepped through this using OllyDbg and I'm noticing that there is an "Integer division by zero" error, you will notice it at the bottom left in the status bar.

I am wondering if there is a way we can pull a quick TS3 client fix --- which allows the Qt DLL to fuck up, but the TeamSpeak 3 client shrugs off the error and keeps on going, to the next step --- our own error correction within the client basically. I know that's probably not very simple, I am going to look into it though. I am fairly certain that this occurs within the Qt5Gui, it shows at the top (title).

> I managed to fix this exploit for my client :) But I can't make this image my avatar. It says "invalid image selected. Failed to set avatar"

I think that this is going to continue to happen. Unless we can bypass the image validity check within the client-side, either way this is going to require working with either a memory editor or hex editor to modify the TeamSpeak 3 client. We're going to either need to mod TS3 or create our own hook/injection to gain more access than the plugin/SDK allows to force an avatar update. :cool:
I can't imagine it being extremely complex though, our goal is to just JMP (I think) the image validity check and throw it at the server to set our avatar.
 