Hack the Planet - TeamSpeak server

Zundarian01

Member
Sep 20, 2015
Hey everyone,

I just recently visited this server and met one of the admins: B0Bster. He explained that the server (and client/bot) is completely self-written (i.e. they reverse-engineered TS3). Proving this point will be difficult since it is similar to a zero-knowledge proof (look it up if you don't know what that means). Therefore, the probability of the server really being self-written increases drastically with the number of crazy features: fake clients, client connection information and channel commander everywhere, just to name some of them. Please don't make any statements if you don't understand how things really work. The server is definitely not working by making some lame memory adjustments with IDA or other tools like Cheat Engine.

Kind regards from B0Bster
 

fyfywka

TeamSpeak Developer
Contributor
Sep 10, 2015
https://r4p3.net/threads/192-158-30-154-9988-is-a-scam.545/#post-3592
 

0day

Contributor
Oct 16, 2015
Zundarian01 said:
Hey everyone,

I just recently visited this server and met one of the admins: B0Bster. He explained that the server (and client/bot) is completely self-written (i.e. they reverse-engineered TS3). Proving this point will be difficult since it is similar to a zero-knowledge proof (look it up if you don't know what that means). Therefore, the probability of the server really being self-written increases drastically with the number of crazy features: fake clients, client connection information and channel commander everywhere, just to name some of them. Please don't make any statements if you don't understand how things really work. The server is definitely not working by making some lame memory adjustments with IDA or other tools like Cheat Engine.

Kind regards from B0Bster

Trying to figure out how Cheat Engine or IDA are lame lol.... Exactly how much experience do you have in the reversing/programming world lol?
 

MazeMcRoy

Member
Oct 17, 2015
This is a listener for the TeamSpeak 3 server
on like to http://pastebin.com/LW7xxv0A

and this is frontend
Nice toolz you have :rolleyes:
Good luck to get it run :D

The server is written in PHP.
I don't know why you guys think it's memory stuff. Way too complicated.
Once you've got the encryption stuff (and yeah, it isn't that hard; well, for me as a beginner it was horrible, but after all it is not that much), you can implement your own server.
The protocol is very simple.
 

TiREX

Member
May 7, 2015
Nice toolz you have :rolleyes:
Good luck to get it run :D

The server is written in PHP.
I don't know why you guys think it's memory stuff. Way too complicated.
Once you've got the encryption stuff (and yeah, it isn't that hard; well, for me as a beginner it was horrible, but after all it is not that much), you can implement your own server.
The protocol is very simple.
if you have decrypt/encrypt code write me on pw
 
Nov 7, 2015
The level of ignorance in this thread is amazing.

I'd just like to emphasize this point Zundarian01 made:

Therefore, the probability of the server really being self-written increases drastically with the number of crazy features: fake clients, client connection information and channel commander everywhere, just to name some of them. Please don't make any statements if you don't understand how things really work. The server is definitely not working by making some lame memory adjustments with IDA or other tools like Cheat Engine.

Exactly, you cannot introduce new behavior of this complexity by simply changing some bytes in memory. I think it should be obvious as to why that is the case.

Furthermore, I had the privilege to have some conversations with the aforementioned admin. He has detailed knowledge about code internals that go way beyond memory hacking. Them choosing PHP to re-implement the protocol might be a very... well, interesting choice, however they actually did it.

There is also the possibility of having a MITM-like tool between client requests and server responses.
This could be used to manipulate those requests.

Definitely not. The protocol is encrypted. You would have to know the exact encryption routine and keys. And when you're at that stage, you might as well just re-implement the server, as these guys did.
By the way, encryption isn't the last hurdle. When you use MazeMcRoy's very handy dump hook and test some things, you'll quickly stumble over another hurdle. I won't go into detail about this though.

Such a waste of time, lol.

I wouldn't necessarily say so. In fact, I'd argue the opposite. Think of all the things you could do, if you can manipulate the data sent. And I'm not just talking about the obvious security concerns here.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
The level of ignorance in this thread is amazing.
I most certainly agree; most things pertinent to security-related topics are often faced with some level of ignorance, oftentimes extreme ignorance. Unfortunately the biggest risk is when developers practice ignorance; then security ignorance is being mentioned in a forum of clients (software users), and that is following a 0-day capable of infecting the 1,000,000-something users who have TeamSpeak 3 installed. Surely there are other ways to tamper with the proper functioning of TeamSpeak 3, for example through manipulating the client-server architecture. This forum is for the public community with ANY LEVEL of interest in TeamSpeak 3 security. We have plans to expand our scope though.. check out this spooky-themed song (from 'Security of ignorance'):


Oh yeah, this is an awesome read to see why ignoring potential security risks is usually devastating:
http://windowsitpro.com/blog/your-biggest-security-threats-are-convenience-and-ignorance
 

self.add()

Member
Jul 20, 2015
The level of ignorance in this thread is amazing.

I'd just like to emphasize this point Zundarian01 made:



Exactly, you cannot introduce new behavior of this complexity by simply changing some bytes in memory. I think it should be obvious as to why that is the case.

Furthermore, I had the privilege to have some conversations with the aforementioned admin. He has detailed knowledge about code internals that go way beyond memory hacking. Them choosing PHP to re-implement the protocol might be a very... well, interesting choice, however they actually did it.



Definitely not. The protocol is encrypted. You would have to know the exact encryption routine and keys. And when you're at that stage, you might as well just re-implement the server, as these guys did.
By the way, encryption isn't the last hurdle. When you use MazeMcRoy's very handy dump hook and test some things, you'll quickly stumble over another hurdle. I won't go into detail about this though.



I wouldn't necessarily say so. In fact, I'd argue the opposite. Think of all the things you could do, if you can manipulate the data sent. And I'm not just talking about the obvious security concerns here.

You are mistaken. All of this is possible by memory editing. And if you say
you cannot introduce new behavior of this complexity by simply changing some bytes in memory
you should really go back and increase your knowledge on memory editing and what's possible with it.
You can basically turn your notepad into a small game by changing "bytes in the memory" if you have enough knowledge about Assembly.
I was able to recreate a good portion of it and then stopped since I didn't care enough.
Also a tool between server and client would work since you don't have to manipulate all packets. You can choose to edit specific ones. I've worked on recreating online game servers by sniffing packets and decrypting them etc.
You have to look into structures etc.
Sometimes it's easier to just manipulate parts of the known packets because you don't know all structures.

This is only interesting because you can find or set up exploits with a manipulated server. And this is possible by memory editing.
I highly doubt that TS3 Server is actually self-written and would stick with it being done by manipulating the memory since, as I said, I could recreate a good amount of it by just doing that.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
why-am-i-even-here said:
I don't understand why people would choose PHP to implement such "hacks".

My assumption: the original author (probably only knew PHP and) found the ts3admin class and put together this awful piece of code. How can someone have the nerve to demand 10 bucks for a piece of shit software like this that basically is a rip-off of someone else's work? What a pathetic script kiddy.

Ironically after that post, a TeamSpeak 3 server that has supposedly been rewritten from scratch in PHP is discussed. Personally, I think HTP or the members involved in making the PHP TeamSpeak 3 server should demonstrate evidence rather than just a test server. Like @self.add() mentioned, anyone could tweak things with the server without rewriting the whole server process. The effort/work that goes into recreating an entire server for it to be "just because" seems rather bizarre. There is no apparent motive, nothing mind-blowing has been done with it other than some obvious values tweaked and PHP is really just an odd language to choose for a TeamSpeak 3 server recreation.

Science says to believe it once you see it (test results and the whole trial); just showing the test results is simply not enough. With that being said, it makes no sense to dismiss the awareness of individuals on this forum simply because a supposed PHP developer claims to know internal code. I myself have had the awkward experience of discussing the server project with individuals in the HTP TeamSpeak server. I am rather skeptical, although given how serious they sound it makes no sense for it to be fake.

Conclusion: Did they rewrite a TeamSpeak 3 server in PHP? Maybe, there is no conclusive proof/evidence that shows for certain.
 

bl4uni

Active Member
Sep 10, 2015
I wouldn't necessarily say so. In fact, I'd argue the opposite. Think of all the things you could do, if you can manipulate the data sent. And I'm not just talking about the obvious security concerns here.

Yes, I was talking about the "optic" things like "OMG everybody has channelcommander thats sooooo kewl. And look the server is running since 100years OMG THATS SO ROFLCOPTER." If someone was professionally exploiting this, I'd congratulate that person.
 

fyfywka

TeamSpeak Developer
Contributor
Sep 10, 2015
They could not make a server in PHP. Do you at least know what PHP is?
 
Nov 7, 2015
Interesting responses. Let's go through them bit by bit. :)

fyfywka said:
They could not make a server in PHP. Do you at least know what PHP is?
Yes, I do. Quite well actually. Please elaborate on why it would be impossible to write a TeamSpeak server in PHP. I'll happily disprove your points.

bl4uni said:
Yes, I was talking about the "optic" things like "OMG everybody has channelcommander thats sooooo kewl. And look the server is running since 100years OMG THATS SO ROFLCOPTER." If someone was professionally exploiting this, I'd congratulate that person.
Sorry I misunderstood you. Glad we're on the same page. :)

Asphyxia said:
Ironically after that post, a TeamSpeak 3 server that has supposedly been rewritten from scratch in PHP is discussed.
Don't get me wrong here. I still hate PHP with a burning passion. Just because I dislike a language, doesn't mean that it couldn't actually be used for advanced things. If it should be used is a different question. Nevertheless, that doesn't imply that I endorse their choice. I always found and still find it kind of ridiculous, even after they explained their reasons, which were understandable.

Asphyxia said:
Personally, I think HTP or the members involved in making the PHP TeamSpeak 3 server should demonstrate evidence rather than just a test server.
It's not like they have to prove anything to anyone. In fact I'd find it flattering, if people wouldn't believe me. :D

Asphyxia said:
The effort/work that goes into recreating an entire server for it to be "just because" seems rather bizarre.
Well, we even flew to the moon just so we beat the Russians. And the effort required to do such a thing is immense.
I don't want to disclose too many personal details about the dev(s), so I'll keep it vague. They have their understandable motives and they have the necessary knowledge.

Asphyxia said:
...simply because a supposed PHP developer claims to know internal code. I myself have had the awkward experience of discussing the server project with individuals in the HTP TeamSpeak server, I am rather skeptical although how serious they sound it makes no sense for it to be fake.
They don't claim to, they do. I have talked to them about the encryption and they told me verifiable details you couldn't just guess or claim to know.
Not everyone on there knows how the protocol works in detail. Depending on who you've spoken to you might have heard some non-sense, I'll admit that.

self.add() said:
You are mistaken. All of this is possible by memory editing. And if you say "something is not possible by simply changing some bytes in the memory" you should really go back and increase your knowledge on memory editing and what's possible with it.
It is easy to manipulate static / long-living heap memory, yes. That would be a server banner URL, channel list, etc.
It would be significantly harder to dynamically manipulate stack frames / heap memory right before the server would send packets to the client. If you had a scanner running that would indefinitely reiterate over the memory and would apply hacks where necessary you would inevitably encounter race conditions and we'd see "glitches" from time to time.
It would be downright impossible to implement new behavior - which they did - by simply continuously scanning and manipulating the heap.

The only feasible "hack" would be actually patching the binary, just like MazeMcRoy does with his packet dumper. Thus bringing me back to my original point: if you're in a position to add new behavior of this complexity, you already gained enough knowledge to implement the server yourself.

There's an important distinction to be made between trivial memory patching and adding wholly new behavior. For that, you inevitably have to write new code. Either by patching the binary or implementing the server yourself.

Fun fact: we ran into an edge-case they didn't implement correctly. If they were using the original TS server, we would not have encountered an error.

self.add() said:
I was able to recreate a good portion of it and then stopped since I didn't care enough.
Okay, then tell me: how would you go about setting the channel commander flag for every client? Keep in mind that the flag doesn't switch. It's set to channel commander right away.
Or even harder: how would you add the "Seclevel xx" client description. It displays the actual security level of the client identity.

self.add() said:
Also a tool between server and client would work since you don't have to manipulate all packets. You can choose to edit specific ones. I've worked on recreating online game servers by sniffing packets and decrypting them etc.
This doesn't refute my argument. To actually change or sniff bits of information you have to know the cryptographic functions, as you just said yourself.

self.add() said:
You have to look into structures etc.
Sometimes it's easier to just manipulate parts of the known packets because you don't know all structures.
You still need to crack the encryption first. Furthermore, this doesn't apply at all here. As previously mentioned (and proven) the wire protocol is a simple ASCII protocol, i.e. ServerQuery with a few additional commands. No need (or even possibility) to work with binary structures.

self.add() said:
This is only interesting because you can find or set up exploits with a manipulated server.
I can give you a whole host of reasons why this is interesting - not only for exploiting vulnerabilities.

self.add() said:
And this is possible by memory editing.
Only to a limited extent as explained above.

self.add() said:
...as I said, I could recreate a good amount of it by just doing that.
Well yeah. If that's the case, go ahead and prove it. And while you're at it, I'd like to see your ideas regarding implementing the additional behavior I expanded on above.
 
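An added example (not code from this thread, from MazeMcRoy's dump hook or from the HTP server) of the text format the reply above describes: a parser and serialiser for ServerQuery-style lines, using the backslash escaping rules of the public TeamSpeak 3 ServerQuery protocol, plus the selective rewrite self.add() described (edit only the messages you understand, pass everything else through), applied to the channel-commander flag the reply asks about. The notification line and nicknames are constructed for this example; `client_is_channel_commander` is the ServerQuery property name for that flag, and whether the encrypted UDP wire protocol carries exactly these escaping rules is the reply's claim, not something the thread proves. The last function shows the caveat any rewriting proxy has to respect: a value containing a space or a pipe that is not re-escaped is parsed by the other side as extra key/value pairs, i.e. a command injection.

```python
"""ServerQuery-style line parser/serialiser with a selective rewrite hook.

Added example for the thread; not the HTP server's code and not MazeMcRoy's
dump hook. Assumes the public TeamSpeak 3 ServerQuery text format:
    [name] key=value key2=value2 ... | key=value ...
with backslash escapes for characters that would break tokenising.
All sample lines are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Escape table of the ServerQuery protocol (assumed to apply on the wire here).
_ESCAPES = {
    "\\": "\\\\",   # backslash
    "/": "\\/",     # slash
    " ": "\\s",     # space: the token separator
    "|": "\\p",     # pipe: the record separator
    "\a": "\\a", "\b": "\\b", "\f": "\\f",
    "\n": "\\n", "\r": "\\r", "\t": "\\t", "\v": "\\v",
}
_UNESCAPES = {seq[1]: raw for raw, seq in _ESCAPES.items()}


def escape(value: str) -> str:
    """Escape a single key or value so it survives as exactly one token."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape(token: str) -> str:
    """Reverse escape(); rejects sequences the protocol does not define."""
    out: List[str] = []
    chars = iter(token)
    for ch in chars:
        if ch != "\\":
            out.append(ch)
            continue
        nxt = next(chars, None)
        if nxt is None or nxt not in _UNESCAPES:
            raise ValueError(f"undefined escape in {token!r}")
        out.append(_UNESCAPES[nxt])
    return "".join(out)


@dataclass
class Message:
    name: Optional[str]  # command / notification word, if the line has one
    # one dict per '|'-separated record; value None means a bare flag like -uid
    records: List[Dict[str, Optional[str]]] = field(default_factory=list)


def parse(line: str) -> Message:
    """Split one line into its name and key/value records, unescaping as we go."""
    line = line.rstrip("\r\n")
    name: Optional[str] = None
    head, _, rest = line.partition(" ")
    if head and "=" not in head and "|" not in head:
        name, line = head, rest
    records: List[Dict[str, Optional[str]]] = []
    for chunk in line.split("|") if line else []:
        rec: Dict[str, Optional[str]] = {}
        for tok in chunk.split(" "):
            if not tok:
                continue
            key, eq, val = tok.partition("=")  # values may themselves contain '='
            rec[unescape(key)] = unescape(val) if eq else None
        records.append(rec)
    return Message(name, records)


def serialize(msg: Message) -> str:
    """Inverse of parse(); re-escapes every key and value."""
    body = "|".join(
        " ".join(escape(k) if v is None else f"{escape(k)}={escape(v)}"
                 for k, v in rec.items())
        for rec in msg.records
    )
    return " ".join(p for p in (msg.name, body) if p)


def force_channel_commander(line: str) -> str:
    """Proxy-style hook: rewrite only lines carrying the flag, pass the rest untouched."""
    msg = parse(line)
    hit = False
    for rec in msg.records:
        if "client_is_channel_commander" in rec:
            rec["client_is_channel_commander"] = "1"
            hit = True
    return serialize(msg) if hit else line


def nickname_update(nick: str) -> str:
    """Build a clientupdate line; escaping keeps a hostile nickname a single value."""
    return serialize(Message("clientupdate", [{"client_nickname": nick}]))
```

Because `serialize` re-escapes everything, the hook above is safe to sit on a proxy; concatenating a rewritten value into a line by hand, without `escape`, is exactly how a nickname such as `evil client_is_channel_commander=1` turns into a second parameter on the receiving side.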
Nov 7, 2015
self.add() said:
You can basically turn your notepad into a small game by changing "bytes in the memory" if you have enough knowledge about Assembly.
I didn't see your spoiler for some reason.

Anyway. You're talking about patching the code, which I mentioned in my reply. This isn't basic memory manipulation with which you can only change simple data values.
 

MazeMcRoy

Member
Oct 17, 2015
Modern software always uses epoll on Linux, which is just an event loop..
I can handle thousands of packets in a second, no problem. The CPU waste on async handling is much higher and the throughput is much lower.
But hey :) get a new argument we can destroy and show us your awesome skills
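An added example of the event-loop model MazeMcRoy refers to (not his listener's code and not the HTP server): one thread, one epoll-backed selector, a UDP socket that answers every datagram it is handed and a client socket that feeds it, all on loopback so it runs offline. `selectors.DefaultSelector` is epoll on Linux; the payloads are constructed for the example, and the batching is there because UDP silently drops datagrams once a receive buffer is full, a failure mode that a single blocking `recvfrom` loop never shows you.

```python
"""Single-threaded UDP responder driven by an epoll-style event loop.

Added example, not the thread's listener and not the HTP server. It uses the
selectors module (DefaultSelector is epoll on Linux) to service a server
socket and a client socket from one thread over loopback. The server simply
answers each datagram with its upper-cased copy; payloads are constructed.
"""
import selectors
import socket
import time


def udp_socket() -> socket.socket:
    """Non-blocking UDP socket bound to an ephemeral loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.setblocking(False)
    return s


def drain(sock: socket.socket, on_datagram) -> int:
    """Read every datagram currently queued on a non-blocking socket.

    The selector is level-triggered, so reading until EAGAIN is what keeps
    one select() wake-up from costing one syscall round trip per packet."""
    n = 0
    while True:
        try:
            data, addr = sock.recvfrom(2048)
        except BlockingIOError:
            return n
        on_datagram(data, addr)
        n += 1


def pump(batches: int, batch_size: int, timeout: float = 2.0) -> int:
    """Push batches*batch_size datagrams through the loop; return replies received.

    Sending a batch and draining before the next one keeps the loopback
    receive buffers from overflowing; every packet in both directions is
    handled by this one thread, which blocks only inside select()."""
    server, client = udp_socket(), udp_socket()
    server_addr = server.getsockname()
    replies = 0

    def serve(data: bytes, addr) -> None:      # server side: echo, upper-cased
        server.sendto(data.upper(), addr)

    def count(data: bytes, addr) -> None:      # client side: count what came back
        nonlocal replies
        replies += 1

    handlers = {server: serve, client: count}
    with selectors.DefaultSelector() as sel:
        for s in handlers:
            sel.register(s, selectors.EVENT_READ)
        for b in range(batches):
            for i in range(batch_size):
                client.sendto(b"ping %d" % (b * batch_size + i), server_addr)
            want = (b + 1) * batch_size
            deadline = time.monotonic() + timeout
            while replies < want and time.monotonic() < deadline:
                for key, _events in sel.select(timeout=0.1):
                    drain(key.fileobj, handlers[key.fileobj])
    server.close()
    client.close()
    return replies


if __name__ == "__main__":
    print(pump(batches=64, batch_size=16), "replies")
```

The deadline in `pump` is the practitioner's check: if the count comes back short, datagrams were dropped somewhere between the two buffers, which is the symptom to look for when a listener "handles thousands of packets a second" but the clients behind it see gaps.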
 