Code:
<?php
/*
TeamSpeak Fake Player PHP
By: Fabian( DarK PhoEniX )
Credits:
Luigi - explained those stupid uninitialised buffers to me
Some other for hex2str and DecToHex32
*/
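/**
 * Return the CRC-32 of $data as four raw bytes, least-significant byte first.
 *
 * The earlier version sliced the text produced by dechex(), which is not
 * zero-padded. Any checksum with a leading zero nibble produced fewer than
 * eight hex digits, so the fixed substr() offsets selected the wrong digits
 * and the returned bytes no longer matched the checksum. pack('V') always
 * emits exactly four bytes in little-endian order.
 *
 * @param string $data Bytes to checksum.
 * @return string Four-byte binary string (little-endian CRC-32).
 */
function MyCRC32( $data )
{
    // 'V' = unsigned 32-bit little-endian; only the low 32 bits are packed.
    return pack( 'V', crc32( $data ) );
}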
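/**
 * Decode a string of hex digits into the raw bytes it represents.
 *
 * Digits are consumed two at a time; a trailing single digit is decoded on
 * its own (so "9" yields the byte 0x09). Characters are passed to hexdec(),
 * so this function performs no validation of its own.
 *
 * The accumulator is now initialised explicitly: previously it was appended
 * to while undefined, which raises a warning on current PHP and made an
 * empty input return null instead of an empty string.
 *
 * @param string $hex Hex digits, e.g. "f4be".
 * @return string Decoded bytes ("" for empty input).
 */
function hex2str($hex)
{
    $str = '';
    $length = strlen($hex); // hoisted: the input does not change inside the loop
    for ($i = 0; $i < $length; $i += 2) {
        $str .= chr(hexdec(substr($hex, $i, 2)));
    }
    return $str;
}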
/**
 * Build a fixed-width, length-prefixed string field.
 *
 * Layout: one byte holding the string length, the string itself, then NUL
 * bytes until the text area is $len bytes wide (total size $len + 1).
 * Terminates the script via die() when the string exceeds $len or 255 bytes,
 * the largest length a single prefix byte can hold.
 *
 * @param string $string Field content.
 * @param int    $len    Width of the text area in bytes, excluding the prefix.
 * @return string The encoded field.
 */
function BuildTeamSpeakString($string, $len)
{
    $used = strlen($string);
    if ($used > 255 || $used > $len) {
        die( "String is too long..." );
    }

    // Zero-fill whatever part of the text area the string does not occupy.
    $padding = '';
    for ($left = $len - $used; $left > 0; $left--) {
        $padding .= "\x00";
    }

    return chr($used) . $string . $padding;
}
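/**
 * Format the low 32 bits of $number as eight uppercase hex digits in
 * little-endian byte order (e.g. 2 becomes "02000000").
 *
 * The earlier version went through bcmod()/bcdiv(), so it failed outright
 * where the optional bcmath extension is not loaded, and a negative input
 * did not produce a well-formed eight-digit result. Native integer packing
 * gives the same output for every value in 0..0xFFFFFFFF without that
 * dependency.
 *
 * @param int|string $number Non-negative integer (or numeric string).
 * @return string Eight uppercase hex digits, least-significant byte first.
 */
function DecToHex32($number)
{
    // Mask to 32 bits so the output is always exactly four bytes wide.
    $value = ((int) $number) & 0xFFFFFFFF;

    // 'V' packs as unsigned 32-bit little-endian, which is the byte order
    // the original produced by swapping digit pairs by hand.
    return strtoupper(bin2hex(pack('V', $value)));
}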
// Script body: takes a destination from the query string, sends a login
// packet over UDP, and on acceptance keeps the session open with periodic
// packets until a local flag file is removed or changed.
//
// NOTE(review): the destination host and port come straight from $_GET and
// nothing visible here authenticates the requester or restricts the
// destination. Anyone who can reach this page can make the web server emit
// UDP traffic to a host/port of their choosing and tie up a worker for as
// long as the loop below runs. Reading a missing $_GET key also raises a
// warning before the die().
if( !$_GET['ServerIP'] || !$_GET['ServerPort'] )
{
die( "No Target!" );
}
// The host value is used as-is (no format or allow-list check); the port is
// coerced to an integer.
$TeamSpeakIP = $_GET['ServerIP'];
$TeamSpeakPort = intVal($_GET['ServerPort']);
// Four zero bytes each; overwritten from the server's reply further down.
$SessionID = hex2str("00000000");
$PlayerID = hex2str("00000000");
$FileName = '';
// First packet. The 16 header bytes are followed by a 4-byte checksum slot
// (offsets 16..19) that is left zero while the CRC is computed.
$packet1 = hex2str("f4be");
$packet1 .= hex2str("0300");
$packet1 .= hex2str("00000000");
$packet1 .= hex2str("00000000");
$packet1 .= hex2str("01000000");
$packet1 .= hex2str("00000000"); // CRC32
// Fixed identification strings sent in every login packet; presumably
// client/platform/name fields (field meanings are not shown here). Because
// they are constants, they are what a server-side log or filter would see
// from this script.
$packet1 .= BuildTeamSpeakString("TeamSpeak",29);
$packet1 .= BuildTeamSpeakString("PHP v.1337 By: Fabian",29);
$packet1 .= hex2str("0200000020003C00");
$packet1 .= hex2str("01");
$packet1 .= hex2str("01");
$packet1 .= BuildTeamSpeakString("",29);
$packet1 .= BuildTeamSpeakString("",29);
$packet1 .= BuildTeamSpeakString("TSPHP v1.0",29);
// Checksum the packet with the slot zeroed, then patch the four CRC bytes
// into offsets 16..19.
$checksum = MyCRC32( $packet1 );
for( $count = 0; $count < 4; $count = $count + 1 )
{
$packet1[16+$count] = $checksum[$count];
}
// NOTE(review): the fsockopen() result is not checked; on failure the
// following fwrite()/fread() calls operate on a non-stream value.
$udpsocket = fsockopen("udp://" . $TeamSpeakIP, $TeamSpeakPort);
fwrite($udpsocket, $packet1);
// One-second read timeout; applies to every later fread() on this socket.
stream_set_timeout($udpsocket, 1);
$response = ''.fread($udpsocket, 10000);
$info = stream_get_meta_data($udpsocket);
if ($info['timed_out']) {
die("Timed Out!");
}else{
// Bytes 88..91 equal to 01 00 00 00 are treated as "login accepted".
if( substr($response, 88, 4) == "\x01\x00\x00\x00" )
{
// Session ID is copied from reply offsets 172..175.
// NOTE(review): the reply length is never checked, so a reply shorter than
// 176 bytes makes these reads hit undefined string offsets.
for( $count = 0; $count < 4; $count = $count + 1 )
{
$SessionID[$count] = $response[172+$count];
}
echo( "\n" );
// Player ID is copied from reply offsets 8..11.
for( $count = 0; $count < 4; $count = $count + 1 )
{
$PlayerID[$count] = $response[8+$count];
}
// Flag file: three random lowercase letters followed by "TS.txt", created
// relative to the current working directory and seeded with "Alive". The
// keep-alive loop below re-reads it on every iteration and stops once the
// marker is gone.
// NOTE(review): rand() is not a cryptographic source and only 26^3 names are
// possible; the file is never deleted by this script, so each accepted run
// leaves one behind.
$FileName .= chr(rand(97,122));
$FileName .= chr(rand(97,122));
$FileName .= chr(rand(97,122));
$FileName .= "TS.txt";
$handler = fOpen($FileName , "a+");
fWrite($handler , "Alive");
fClose($handler);
// Second packet: 20 header bytes, checksum slot at offsets 20..23, then a
// fixed payload containing the constant string "Long AFK".
$packet2 = hex2str("F0BE");
$packet2 .= hex2str("0500");
$packet2 .= hex2str("00000000");
$packet2 .= hex2str("00000000");
$packet2 .= hex2str("01000000");
$packet2 .= hex2str("00000000");
$packet2 .= hex2str("00000000");// CRC32
$packet2 .= hex2str("0100");
$packet2 .= BuildTeamSpeakString("Long AFK",29);
$packet2 .= BuildTeamSpeakString("",29);
$packet2 .= BuildTeamSpeakString("",29);
$packet2 .= hex2str("00000000");
// Session ID goes into offsets 4..7.
for( $count = 0; $count < 4; $count = $count + 1 )
{
$packet2[4+$count] = $SessionID[$count];
}
// Player ID goes into offsets 8..11.
for( $count = 0; $count < 4; $count = $count + 1 )
{
$packet2[8+$count] = $PlayerID[$count];
}
// CRC is computed after the IDs are in place and written to offsets 20..23.
$checksum = MyCRC32( $packet2 );
for( $count = 0; $count < 4; $count = $count + 1 )
{
$packet2[20+$count] = $checksum[$count];
}
fwrite($udpsocket, $packet2);
$response = ''.fread($udpsocket, 10000);
$info = stream_get_meta_data($udpsocket);
if ($info['timed_out']) {
echo("Timed Out!");
}else{
echo("Player Connected!");
// Sequence counter for the keep-alive packets, incremented once per packet.
$seq = 2;
// NOTE(review): from here on the script keeps running after the HTTP client
// disconnects and with no execution time limit, so one request can occupy a
// PHP worker indefinitely. The flag file is the only exit condition.
ignore_user_abort(true);
set_time_limit(0);
for(;;)
{
// Stop when the flag file is unreadable, empty, or no longer contains
// "Alive" (the == false comparison is loose, so "" and "0" also match).
$text = file_get_contents($FileName);
if( $text == false || !strstr( $text, "Alive" ) )
break;
// Keep-alive packet: session ID at 4..7, player ID at 8..11, sequence number
// at 12..15 (little-endian via DecToHex32), checksum slot at 16..19.
$packet3 = hex2str("F4BE");
$packet3 .= hex2str("0100");
$packet3 .= hex2str("00000000");
$packet3 .= hex2str("00000000");
$packet3 .= hex2str(DecToHex32($seq));
$packet3 .= hex2str("00000000");// CRC32
for( $count = 0; $count < 4; $count = $count + 1 )
{
$packet3[4+$count] = $SessionID[$count];
}
for( $count = 0; $count < 4; $count = $count + 1 )
{
$packet3[8+$count] = $PlayerID[$count];
}
$checksum = MyCRC32( $packet3 );
for( $count = 0; $count < 4; $count = $count + 1 )
{
$packet3[16+$count] = $checksum[$count];
}
$seq = $seq + 1;
fwrite($udpsocket, $packet3);
// Blocks until a non-empty datagram arrives. With no reply this inner loop
// never ends and the flag file is not re-checked; presumably each fread()
// returns after the one-second timeout set earlier, so it spins about once
// per second. TODO confirm.
while( !fread($udpsocket, 10000) ){}
}
}
}else{
die("Player Not Accepted!");
}
}
?>
Suggestions for improvements are welcome...