Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: flashchat fake login ?!
PostPosted: 24 Sep 2007 02:17 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Hey all.
Not really a "player", but it goes into the same topic I think ..
Anyways I was trying to make some kind of fake login for flashchat, but the packets just won't go into the chatroom. I mean others won't even see a simple message I send with a packet editor.

Can somebody help me a lil bit with this? It should be easy, but I just can't figure it out yet :S


 Post subject:
PostPosted: 24 Sep 2007 22:07 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have seen that at least a pair of flashchats exist; which of the two do you refer to exactly?
But are you 100% sure that what you would like is a "fake player" type tool?


 Post subject:
PostPosted: 24 Sep 2007 22:22 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
I looked deeper into it yesterday and I found out that u can't send packets directly back into the chat. I was trying to fill the chatroom with "fake persons".
And I meant flashchat .. it's the name of the chatroom. Since it's flash-based then all versions should work alike. I have 4.7.5 I think...
http://www.tufat.com/s_flash_chat_chatroom.htm

Anyways I was able to find out that the cookie has nothing to do with admin commands. It's all in the "id=" hash. Changing that, u can change the following:
IP
color and other settings
admin, mod or user
..and other things.

What I don't understand is .. if I connect to flashchat and login with the name "test" I get this "id=617e2510f3c90bfc928e7a8339c0d6c7"
then I'll logout .. refresh the chatroom and log back in using the same name and settings, but the id has been changed. ..so why does it change if I don't change anything ?!
The ID does not keep the name in it, but it keeps all the other info.
So I logged in with "test" and then I logged in with "test1".
I used the packet from "test" and replaced the ID with the "test1" packet's id. ...all the settings were changed to what I had on "test".

I also recorded my admin login packet...and using that ID I am able to boot, ban etc...I just have to login and then send the "boot" etc packet..without using the admin password.

Oh yeah and I used the IP connector tool to send the data into flashchat.
Actually it's very easy...I was thinking to write a program/script in perl which will do the job - fill the chatroom with fake persons.
Problem is ... I'm not really a perl programmer :shock:
Maybe it's easier to write a cmd program like you, Luigi, did ?
One I just run in cmd ...specify where to connect and there it goes...

First I need to specify where to connect ?! right ?
Then I just specify the data which will be sent ?
And add a "keep-alive" packet ? or something like that...

One more question ... is this "flood control" in flash ? ..I mean if I use something else..like IP connector, will I be able to FLOOD the chatroom if the admin has set "flood control" to like 3 seconds ?!?


 Post subject:
PostPosted: 25 Sep 2007 19:26 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Ok, I have taken a quick look at this chat and have created an experimental code which you can test:

http://aluigi.org/beta/flashchatz.zip

(if the link doesn't work copy it in the browser or use mirror.aluigi.org)

It's very basic and has two types of work: player flooding and message flooding.
There is no support at the moment for joining specific rooms and the server must allow unregistered players; it's just a test.
Anyway the protocol doesn't seem very complex.


 Post subject:
PostPosted: 26 Sep 2007 08:59 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Thanks, I will test it.
Anyways .. if u want to test in a chatroom:
http://www.sx.brutalcore.co.uk/chat
Not many ppl use it...so if you want you can test there.

-I made a quick test, but it doesn't seem to work. It says "something wrong".
I did "flashchatz 1 site/path" and then I tried "flashchatz 1 ip" and "flashchatz 1 site" ..anyways it was just for now ..I'll see what I did wrong.

I made an interesting discovery. I recorded the "join" packet. Then I disconnected from the chatroom and logged in using a proxy (so I can monitor what's going on). Then I resent the "join" packet with Http connector...and this user popped up as a "ghost" ..unbootable and unbannable. Like it didn't exist at all. When I resent this packet with an edited name .. then another "ghost" popped up. And they never timed out either. Only thing .. they didn't take room either. ..like total ghosts...only persons inside the chat were able to see the names. ..also I wasn't able to see any ip info when I did /whois on the "ghost" ..it just said "name" does not exist in any room.


Last edited by Sethioz on 21 Oct 2007 11:56, edited 1 time in total.

 Post subject:
PostPosted: 26 Sep 2007 09:34 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Ok, solved.
It was just the URL since I used a fixed URI and so wasn't able to get getxml.php.
The link is the same as in the previous post, be sure to redownload it (sometimes people re-get the copy from the browser cache ih ih ih).

Oh I have also tested it versus your chat so, yes, those fake players were mine ih ih ih


 Post subject:
PostPosted: 26 Sep 2007 16:26 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
lol nice job...I almost crashed myself with it :shock: :D
..now one other question/discovery.

When I log into the chat with ..let's say 2 names.
I use a proxy for one. Now .. I just need the proxy to LOAD up the chat...once the box appears with "login" then I can disable the proxy and login...but the proxy's ip will still be shown. ...does that mean .. it's really easy to bypass the ipban ?

LOL what else can be done :D ? ..as far as I know .. flash is very exploitable. You have the moderator pass too .. so you can try ..maybe you can make some kind of tool that lets you remotely boot, ban ..etc people LOL.
That would be really nice...
What I know is: it's possible. I recorded the "/kickout" command .. and when I sent this packet again .. it kicked me out lol. Note that I was using a proxy, just to make SURE that my cookies or cache had nothing to do with this command.

<<<this guy here really needs to learn more C++ :shock:


EDIT...on other thoughts...maybe u should remove it from public ? If some noobz get this .. then all hell will break loose lol.
I already crashed my browser with it.. or at least hide it from "guest" users ?


 Post subject:
PostPosted: 27 Sep 2007 10:35 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The effect you see when you disable the proxy is caused by the ID and (optionally) by the player number; those are the only parameters considered by the chat server, not the IP address.
That's why you are still admin even after changing the IP address.


 Post subject:
PostPosted: 28 Sep 2007 03:31 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Hmm .. so I need to steal the admin's id lol ?
Anyways .. if you get a little time, maybe you can look into it ? One guy (Magic_Maker) said that in most chatrooms it's possible to talk under other names lol. ..there should be some kind of pattern in the IDs ?!

Actually once I succeeded in that. I logged in with 2 browsers ... for one I used a proxy... then I edited something in the ID and I was able to talk under the other person's name.
Actually I'm not surprised if it's only one number or string that tells the chatroom who's admin.

lol I just kind a got stuck in it ... flashchat seems an interesting thing to exploit.


 Post subject:
PostPosted: 28 Sep 2007 09:59 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Yes, the trick Magic_Maker refers to is just the "user" ID.
I'm very curious to know why the server doesn't identify the user from its ID (the hash you see in each packet) instead of the user ID... a programming mystery...


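As an added illustration (not FlashChat's code, nor Luigi's tool), a small Python model of the check Luigi is puzzled by in the two posts above: the first handler identifies the speaker by the packet's "user" number, the second only by the server-side session record, which also decides who may boot or ban and from which address the session was opened. The session fields, packet layout and the source-address binding are assumptions for the example.

```python
# Added example (not FlashChat's code): a server that trusts the packet's
# user number (the flaw Luigi describes) next to one that trusts only the session.
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user_id: int
    role: str        # "user", "mod" or "admin"
    client_ip: str   # address the session was created from

SESSIONS = {}        # server-side table keyed by the opaque session token

def login(user_id: int, role: str, client_ip: str) -> str:
    """Create a session and return its token (the 'id=' hash in the packets)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = Session(user_id, role, client_ip)
    return token

def handle_vulnerable(packet: dict, client_ip: str) -> str:
    """Only checks that the token exists, then trusts the packet's 'user' field."""
    if packet.get("id") not in SESSIONS:
        return "error: unknown session"
    if packet["cmd"] == "say":
        return "user %d says: %s" % (packet["user"], packet["text"])
    return "error: unknown command"

def handle_hardened(packet: dict, client_ip: str) -> str:
    """Identity, role and origin all come from the server-side session record."""
    sess = SESSIONS.get(packet.get("id"))
    if sess is None:
        return "error: unknown session"
    if sess.client_ip != client_ip:          # token replayed from another address
        return "error: session/address mismatch"
    if packet.get("user") != sess.user_id:   # client-supplied identity disagrees
        return "error: user id does not match session"
    if packet["cmd"] == "say":
        return "user %d says: %s" % (sess.user_id, packet["text"])
    if packet["cmd"] in ("boot", "ban"):     # privilege from the session role only
        if sess.role not in ("mod", "admin"):
            return "error: not allowed"
        return "%s %d" % (packet["cmd"], packet["target"])
    return "error: unknown command"

def demo() -> tuple:
    """Constructed scenario: user 1 ('test') sends packets claiming to be user 2."""
    SESSIONS.clear()
    ip, tok = "203.0.113.5", login(1, "user", "203.0.113.5")
    spoof = {"id": tok, "user": 2, "cmd": "say", "text": "hi"}
    own = {"id": tok, "user": 1, "cmd": "say", "text": "hi"}
    kick = {"id": tok, "user": 1, "cmd": "boot", "target": 2}
    return (handle_vulnerable(spoof, ip), handle_hardened(spoof, ip),
            handle_hardened(own, ip), handle_hardened(kick, ip),
            handle_hardened(own, "198.51.100.9"))
```

Binding a session to its source address is only a secondary control (it breaks for users behind changing NAT or proxies); the essential fix is that identity and role never come from the packet.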
 Post subject:
PostPosted: 30 Sep 2007 04:26 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
I think it does identify the username by its ID...because when I changed it then I was able to talk under another name. ..only problem is that you can't just get any user's id. ..maybe if you steal his cookie...actually that won't do either..cuz the cookie doesn't contain the ID.

This gave me one other GOOD idea, but I don't know programming so well.

Have you noticed that .. when you use "flashchatz" ..and make about 5-10 fake persons (more will just crash the script in the web browser lol) then only the LAST joined person has the IP and ID ... if you do "/whois" on any other fake person then it will say "(name) was not found in any room"

Those fake names will also be stuck there in the chatroom. ..you can't boot them and you can't get any info on them.
..that gave me an idea. Is it possible to make yourself "invisible" to the chatroom ? So people will see your name and you can talk, but admins/moderators will not be able to get any info - which also means ... NO booting, banning..etc.
I just don't understand why those fake users "get stuck" there.


 Post subject:
PostPosted: 24 Oct 2007 18:24 

Joined: 24 Oct 2007 18:18
Posts: 23
There is:
Error : uable to resolve hostname <www.sx.brutalcolore.co.ux>
Error : something wrong

I use it like that: flashchatz 1 www.sx.brutalcolore.co.uk/chat
Also I tried with http://www.sx.brutalcolore.co.uk/chat
but I had the same error msg.


Last edited by NaWaR on 01 Jan 2008 02:25, edited 1 time in total.

 Post subject:
PostPosted: 24 Oct 2007 21:32 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
You receive that message just because www.sx.brutalcolore.co.uk doesn't exist; probably that domain is dead.


 Post subject:
PostPosted: 24 Oct 2007 22:59 

Joined: 24 Oct 2007 18:18
Posts: 23
That chat is working, I logged in today on it and now I am in it ..!!
Another problem, error msg:
Microsoft Windows XP [Версия 5.1.2600]
(С) Корпорация Майкрософт, 1985-2001.

C:\Documents and Settings\User>cd\

C:\>cd 4

C:\4>cd\

C:\>flashchatz
"flashchatz" не является внутренней или внешней
командой, исполняемой программой или пакетным файлом.

C:\>cd 2

C:\2>flashchatz

FlashchatZ 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


Usage: flashchatz <attack> <URL>

Attack:
1 = user flooding
2 = message flooding


C:\2>flashchatz 1 www.sed.lg.ua:8080/chat

FlashchatZ 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


Error: remote file is temporary unavailable (404)

Error: something wrong

C:\2>flashchatz 1 www.sed.lg.ua:8080/chat/

FlashchatZ 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


Error: remote file is temporary unavailable (404)

Error: something wrong

I tried it with http too ..!


Last edited by NaWaR on 01 Jan 2008 02:27, edited 1 time in total.

 Post subject:
PostPosted: 25 Oct 2007 11:00 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
About your previous error, you wrote the URL wrong, that's why the host wasn't found: www.sx.brutalcolore.co.uk instead of www.sx.brutalcore.co.uk ih ih ih

About www.sed.lg.ua:8080/chat/, if it uses Flashchat this is not the exact URL because the getxml.php file is not there.


 Post subject:
PostPosted: 26 Oct 2007 23:14 

Joined: 24 Oct 2007 18:18
Posts: 23
thank you :)


 Post subject:
PostPosted: 27 Oct 2007 05:09 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Do u really have to put the port there ? ..or doesn't it work if it's not 80 ?
I couldn't get into that chat at all ... don't understand russian either lol...or whatever it is. ..so maybe this site is buggy and fucked up a lil bit ?!


 Post subject:
PostPosted: 27 Oct 2007 13:11 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
My tool understands any type of URL:
http://host/uri
http://host:8080/uri
host:8080/uri
host/uri
... and so on


 Post subject:
PostPosted: 27 Oct 2007 18:44 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
..btw does it actually crash index.php ? ..I tried in my test chatroom ..it ran for like 20 seconds and then said ..something wrong (stopped). When I tried to refresh the page it said "error 404, not found"....or is it just because of the major lag it causes ?


 Post subject:
PostPosted: 27 Oct 2007 19:27 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Sincerely I don't know, but it is very strange since I have never tested more than 10 fake players on your test server 8-)
Probably Flashchat is more bugged than we think.


 Post subject:
PostPosted: 28 Oct 2007 05:34 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Nah this here (the one I posted) is not the test server lol ... I uploaded another one using another mysql .. and tested there...just in case it fucks up the MySQL db lol...
Just a lil precaution cuz it happened before ... I was flooding something and then it fucked up the MySQL db I was using ...
Well it doesn't mess up SQL anyways..so no worries.


 Post subject:
PostPosted: 06 Nov 2007 23:46 

Joined: 24 Oct 2007 18:18
Posts: 23
program flood this kind of chat.. : http://www.xat.com/narutorpg


Last edited by NaWaR on 01 Jan 2008 02:28, edited 1 time in total.

 Post subject:
PostPosted: 08 Nov 2007 11:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
That site doesn't use Flashchat.


 Post subject:
PostPosted: 08 Nov 2007 22:25 

Joined: 24 Oct 2007 18:18
Posts: 23
Can u please tell me what kind of chat they use ???
Cause I have this chat kind and some hackers attack me, they can make themselves admins in the chat without permission .!!
:D I wanna figure out how they do that :) and if it is possible to make any flood for this kind of chat rooms ..
Thank you :)


 Post subject:
PostPosted: 09 Nov 2007 16:17 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Kind a out of topic .. but it should be really easy with a packet editor. I'm not a programmer so I really can't write a program for that chat :(
..actually about flashchat...also out of topic, but I hope it's ok. Tell us Luigi .. is it possible to get admin/mod in flashchat?! ..I'm pretty sure that it is possible, cuz it's flash-based and it's very vulnerable. Flashchat even keeps plain-text passwords in a file (not in the sql db). Only problem is ... I can't download it. I never tried any tools, but I know there are tools that can copy a whole website...if it's possible, then you can simply get the file that holds the admin pass LOL.


 Post subject:
PostPosted: 09 Nov 2007 17:27 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The step-by-step to follow for writing a join replicator (like "fake players") is usually always the same:
- collect some initial packets from two different connections (connect, disconnect and reconnect)
- try to figure out the protocol (the fields, at least the main fields) and whether differences exist between the two sniffed sessions
- check if encryption/compression/bitfields are used
- replicate the packets (or the packet) until you get a different reply from the server (server full)

Now about Flashchat, I have never tested it, I limited myself only to writing the experimental fake players tool which seems to work as far as I have understood from those who have tested it, but naturally, like all software, it can be vulnerable to security bugs too (sql injection, XSS and others... but web bugs are not my field).


 Post subject:
PostPosted: 13 Nov 2007 13:43 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
...one other thing about flashchatz, using it will not fill the room ..even if the limit is like 5 persons. As soon as a new "player" joins, the previous one will become a "ghost". It is visible inside the chat, but not from outside (the external box you can use to preview who's inside the chat).


 Post subject:
PostPosted: 03 Dec 2007 21:40 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Hey Luigi .. a src code plz ? I found a way how to patch/fix this, but I also found out that it's possible to bypass that very easily. So I was thinking to edit the src a lil bit (since I can't change that part by editing .exe and .c files, it just won't work). Of course it would take you 1-2 secs to fix/add an option for it, but I wanna try it myself :)


 Post subject:
PostPosted: 03 Dec 2007 22:50 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
flashchatz is now public in the relative Fake Players section (in case someone tries to get it from /beta/ and the link doesn't work)


 Post subject:
PostPosted: 25 Dec 2007 13:50 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
A little update. It seems that it will stop after like 30 players.
But I changed something in the source (hope you don't mind Luigi) ..changed the charset to "123" and now it seems that it goes on forever.
..thought that somebody may want to know that.

