Tinychat exploits and hacks

Researching, Proof of Concepts, Hacking, Console Modding and Hacking and more. No game hacking / modding here.

Tinychat exploits and hacks

Postby violence_action » Fri Jan 21, 2011 7:05 pm

Hey people,

I was wondering if someone could make a guide or give hints to mess around with Tⓘnychat.

It seems like the packets are encrypted and some changes only last a few seconds before you get kicked.

Thanx for reading.
violence_action
Newbie..
Newbie..
 
Posts: 10
Joined: Fri Jan 21, 2011 6:53 pm

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Fri Jan 21, 2011 9:04 pm

more details plz. i have never even heard of this chat before.
i would need a place where to test, im not testing in public chatrooms, because they ban you for messing around. so i cant bother with those. i only hack those in controlled environment.

so if you can get it running in some freehosting or if you have hosting yourself, then i will give it a try myself.

additionally you should read other tutorials on how to hack chatrooms.
viewtopic.php?f=47&t=62 < flashchat
viewtopic.php?f=47&t=362 < pro chatrooms

also visit my knowledge database, there are some excellent tutorials on how to use commview or other tools to hack chatrooms and other applications.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby violence_action » Fri Jan 21, 2011 10:31 pm

I'm sorry tinychat.com is a public chat. Thanks 4 your help, going to read those tutorials. Much appreciated.

Here are some packets after logging in twice with the same name (probably encrypted):

1st time:

00000000 43 00 13 77 00 00 23 14 02 00 04 6E 69 63 6B 00 C..w..#....nick.
00000010 00 00 00 00 00 00 00 00 05 02 00 0F 76 69 6F 6C ............viol
00000020 65 6E 63 65 5F 61 63 74 69 6F 6E ence_action.....


2nd time:

00000000 43 00 2F 2B 00 00 23 14 02 00 04 6E 69 63 6B 00 C./+..#....nick.
00000010 00 00 00 00 00 00 00 00 05 02 00 0F 76 69 6F 6C ............viol
00000020 65 6E 63 65 5F 61 63 74 69 6F 6E ence_action.....
violence_action
Newbie..
Newbie..
 
Posts: 10
Joined: Fri Jan 21, 2011 6:53 pm

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Fri Jan 21, 2011 11:18 pm

packets are not encrypted, where did you got that idea from ? however it uses very strange protocol that i have never seen or heard before. it converts ascii into hex and then sends the packet.

i created a room and then sent a message containing "aliens"
here's what i captured with commview

Code: Select all
C..ô..:....privmsg.............97,108,105,101,110,115..
#573553,enÃ..._result...........


privmsg < this means the message obviously (private message, no idea why its private tho)
97,108,105,101,110,115 < aliens in HEX. use hex<>ascii converter if you want to convert between hex and ascii
97 > a
108 > l
and so on.

i cant really find anything to do in there, except flooding. i cant even see any mod/admin options. just change topic, which probably will work by using the actual mod packet. what are you looking to do exactly ?


UPDATE

i didnt see your post edit, why you say encrypted ? you can see everything in there.
it says "nick" and then your name "violence_action"
there is no sign of encryption.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby violence_action » Fri Jan 21, 2011 11:28 pm

Thanks for your time and effort, i'm not an expert like you. So please forgive any mistakes i made. Thought it would be fun to mess around with chat people for a bit, especially those pesky ban happy mods ;). And learning something in the process.

Like becoming a mod in a room you're not supposed to, gaining access to passworded rooms, change fonts and topics, ect...
But i always get kicked after sending a changed packet. When i'm the only one in the chatroom the forced changes seem to be working more stable. That's why i thought there was some encryption, packet filtering, time based or checksum thingy going on.

It was really cool of you to take a quick glance at it, thanx.
violence_action
Newbie..
Newbie..
 
Posts: 10
Joined: Fri Jan 21, 2011 6:53 pm

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Sat Jan 22, 2011 3:00 am

what do you mean works once ? and who kicks you from your own room ?
there is no time based packets either. only thing could be number of packet, but then it wouldnt work even once. you can bypass that by using intercepting proxy, like paros or webscarab (read on my wiki, there are detailed tutorials on how to use them).
like msn, there is a number in front of each packet that has to be 1 more than previous. if it doesnt match, then packet will be ignored by server.


if you have done some hacks or exploits, then post them here in detail. what you used and what you did.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby violence_action » Mon Jan 24, 2011 1:43 am

I think the server kicks me, thanks for your explanation.

Please don't laugh all i've done is: typing a message in my own room, add to sendlist (WPE Pro), changing the color hex to something different, log into the victims room whilst recording my new open socket id and fire off the changed packet.

Changing ASCII Characters to ones which aren't allowed for the log on name (WPE Pro.) Kinda pathetic.

Every time i need a new open socket id to do my dirty work.

Now the real cool hacks, exploits, ect.. i've seen include:

A non static username, it kept changing real fast: from A to B to C to D to E, ect...
A bunch of numbers running down the screen, each of which had a slightly different colour.
A random guest becoming a mod changing room topics, closing cams and banning other mods.

Since this chat is videobased, the look on the faces of those who mocked and banned you in the past is priceless.
violence_action
Newbie..
Newbie..
 
Posts: 10
Joined: Fri Jan 21, 2011 6:53 pm

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Mon Jan 24, 2011 1:53 am

i must be looking into wrong place, i cant even find color or anything else. all i found was the text i type as shown in the example packet i posted.

i need to test with somebody in order to make something. dont use WPE pro, its for game hacking. as i said, use webscarab and paros. you dont need socket ID with them, you can modify the packet before its sent.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby violence_action » Mon Jan 24, 2011 2:25 am

Oh i see, please if you're busy or tired i really don't mind.
After typing TESTING1234 in the chat i captured this packet with WPE PRO:

00000000 43 00 3C B5 00 00 44 14 02 00 07 70 72 69 76 6D C.<...D....priv
00000010 73 67 00 00 00 00 00 00 00 00 00 05 02 00 20 38 sg............
00000020 34 2C 36 39 2C 38 33 2C 38 34 2C 37 33 2C 37 38 4,69,83,84,73,7
00000030 2C 37 31 2C 34 39 2C 35 30 2C 35 31 2C 35 32 02 ,71,49,50,51,52.
00000040 00 0A 23 38 38 38 37 36 38 2C 65 6E ..#888768,enll..

Tried many different colour hexes but only a few work like:
#FFFFFF, #33FFFF, #3333FF, #33FF33, #E53333, ect...

I will look into webscarab and paros, thanks for letting me know.
violence_action
Newbie..
Newbie..
 
Posts: 10
Joined: Fri Jan 21, 2011 6:53 pm

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Mon Jan 24, 2011 2:38 am

uhm very strange, none of the intercepting proxys work on it. i have no explanation for that. even tamper data is not working (firefox addon).
only things that do work, are WPE pro and commview.
my only guess is that it is because this chat does not send full packets, just a small packet (piece of data) and thats it. or i have no clue in this matter, but i will find out whats happening.

and yes, now i did saw the color too.
you can make the changing name, by using WPE pro. record a name change, right click the packet and "add into send list", do that as many times as you want.
then in the send list, simply modify the packet and change your name in there, then select them all and send. WPE pro will send packets in the order they are in the send list.
so if first packet contains name "1" and last one contains "9", then it goes from 1 to 9, making your name change 1 2 3 4 ...
i tested and it works.

i have found something interesting from one of the packets.

Code: Select all
var tinychat = function () {
var flashvars = { roomVar: tinychat.room, embedMode: "true", pageVar: window.location, pageVarSuper: tinychat.urlsuper, askJoin: tinychat.join, nickVar: tinychat.nick, noOper: tinychat.oper, noOwner: tinychat.owner, nickChange: tinychat.change, loginVar: tinychat.login, bcastVar: tinychat.bcast, apiVar: tinychat.api, autoop: tinychat.autoop, colorVar: tinychat.colorbk, fbautoVar: tinychat.fbauto, noguestVar: tinychat.noguest, topicVar: tinychat.topic, extDomain: document.domain, logoVar: tinychat.logo, proSiteVar: tinychat.site, keyVar: tinychat.key, vidVar: tinychat.tcdisplay, langVar: tinychat.langdefault, playMode: tinychat.play };
    var params = { quality: "high", scale: "noscale", allowFullScreen: "true", wmode: "transparent", allowScriptAccess: "always", menu: "false", salign: "t" };
    var attributes = { id: "tinyembed", align: "top", width: "100%", height: "100%" };
    if (/Firefox[\/\s](\d+\.\d+)/.test(navigator.userAgent)){


i think it is what i think it is, all available functions of tinychat. im not yet sure how to use them, but im sure these have something to do with being able to have admin/mod rights.
for example the one "tinychat.noguest" cought my eye. like the "tinychat.nick" seem to be a command, for example "nick" is the command that changes nick, if you look at the packets when changing your name.
or like "tinychat.colorbk" should be background color, again i dont know how to change any of this. it also might be just a client sided source of the chat, but if you are able to change client, it means you can send modified packets without actually modifying them.
like if you change your default color to something else, using firebug.
dont take this too seriously, because it is just a tought, i never confirmed any of this.
doesnt matter what it is, nick definetly is a command and can be used in a packet.


another thing you can use to capture packets and modify them, is proxocket (check my wiki for tutorials and such)
i used proxocket to capture the whole sequance. once you find something good, you can make permanent filters using proxocket.


do you have msn or something ? pm it to me, so we can test sometime.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby violence_action » Wed Jan 26, 2011 2:10 am

Can't believe how much you know about this stuff, you clearly know what you're talking about unlike me.

If i ever can return the favour, much obliged sir. Pm sent.
violence_action
Newbie..
Newbie..
 
Posts: 10
Joined: Fri Jan 21, 2011 6:53 pm

Re: Tⓘnychat exploits and hacks

Postby Curator » Sun Feb 06, 2011 10:23 pm

Hello, I'm looking for people interested in researching Tinychat for further exploits. The name and color manipulation is definitely interesting, but Tinychat as a whole is a total piece of shit. It's the most used free Flash-based live stream chat around at the moment, and there are many more exploits waiting to be discovered, from Flash-based flaws to network security issues. It should be very possible to see the IPs of users, and more. I found a few very interesting things myself, but a lot more research needs to be done.

If you're interested in working on this, please send me a PM, and we can exchange MSNs or whatever.

Thanks.
Curator
Newbie..
Newbie..
 
Posts: 1
Joined: Sun Feb 06, 2011 10:18 pm

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Mon Feb 07, 2011 12:04 am

how about posting what you have found so far ? try keeping new discoverys on forum, if ppl come up with good exploits, i might just write wiki article of tinychat exploiting.
as about msn, check your PM
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby violence_action » Fri Feb 11, 2011 12:10 am

Looks like this guy is changing the name of the room into the target room using firebug, whilst running his own code.

http://www.youtube.com/watch?v=afRjKmfM ... re=related
violence_action
Newbie..
Newbie..
 
Posts: 10
Joined: Fri Jan 21, 2011 6:53 pm

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Fri Feb 11, 2011 9:53 pm

i cant bother with video, some lame music and shit quality.
but firebug can come in handy yes, i need live testing as i said before, but it seems like no1 is up for it. live testing is only possible if somebody wants to do this with me over msn.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby Hyflex » Mon Feb 14, 2011 3:56 am

Sethioz wrote:i cant bother with video, some lame music and shit quality.
but firebug can come in handy yes, i need live testing as i said before, but it seems like no1 is up for it. live testing is only possible if somebody wants to do this with me over msn.


I've tried using webdevloper and also tried to play with headers but can't do anything
Hyflex
Newbie..
Newbie..
 
Posts: 1
Joined: Wed Feb 09, 2011 4:31 am

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Mon Feb 14, 2011 9:25 am

what webdeveloper ?
try firebug, its the best thing there is. i used firebug in some of the missions of hackthissite
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby notthurnow » Fri Feb 18, 2011 5:22 pm

i am running the embedded code on my own server... i've tried editing the flash script with firebug but I can't seem to get the auto-op function to work.. it seems like it's running some kind of checksum verification.. can anyone tune in on this?
Code: Select all
<html>
<head></head>
<body>
<object data="http://tinychat.com/tinychat.swf" id="tinyembed" type="application/x-shockwave-flash" width="100%" align="top" height="730"><param value="high" name="quality"><param value="noscale" name="scale"><param value="true" name="allowFullScreen"><param value="true" name="menu"><param value="t" name="salign"><param value="roomVar=WHATEVEROOM&amp;embedMode=true&amp;pageVar=http://tinychat.com/temproom&amp;askJoin=auto&amp;nickVar=NEWMOD&amp;apiVar=list&amp;autoop=NEWMOD&amp;estDomain=tinychat.com" name="flashvars"></object>
</body>
</html>
(sorry about spacing, for some reason enter's not working properly for me here.). From my understanding the pageVar= should be the room i'm actually a moderator in, and the auto-op should be my already existing, what i believe to be, md2 checksum. The roomVar is for the room you're trying to terrorize. When I join the room I don't ever get mod powers, can someone help out a bit here? You'll have to sign in an account and test on your own room so that you have that unique autoop checksum or whatever it is.
notthurnow
Newbie..
Newbie..
 
Posts: 1
Joined: Fri Feb 18, 2011 5:10 pm

Re: Tⓘnychat exploits and hacks

Postby Sethioz » Sat Feb 19, 2011 3:07 pm

as you said AutoOp changed, so it must be something like user id. however there is UID (user identification) seperate, but AutoOp is more like an administartor / moderator rights id. in any case, server generates it randomly. when it expires, gets deleted ..etc then server gives you new one. for example look into URL of my forum (when you are right here).
you will see "&sid=" at end and then long number. thats the session id.
i assume autoop is something similar. i dont think it can be seen at all.
just like on my forum, you can steal my cookie and gain access to my account, but you wont be able to change password or any settings that require password. its same behind that autoop. im sure there is a way to steal it.
we can talk in msn about it and test it out, how it works.
User avatar
Sethioz
Admin
Admin
 
Posts: 4757
Joined: Fri Jul 27, 2007 5:11 pm
Location: unknown

Re: Tⓘnychat exploits and hacks

Postby asadnow2k » Sat Apr 09, 2011 5:02 am

i found this website.. if any one having this tool, kindly share with us!

http://tinychathack.info/

TinyChat Hack v3.1 is now available!
Features:
1-Flood room's with over 200 bot's.
2-Close down user's from broadcasting.
3-Track user ip address.
4-Join room's even if there's password.
5-Ban user's from the room.
6-Spam bot
7-Room lagg
8-Your username will have a star in the room like you are moderator of all the channels(you can enable and disable it).
9-Hide your username in the room , you can chat but they can't see your name on the list room.
10- Free update.


If you don't like it you can cancel your payment (you have 3 day's).
asadnow2k
Newbie..
Newbie..
 
Posts: 1
Joined: Sat Apr 02, 2011 2:06 pm

Next

Return to PC / Website / Console / Others > Hacking / Cracking / Exploits / Research

Who is online

Users browsing this forum: No registered users and 2 guests

cron