Tinychat is a sweet site that allows for simple chat, video conferencing, and screencasting. In this post, I'll detail how to hijack Tinychat screencasts by injecting images of your own.
Hrm, so it looks like the screencasting applet POSTs to "http://tinychat.com/sc". One would assume that the applet posts some sort of image data to that URL to update the broadcast "capturefps" times per second. There are also a number of parameters that are likely relevant to the /sc POST. Most suspicious are the username/userid attributes. Are these values authenticated or can anyone post screencast updates using the identity of another user? As we'll see, it is the latter.
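The server-side check that is missing here, as an added example (not Tinychat's code or the code from this post): the handler accepts a frame only when it carries a token the server issued for that userid. The `token` and `room` field names, the HMAC scheme and the sample ids are assumptions; `username`, `userid` and `screenshot` are the fields named in the post.

```python
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 300                       # seconds a broadcast token stays valid


def _mac(userid, room, expires):
    # JSON-encode the fields so "a|b" style values cannot shift field boundaries.
    msg = json.dumps([userid, room, expires]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(userid, room, now=None):
    """Handed to the logged-in broadcaster by the server; binds userid and room to an expiry."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_mac(userid, room, expires)}"


def accept_update_naive(form):
    """The behaviour the post describes: identity fields are taken at face value."""
    return all(k in form for k in ("username", "userid", "screenshot"))


def accept_update_checked(form, now=None):
    """Accept a frame only when the token proves the server issued it for this userid and room."""
    now = time.time() if now is None else now
    try:
        expires_s, mac = form["token"].split(".", 1)
        expires = int(expires_s)
        expected = _mac(form["userid"], form["room"], expires)
    except (KeyError, ValueError, AttributeError, TypeError):
        return False
    fresh = now < expires
    return hmac.compare_digest(mac.encode(), expected.encode()) and fresh and "screenshot" in form


if __name__ == "__main__":
    # Constructed sample requests; names and ids are made up.
    frame = {"username": "alice", "userid": "1001", "room": "demo", "screenshot": b"\xff\xd8"}
    print("no token, naive:  ", accept_update_naive(frame))
    print("no token, checked:", accept_update_checked(frame))
    print("own token:        ", accept_update_checked({**frame, "token": issue_token("1001", "demo")}))
    print("other user's token:", accept_update_checked({**frame, "token": issue_token("2002", "demo")}))
```
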
If we yank down the ScreenCap.jar and disassemble CaptureArea.class, we gain more insight into the POST process:
The disassembly lists a number of the attributes already listed in the <param> fields and also the correct parameter name ("screenshot") and filename ("screenshot.jpg") for the JPG image data that we must send in a multipart/form-data POST to the /sc URI. So I whipped up some quick Python to continually POST an image of my choosing (my cat) to the Metasploit Tinychat room under mubix's username:
What resulted was a successful hijack of the Tinychat screencast! Thankfully Sly was taking a screencast of the Tinychat screencast and later posted the video on YouTube. Here's a screenshot of the YouTube video of the screencast of the screencast (head explodes!) showing the cat image injection in action: