Bugtraq mailing list archives

RE: AIM Exploits


From: "Nate Pinchot" <npinchot () ccservice cc>
Date: Mon, 8 Oct 2001 10:12:48 -0400

If you're on windows you can use the software I 
created to exploit these bugs (AIM Filter), it can be 
found at http://www.ssnbc.com/wiz/ in software>aim

aim filter is a local proxy that acts as both a server 
and client, meaning you can implement the 
crashes/features no matter what aim client you're on 
(and it's easy to use too, just type commands like 
aim.file.crash)

After examining the source code a little bit (for version 111, source
for the current version 113 is not available) I found that this program
contains some things which can be "done" to the end user running this
program. From what I have examined thus far I can only see 2 things
which can be "done" to the end user of this program. The first is, if
you send a message containing the text "aim.query.user" the program will
send a message back to the user from which the message originated
containing the message:
"HELLO FRIEND, MY IP IS <end user's ip>, AND I AM A PEON ON BUILD 111."
The second is, if you send a message containing the text "aim.admin.dc"
the program will start 500 instances of windows calculator (calc.exe)
and then bring up a message box containing the text:
"DON'T MESS"

There is also one more block of code whose purpose I can't figure out,
since I know nothing about the aol/oscar protocol; maybe someone else
who does can take a look? It looks like this may perhaps be sending a
username and password to the screen name sobbieraunders? I don't know.
It should be noted that commenting out the SendPacket line which
sends information to the server breaks the login functionality.
Surprisingly, however, changing either of the Replace parameter texts
does not break the login functionality.

questionable code:
Sub ProcessData(Index As Integer, TheStuff As String)
Select Case Index
    Case 0 'login (client)
        ' swaps Chr(14) & "sobbieraunders" for Chr(15) & "sobbie raunders"
        ' in the client's login data before it is forwarded
        TheStuff = Replace(TheStuff, Chr(14) & "sobbieraunders", _
                           Chr(15) & "sobbie raunders")
        SendPacket 1, TheStuff, 1 'send to server
    ' (other Case branches not shown in the post)
End Select
End Sub

I see no real immediate harm from either of these "back doors" in this
program, but as I stated above, source code for the current version has
not been made available, and the third thing just looks like it does
something bad. Things like this are very common in exploit programs in
the aol community, and programs like this should not be trusted. Only
Robbie knows what kind of bad things can be done in version 113.

______________________________
Nate Pinchot
Corporate Computer Services
npinchot () ccservice cc <mailto:npinchot () ccservice cc> 

"we're only gonna die because of our own arrogance, that's why we might
as well take our time"
-bradley nowell
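As an added example (not part of the post above and not code from AIM Filter or its author), the VB6 Replace() from the quoted ProcessData() rewritten in Python so the substitution can be checked byte by byte. One reading of the rule, stated here as an assumption rather than something the post establishes: the byte in front of each name is a one-byte length prefix, the way OSCAR carries screen names, since Chr(14) equals len("sobbieraunders") and Chr(15) equals len("sobbie raunders"). Under that reading the rule only fires when that one screen name is present in the login data, which would fit the observation that changing the Replace strings does not break other users' logins, and every match grows the data by one byte, so any enclosing length field (the constructed FLAP-style wrapper below is an assumption, not a captured frame) is left wrong unless the proxy recomputes it. The sample buffer is constructed for the example.

```python
"""Added example, not code from the original post or from AIM Filter.

Re-implements the VB6 Replace() from the quoted ProcessData() so the rewrite
can be examined on bytes. Assumption (not stated on the page): the byte in
front of each name is a one-byte length prefix, as OSCAR encodes screen names;
Chr(14) == len("sobbieraunders") and Chr(15) == len("sobbie raunders").
"""
import struct

OLD = bytes([14]) + b"sobbieraunders"   # Chr(14) & "sobbieraunders"
NEW = bytes([15]) + b"sobbie raunders"  # Chr(15) & "sobbie raunders"


def is_length_prefixed(field: bytes) -> bool:
    """True when the first byte equals the number of bytes that follow it."""
    return len(field) > 0 and field[0] == len(field) - 1


def rewrite_login(data: bytes, old: bytes = OLD, new: bytes = NEW) -> bytes:
    """The same substitution ProcessData applies to the client's login data."""
    return data.replace(old, new)


def frame(data: bytes) -> bytes:
    """Constructed FLAP-style wrapper: 0x2A, channel, sequence, 2-byte length.

    Assumption for illustration only; not a frame captured from AIM."""
    return struct.pack(">BBHH", 0x2A, 1, 0x1234, len(data)) + data


def frame_length_ok(frame_bytes: bytes) -> bool:
    """Does the wrapper's declared payload length still match the payload?"""
    declared = struct.unpack(">H", frame_bytes[4:6])[0]
    return declared == len(frame_bytes) - 6


def audit(data: bytes) -> dict:
    """Summarise what the rule does to one buffer."""
    out = rewrite_login(data)
    return {
        "old_is_length_prefixed": is_length_prefixed(OLD),
        "new_is_length_prefixed": is_length_prefixed(NEW),
        "matched": out != data,
        "growth": len(out) - len(data),
    }


if __name__ == "__main__":
    # Constructed sample: a length-prefixed name field followed by an
    # unrelated length-prefixed field. Not a captured packet.
    sample = b"\x00\x01" + OLD + b"\x00\x02" + bytes([6]) + b"secret"
    print(audit(sample))
    wrapped = frame(sample)
    rewritten = wrapped[:6] + rewrite_login(wrapped[6:])
    print("outer length still valid after rewrite:", frame_length_ok(rewritten))
```

Running it shows both Replace arguments satisfy the length-prefix check, the sample grows by exactly one byte, and a wrapper whose length field is not recomputed no longer describes its payload; a buffer without the name passes through unchanged, which is what the post observed when it changed the Replace strings.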

