RE: AIM Exploits

From: Nate Pinchot (npinchotat_private)
Date: Mon Oct 08 2001 - 07:12:48 PDT


    >If you're on windows you can use the software i 
    >created to exploit these bugs (AIM Filter), it can be 
    >found at http://www.ssnbc.com/wiz/ in software>aim
    
    >aim filter is a local proxy that acts as both a server 
    >and client, meaning you can implement the 
    >crashes/features no matter what aim client you're on 
    >(and it's easy to use too, just type commands like 
    >aim.file.crash)
    
    After examining the source code a little bit (for version 111, source
    for the current version 113 is not available) I found that this program
    contains some things which can be "done" to the end user running this
    program. From what I have examined thus far I can only see 2 things
    which can be "done" to the end user of this program. The first is, if
    you send a message containing the text "aim.query.user" the program will
    send a message back to the user from which the message originated
    containing the message:
    "HELLO FRIEND, MY IP IS <end user's ip>, AND I AM A PEON ON BUILD 111."
    The second is, if you send a message containing the text "aim.admin.dc"
    the program will start 500 instances of windows calculator (calc.exe)
    and then bring up a message box containing the text:
    "DON'T MESS"
    
    There is also 1 more block of code which I can't figure out what it does
    since I know nothing about the aol/oscar protocol, maybe someone else
    who does can take a look? It looks like this may perhaps be sending a
    username and password to the screen name sobbieraunders? I don't know.
    It should be noted that commenting out the SendPacket line which
    sends information to the server breaks the login functionality.
    Surprisingly, however, changing either of the Replace parameter texts
    does not break the login functionality.
    
    questionable code:
    Sub ProcessData(Index As Integer, TheStuff As String)
    Select Case Index
        Case 0 'login (client)
            ' VB6 needs " _" to continue a statement onto the next line
            TheStuff = Replace(TheStuff, Chr(14) & "sobbieraunders", _
                               Chr(15) & "sobbie raunders")
            SendPacket 1, TheStuff, 1 'send to server
        ' remaining cases are not quoted in the post
    End Select
    End Sub
    
    I see no real immediate harm from either of these "back doors" in this
    program, but as I stated above, source code for the current version has
    not been made available and the third thing just looks like it does
    something bad. Things like this are very common to exploit programs in
    the aol community and programs like this should not be trusted. Only
    Robbie knows what kind of bad things can be done in version 113.
    
    ______________________________
    Nate Pinchot
    Corporate Computer Services
    npinchotat_private <mailto:npinchotat_private> 
    
    "we're only gonna die because of our own arrogance, that's why we might
    as well take our time"
    -bradley nowell
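An added example, written here for illustration and not code from the post or from AIM Filter: a small Python model of the two behaviours Nate describes, from the analyst's side. It flags inbound messages carrying the two trigger strings, and it reproduces the byte substitution from ProcessData so you can see exactly which login packets it touches. One assumption, labelled in the code, is that the Chr(14)/Chr(15) bytes act as the low byte of a length prefix, since len("sobbieraunders") is 14 and len("sobbie raunders") is 15; the post does not confirm that reading, and the sample packets and messages are constructed.

```python
"""
Added example (not from the original post or from AIM Filter).

Assumptions:
  * Chr(14)/Chr(15) are read as the low byte of a length prefix in
    front of a screen-name field; this is an inference from the
    string lengths, not something the post establishes.
  * Trigger detection is a plain substring test, as a VB Replace or
    InStr would do; the real program's case handling is unknown.
"""

# The two remote triggers Nate found in the version 111 source.
TRIGGERS = {
    "aim.query.user": "replies with the local IP address and build number",
    "aim.admin.dc": "launches 500 calc.exe instances and shows a message box",
}

SUSPECT_NAME = b"sobbieraunders"      # 14 bytes -> matches Chr(14)
REWRITTEN_NAME = b"sobbie raunders"   # 15 bytes -> matches Chr(15)


def find_triggers(message: str) -> list[str]:
    """Return the trigger commands present in an inbound message.

    A filter sitting in front of the proxy could drop or log any
    message for which this list is non-empty.
    """
    return [cmd for cmd in TRIGGERS if cmd in message]


def describe_triggers(message: str) -> list[str]:
    """Human-readable account of what each found trigger would do."""
    return [f"{cmd}: {TRIGGERS[cmd]}" for cmd in find_triggers(message)]


def rewrite_login(packet: bytes) -> bytes:
    """Apply the same substitution as the Replace call in ProcessData.

    Chr(14) & "sobbieraunders"  ->  Chr(15) & "sobbie raunders"
    """
    old = bytes([len(SUSPECT_NAME)]) + SUSPECT_NAME
    new = bytes([len(REWRITTEN_NAME)]) + REWRITTEN_NAME
    return packet.replace(old, new)


def length_prefixed(name: bytes) -> bytes:
    """Constructed, simplified screen-name field: 16-bit big-endian
    length followed by the name (assumption: this is the layout the
    Replace pattern is keyed to)."""
    return len(name).to_bytes(2, "big") + name


def login_is_modified(screen_name: bytes) -> bool:
    """True if the proxy's Replace would alter a login for this name."""
    packet = b"\x2a" + length_prefixed(screen_name)  # constructed sample
    return rewrite_login(packet) != packet


if __name__ == "__main__":
    # Constructed sample messages and logins.
    for msg in ("hey, what's up?", "aim.query.user", "try aim.admin.dc now"):
        print(repr(msg), "->", describe_triggers(msg) or "clean")
    for name in (b"alice", b"sobbieraunders"):
        print(name, "login modified:", login_is_modified(name))
```

The substitution only ever fires for one specific screen name, which matches Nate's observation that changing the Replace texts does not break ordinary logins: for everyone else the call is a no-op, and only the SendPacket that follows it matters.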
    



    This archive was generated by hypermail 2b30 : Mon Oct 08 2001 - 22:04:11 PDT