how is the font crash anything like the <!-- exploit, besides the fact that it uses html? maybe you misunderstood, after you overload the font buffer aim uses, sending a horizontal line will crash the client...

On Sun, 7 Oct 2001 16:12:11 +1300, VeNoMouS wrote:

i don't think you're very clued on anything here my friend,

> 1) Font Crash: windows aim stores recent font
> names for instant messages, and i found that by
> sending a lot of different fonts causes aim to pop up
> with a font error, and after messing around i
> discovered that lines "<HR>" crash the client (and in
> some cases the OS) after the error has popped up,
> making for a neat little crash if you send a few
> hundred fonts with a horizontal line tacked on the end
> =)

this here sounds like the dos we have been talking about except it's just <-- it's a bof just like the line below

> 2) File Crash: i'm not quite sure why this crashes the
> client, but if you send a file with a very large filename,
> the client crashes, and just closes on any nt based
> OS

well obviously they are copying the filename to an array which is only a certain size, it's a simple out of bounds overflow

----- Original Message -----
From: Robbie Saunders <ihostat_private>
To: <vuln-devat_private>
Sent: Sunday, October 07, 2001 8:07 AM
Subject: AIM Exploits

> as a starter i'd like to correct some information about
> the comment crash, the reason you can't paste it is
> because it crashes the client, not because it's too
> big... if it was too big you wouldn't be able to send it
> an im. and it's been on aim filter and used by your
> average aim user since early august
>
> the following exploits were found and implemented by
> Robbie Saunders, although i believe the file crash
> was used before me by `CodeDreamer`
>
> 3 other exploits:
> 1) Font Crash: windows aim stores recent font
> names for instant messages, and i found that by
> sending a lot of different fonts causes aim to pop up
> with a font error, and after messing around i
> discovered that lines "<HR>" crash the client (and in
> some cases the OS) after the error has popped up,
> making for a neat little crash if you send a few
> hundred fonts with a horizontal line tacked on the end
> =)
>
> 2) File Crash: i'm not quite sure why this crashes the
> client, but if you send a file with a very large filename,
> the client crashes, and just closes on any nt based
> OS
>
> 3) Icon Crash: aim doesn't check incoming buddy
> icons to be under a certain height or width, so you
> can send an edited .gif file that may be 1k but claims
> to be very large (such as 10000x10000) and end up
> freezing the aim client for a large period of time, and
> on slow computers cause serious memory issues... i
> have tested with larger values (like 65kx65k) but it
> appears aim will pop up a memory buffer error
> instead of crashing... and apparently sending corrupt
> wav files will crash the client in the same manner
>
> If you're on windows you can use the software i
> created to exploit these bugs (AIM Filter), it can be
> found at http://www.ssnbc.com/wiz/ in software>aim
>
> aim filter is a local proxy that acts as both a server
> and client, meaning you can implement the
> crashes/features no matter what aim client you're on
> (and it's easy to use too, just type commands like
> aim.file.crash)

_______________________________________________________
http://inbox.excite.com
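The two input-handling defects discussed in the thread, the file-transfer name copied into a fixed-size array and the buddy icon whose declared dimensions are never checked against a limit, are the same class of bug: data from the peer is trusted for a size decision. The following C is an added example written for this archive page; it is not code from the thread, from AIM, or from AIM Filter. It shows the receiving side done defensively: a bounded filename copy that refuses anything that would not fit, and a check of the width and height a GIF declares in its logical screen descriptor (bytes 6 to 9, little-endian 16-bit each, which is the real GIF layout) before any decode buffer is allocated. The limits MAX_FILENAME_LEN, MAX_ICON_DIM and MAX_ICON_PIXELS, the function names, and the sample inputs are assumptions constructed for the example; the 10000x10000 claim mirrors the figure in the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits chosen for this example (assumptions, not values from the thread). */
#define MAX_FILENAME_LEN 255u          /* longest transfer filename we will store */
#define MAX_ICON_DIM     1024u         /* largest width or height we will decode */
#define MAX_ICON_PIXELS  (1024u * 1024u)

/* Fixed-size destination of the kind the thread says the client copies into.
 * The defect described is an unchecked copy; the fix is to measure first and
 * refuse anything that does not fit, instead of truncating or overrunning.
 * Returns 0 on success, -1 when the name is rejected. */
int accept_filename(char *dst, size_t dstsz, const char *src, size_t srclen) {
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    if (srclen > MAX_FILENAME_LEN || srclen >= dstsz) return -1; /* would overflow */
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Read the width/height a GIF claims in its logical screen descriptor
 * (bytes 6..9, little-endian u16 each) and decide before allocating.
 * A 1 KB file can claim 10000x10000; the declared size, not the file size,
 * drives memory use, so the declared size is what must be bounded.
 * Returns 1 if the icon may be decoded, 0 if it must be rejected. */
int icon_dimensions_ok(const uint8_t *buf, size_t len, unsigned *w_out, unsigned *h_out) {
    if (buf == NULL || len < 10) return 0;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return 0;
    unsigned w = buf[6] | ((unsigned)buf[7] << 8);
    unsigned h = buf[8] | ((unsigned)buf[9] << 8);
    if (w == 0 || h == 0) return 0;
    if (w > MAX_ICON_DIM || h > MAX_ICON_DIM) return 0;
    if ((uint64_t)w * h > MAX_ICON_PIXELS) return 0;   /* guard the product too */
    if (w_out) *w_out = w;
    if (h_out) *h_out = h;
    return 1;
}

/* Constructed sample: a ten-byte GIF header claiming 10000x10000 (0x2710). */
int sample_oversized_icon_rejected(void) {
    const uint8_t hdr[10] = {'G','I','F','8','9','a', 0x10,0x27, 0x10,0x27};
    return icon_dimensions_ok(hdr, sizeof hdr, NULL, NULL) == 0;
}

/* Constructed sample: a plausible 48x48 icon header is accepted. */
int sample_normal_icon_accepted(void) {
    const uint8_t hdr[10] = {'G','I','F','8','9','a', 48,0, 48,0};
    unsigned w = 0, h = 0;
    return icon_dimensions_ok(hdr, sizeof hdr, &w, &h) == 1 && w == 48 && h == 48;
}

/* Constructed sample: a 300-byte filename offered to a 64-byte array. */
int sample_long_filename_rejected(void) {
    char name[64];
    char longname[301];
    memset(longname, 'A', 300);
    longname[300] = '\0';
    return accept_filename(name, sizeof name, longname, 300) == -1;
}

int main(void) {
    printf("oversized icon rejected: %d\n", sample_oversized_icon_rejected());
    printf("normal icon accepted:    %d\n", sample_normal_icon_accepted());
    printf("long filename rejected:  %d\n", sample_long_filename_rejected());
    return 0;
}
```

The point of checking the product of width and height as well as each dimension is that two individually acceptable values can still multiply to an allocation the client cannot afford; the thread's 65kx65k observation (a "memory buffer error" rather than a hang) is consistent with a limit that exists only on the allocation, not on the declared dimensions.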
This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 10:49:34 PDT