Because you're talking about sending a lot of font requests, which is basically <!-- if you think about it. Hell, it could be XXXXXX for all it cares; it's a BOF (buffer overflow) on its input by the looks of things.

----- Original Message -----
From: First Last <ihostat_private>
To: VeNoMouS <venomat_private>; <vuln-devat_private>
Sent: Sunday, October 07, 2001 5:13 PM
Subject: Re: AIM Exploits

> How is the font crash anything like the <!-- exploit, besides the fact that
> it uses HTML? Maybe you misunderstood: after you overload the font buffer
> AIM uses, sending a horizontal line will crash the client...
>
> On Sun, 7 Oct 2001 16:12:11 +1300, VeNoMouS wrote:
> > I don't think you're very clued on anything here, my friend.
> >
> > > 1) Font Crash: Windows AIM stores recent font
> > > names for instant messages, and I found that
> > > sending a lot of different fonts causes AIM to pop up
> > > with a font error, and after messing around I
> > > discovered that lines "<HR>" crash the client (and in
> > > some cases the OS) after the error has popped up,
> > > making for a neat little crash if you send a few
> > > hundred fonts with a horizontal line tacked on the end
> > > =)
> >
> > This here sounds like the DoS we have been talking about, except it's just
> > <-- ; it's a BOF just like the one below.
> >
> > > 2) File Crash: I'm not quite sure why this crashes the
> > > client, but if you send a file with a very large filename,
> > > the client crashes and just closes on any NT-based
> > > OS.
> >
> > Well, obviously they are copying the filename to an array which is only a
> > certain size; it's a simple out-of-bounds overflow.
> >
> ----- Original Message -----
> From: Robbie Saunders <ihostat_private>
> To: <vuln-devat_private>
> Sent: Sunday, October 07, 2001 8:07 AM
> Subject: AIM Exploits
>
> > > As a starter I'd like to correct some information about
> > > the comment crash: the reason you can't paste it is
> > > because it crashes the client, not because it's too
> > > big... if it was too big you wouldn't be able to send it
> > > in an IM. And it's been on AIM Filter and used by your
> > > average AIM user since early August.
> > >
> > > The following exploits were found and implemented by
> > > Robbie Saunders, although I believe the file crash
> > > was used before me by `CodeDreamer`.
> > >
> > > 3 other exploits:
> > > 1) Font Crash: Windows AIM stores recent font
> > > names for instant messages, and I found that
> > > sending a lot of different fonts causes AIM to pop up
> > > with a font error, and after messing around I
> > > discovered that lines "<HR>" crash the client (and in
> > > some cases the OS) after the error has popped up,
> > > making for a neat little crash if you send a few
> > > hundred fonts with a horizontal line tacked on the end
> > > =)
> > >
> > > 2) File Crash: I'm not quite sure why this crashes the
> > > client, but if you send a file with a very large filename,
> > > the client crashes and just closes on any NT-based
> > > OS.
> > >
> > > 3) Icon Crash: AIM doesn't check incoming buddy
> > > icons to be under a certain height or width, so you
> > > can send an edited .gif file that may be 1k but claims
> > > to be very large (such as 10000x10000) and end up
> > > freezing the AIM client for a large period of time, and
> > > on slow computers cause serious memory issues... I
> > > have tested with larger values (like 65kx65k) but it
> > > appears AIM will pop up a memory buffer error
> > > instead of crashing... and apparently sending corrupt
> > > .wav files will crash the client in the same manner.
> > >
> > > If you're on Windows you can use the software I
> > > created to exploit these bugs (AIM Filter); it can be
> > > found at http://www.ssnbc.com/wiz/ in software>aim.
> > >
> > > AIM Filter is a local proxy that acts as both a server
> > > and client, meaning you can implement the
> > > crashes/features no matter what AIM client you're on
> > > (and it's easy to use too, just type commands like
> > > aim.file.crash).
> > >
>
> _______________________________________________________
> http://inbox.excite.com
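Robbie's icon crash (a 1k .gif that claims 10000x10000) is a decoder trusting the dimensions in the file header and sizing its canvas from them. The following is an added example, not AIM's code and not from anyone in the thread: it reads the logical screen width and height a GIF header claims (16-bit little-endian values at file offsets 6..9, which is the real GIF87a/GIF89a layout), shows how large a canvas the naive path would reserve for it, and beside that a check that rejects the icon before anything is allocated. The limits MAX_ICON_DIM and MAX_ICON_PIXELS and the sample headers are assumptions constructed for the example.

```c
/*
 * Added example (not AIM's code): validate a GIF's claimed dimensions before
 * allocating for them. A tiny file can claim up to 65535x65535, so the
 * decoder's memory use must not be driven by the header alone.
 * MAX_ICON_DIM / MAX_ICON_PIXELS are assumed budgets for a buddy-icon sized
 * consumer; a real client would pick its own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GIF_HEADER_LEN   13u              /* signature(6) + logical screen descriptor(7) */
#define MAX_ICON_DIM     1024u            /* assumption: largest acceptable side */
#define MAX_ICON_PIXELS  (256u * 256u)    /* assumption: pixel budget per icon */

enum icon_result { ICON_OK = 0, ICON_TRUNCATED, ICON_BAD_MAGIC, ICON_TOO_BIG };

/* Read the claimed logical-screen size from a GIF87a/GIF89a header. */
static enum icon_result gif_claimed_dims(const uint8_t *buf, size_t len,
                                         unsigned *w, unsigned *h)
{
    if (len < GIF_HEADER_LEN)
        return ICON_TRUNCATED;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return ICON_BAD_MAGIC;
    *w = buf[6] | ((unsigned)buf[7] << 8);   /* little-endian width  */
    *h = buf[8] | ((unsigned)buf[9] << 8);   /* little-endian height */
    return ICON_OK;
}

/* Naive path: trust the header and size a 32-bpp canvas from it.
 * Returns the byte count such a decoder would try to reserve. */
size_t naive_canvas_bytes(const uint8_t *buf, size_t len)
{
    unsigned w, h;
    if (gif_claimed_dims(buf, len, &w, &h) != ICON_OK)
        return 0;
    return (size_t)w * h * 4u;               /* 10000x10000 -> 400 MB for a 1 KB file */
}

/* Hardened path: refuse the icon when its claimed geometry exceeds the
 * budget, before any canvas is allocated. */
enum icon_result check_icon_dims(const uint8_t *buf, size_t len)
{
    unsigned w, h;
    enum icon_result r = gif_claimed_dims(buf, len, &w, &h);
    if (r != ICON_OK)
        return r;
    if (w == 0 || h == 0 || w > MAX_ICON_DIM || h > MAX_ICON_DIM)
        return ICON_TOO_BIG;                 /* per-side cap */
    /* 64-bit product so the pixel-budget test cannot wrap if the caps are raised. */
    if ((uint64_t)w * h > MAX_ICON_PIXELS)
        return ICON_TOO_BIG;                 /* total-pixel cap */
    return ICON_OK;
}

/* Constructed header (not a real file): GIF89a signature plus a logical
 * screen descriptor claiming w x h. */
static void put_gif_header(uint8_t *out, unsigned w, unsigned h)
{
    memcpy(out, "GIF89a", 6);
    out[6] = w & 0xff; out[7] = (w >> 8) & 0xff;
    out[8] = h & 0xff; out[9] = (h >> 8) & 0xff;
    out[10] = 0xf7; out[11] = 0; out[12] = 0;    /* packed flags, bg index, aspect */
}

/* Build a file_len-byte constructed GIF claiming w x h and run the naive path. */
size_t naive_canvas_bytes_for(unsigned w, unsigned h, size_t file_len)
{
    uint8_t file[1024] = {0};
    if (file_len > sizeof file) file_len = sizeof file;
    put_gif_header(file, w, h);
    return naive_canvas_bytes(file, file_len);
}

/* Same constructed file, run through the hardened check. */
enum icon_result check_claimed_icon(unsigned w, unsigned h, size_t file_len)
{
    uint8_t file[1024] = {0};
    if (file_len > sizeof file) file_len = sizeof file;
    put_gif_header(file, w, h);
    return check_icon_dims(file, file_len);
}

int main(void)
{
    printf("48x48 icon:     naive canvas %zu bytes, check=%d\n",
           naive_canvas_bytes_for(48, 48, 1024), (int)check_claimed_icon(48, 48, 1024));
    printf("10000x10000:    naive canvas %zu bytes, check=%d\n",
           naive_canvas_bytes_for(10000, 10000, 1024), (int)check_claimed_icon(10000, 10000, 1024));
    return 0;
}
```

The point of the second cap is that a per-side limit alone still lets a 1000x1000 header through; the pixel budget is what bounds the allocation, and both are checked with the claimed values only, so the file's actual size never matters to the decision.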
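VeNoMouS's reading of the file crash is that the client copies a peer-supplied filename into a fixed-size array, so a long name runs off the end. As an added example (not AIM's code, and not from anyone in the thread), here is that shape beside a bounded parser that checks the length against both the message and the destination before copying. The framing, a 16-bit big-endian name length followed by the name bytes, and the 64-byte buffer are assumptions for illustration, not the real AIM file-transfer format.

```c
/*
 * Added example (not AIM's code): a peer-controlled filename length driving
 * a copy into a fixed array, and the bounded version of the same parse.
 * Message framing (2-byte big-endian length + name bytes) and NAME_MAX_LEN
 * are assumptions for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64u   /* assumption: the client's fixed filename buffer */

struct transfer_req {
    char name[NAME_MAX_LEN];
    uint32_t size;
};

/* Vulnerable shape: the length field from the peer is trusted and drives the
 * copy. A name longer than NAME_MAX_LEN-1 writes past req->name, the
 * out-of-bounds overflow the thread describes. That is undefined behaviour,
 * so this function is only ever called here with a benign message. */
void parse_request_vulnerable(struct transfer_req *req,
                              const uint8_t *msg, size_t msg_len)
{
    size_t name_len = ((size_t)msg[0] << 8) | msg[1];
    memcpy(req->name, msg + 2, name_len);    /* no bound against sizeof req->name */
    req->name[name_len] = '\0';
    (void)msg_len;                           /* never consulted */
}

/* Hardened: validate the length against the destination and against the
 * bytes actually received before any copy. Reject rather than truncate so
 * an over-long name cannot be silently turned into a different name. */
int parse_request_safe(struct transfer_req *req,
                       const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2)
        return -1;                           /* no length field */
    size_t name_len = ((size_t)msg[0] << 8) | msg[1];
    if (name_len == 0 || name_len > NAME_MAX_LEN - 1)
        return -1;                           /* would not fit with the NUL */
    if (msg_len - 2 < name_len)
        return -1;                           /* length field claims more than was sent */
    memcpy(req->name, msg + 2, name_len);
    req->name[name_len] = '\0';
    return 0;
}

/* Constructed request: a 2-byte length claiming `claimed` bytes, followed by
 * `actual` bytes of `fill`. claimed == actual gives a well-formed message. */
size_t build_request(uint8_t *out, size_t out_cap,
                     size_t claimed, size_t actual, char fill)
{
    if (claimed > 0xffff || out_cap < actual + 2)
        return 0;
    out[0] = (uint8_t)(claimed >> 8);
    out[1] = (uint8_t)(claimed & 0xff);
    memset(out + 2, fill, actual);
    return actual + 2;
}

/* Run the hardened parser on a well-formed request with an n-byte name. */
int safe_parse_result(size_t n)
{
    uint8_t msg[1024];
    struct transfer_req req;
    size_t len = build_request(msg, sizeof msg, n, n, 'A');
    if (len == 0) return -2;
    return parse_request_safe(&req, msg, len);
}

/* Run it on a request whose length field lies about how many bytes follow. */
int safe_parse_lying_length(size_t claimed, size_t actual)
{
    uint8_t msg[1024];
    struct transfer_req req;
    size_t len = build_request(msg, sizeof msg, claimed, actual, 'A');
    if (len == 0) return -2;
    return parse_request_safe(&req, msg, len);
}

int main(void)
{
    uint8_t msg[1024];
    struct transfer_req req;
    size_t len = build_request(msg, sizeof msg, 8, 8, 'a');   /* benign: fits */
    parse_request_vulnerable(&req, msg, len);
    printf("vulnerable parser, 8-byte name: \"%s\"\n", req.name);
    printf("safe parser: 8 -> %d, 63 -> %d, 64 -> %d, 300 -> %d, lying(100,10) -> %d\n",
           safe_parse_result(8), safe_parse_result(63), safe_parse_result(64),
           safe_parse_result(300), safe_parse_lying_length(100, 10));
    return 0;
}
```

Two checks do the work: the destination bound (the name plus its terminator must fit the array) and the source bound (the length field must not exceed what was actually received, which is the other way a trusted length becomes an out-of-bounds read). The subtraction `msg_len - 2` is safe only because `msg_len < 2` was rejected first.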
This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 10:52:16 PDT