Re: Remote ICQ Sound Deactivation

From: Adam [wp-ckkl] (ckklat_private)
Date: Mon Jul 15 2002 - 15:54:38 PDT


    > >  It's possible to disable someone's ICQ sounds using this HTML code :
    > ><IFRAME src="blank.scm"></iframe>
    
    Some time ago I discovered the same thing about .scm files.
    I have even written a little proggie
    [http://www.sztolnia.pl/hack/neihoicq/prep.pas]
    that may be useful for people who want to test this little 'feature'
    prepared for users by IE and ICQ joined together.
    Generally, it is possible to save any file on a victim's
    hard disk using this 'exploit'. I tried my best to improve the idea
    and to use the mentioned 'feature' to become a little bit more nasty,
    but unfortunately couldn't force the .wav file to do anything but
    open Winamp zillions of times :)
    Here's my full explanation [commented now and updated] that
    I was about to put on a home page
    right after I discovered it [and still had a hope that I would be
    the one who would finally destroy the world :>]:
    ----------
    Sorry for my bad lingo, but it's late here :)
    
    neihoicq - the marriage of ICQ and IE makes it possible to read (comment:
    sorry dude, didn't work this time :|) local files (btw. neiho means hello
    in Cantonese =o) - this is just a word or two for my little, cute la femme
    Chinoise :)
    
    Synopsis
    There are ICQ files with the .scm extension (.scm stands for ICQ
    Sound Scheme). If used in a malicious way, they let others save
    (comment: should be read "local", if it had worked out :) files onto an ICQ
    user's machine, into a specific directory.
    
    Description
    When you want a new Sound Scheme, you may go, for example,
    to the ICQ home page and download one there. Apart from that,
    you may also save your own Sound Scheme directly from ICQ
    (click Main, click Preferences, click Alerts and Notifications,
    click Sounds) and later share it with others.
    
    Every .scm file is made of .wav sounds, and they're written in
    a very unique way. So unique that one may guess the structure
    of the .scm file in a second just by taking a look inside. They are
    made of a simple header [really trivial structure - read prep.pas
    for details] followed by raw .wav files, written one after another.
    
    The problem with .scm files is that they may be freely opened in
    IE [tested with 6.0]. There won't be any dialog box asking whether you
    want to open or save the file. IE will open the file, download it and
    then push it forward to ICQ [which must be running].
    ICQ will check the content of the .scm file and will eventually save
    all the extracted .wav files into a directory. This directory is known
    and is usually easy to predict. ICQ stores the files in
    
    "C:\Program Files\ICQ\Sounds\xyz\"
    
    where "xyz" is the name of the given .scm file (when loaded locally)
    or the name with an index, starting with [1], for example:
    
    "C:\Program Files\ICQ\Sounds\neihoicq[1]\"
    
    By creating an "enhanced" Sound Scheme we may write any file
    we want to the mentioned directory. However, things are not
    that easy, because there's one problem: these files are always
    saved with the names given by ICQ, not by us (ICQ's
    creators probably tried to avoid some malicious usage). Anyway,
    it is still possible to save any file we want there, and we still know
    the full path and the filename.
    There's a list of .wav file names that ICQ uses internally to play sounds.
    I won't list them here, but if you are curious, you already know where to search
    for them :) [I write auth.wav only]
    
    Files that may be helpful:
    - prep.pas - A little tool written in Pascal that helps creating your own
    .scm file
    http://www.sztolnia.pl/hack/neihoicq/prep.pas
    - neihoicq.scm - my dummy scm file
    http://www.sztolnia.pl/hack/neihoicq/neihoicq.scm
    
    Credits
    Menashe Eliezer from Finjan Software for his support
    
    Adam Blaszczyk
    [02-05-23] [en/pl] Home page/Domowa http://www.mykakee.com
    [02-06-06] [pl] Pirotechnika http://pyro.pieklo.org
    [02-04-27] [pl] Sztolnia, FAQ p.c.p. http://www.sztolnia.pl
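The post describes an .scm Sound Scheme as a small header followed by raw .wav files written one after another, and the "enhanced" scheme as one where a non-audio file is smuggled in where a .wav is expected. The following is an added example (not the poster's prep.pas and not ICQ's code) of how a defender could audit such a file before it reaches a client: it locates RIFF/WAVE containers by signature, checks that each one is internally consistent, and reports any bytes that are neither the leading header nor a well-formed .wav. The real .scm header layout is not given in the post, so the sample header bytes and the assumption that everything before the first RIFF signature is the scheme header are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Payload:
    offset: int
    length: int
    well_formed: bool


def make_wav(samples: bytes, rate: int = 8000) -> bytes:
    """Build a minimal 8-bit mono PCM .wav (constructed test input)."""
    fmt = struct.pack("<HHIIHH", 1, 1, rate, rate, 1, 8)  # PCM, mono, 8-bit
    fmt_chunk = b"fmt " + struct.pack("<I", len(fmt)) + fmt
    data_chunk = b"data" + struct.pack("<I", len(samples)) + samples
    body = b"WAVE" + fmt_chunk + data_chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def is_well_formed_wav(blob: bytes) -> bool:
    """True if blob is a self-consistent RIFF/WAVE file with fmt and data chunks."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return False
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    if riff_size + 8 != len(blob):  # size field must match the actual length
        return False
    pos, seen = 12, set()
    while pos < len(blob):
        if pos + 8 > len(blob):  # truncated chunk header
            return False
        chunk_id = blob[pos:pos + 4]
        chunk_size = struct.unpack_from("<I", blob, pos + 4)[0]
        pos += 8 + chunk_size + (chunk_size & 1)  # chunks are word-aligned
        if pos > len(blob):  # chunk claims more bytes than exist
            return False
        seen.add(chunk_id)
    return {b"fmt ", b"data"} <= seen


def find_riff_blobs(data: bytes) -> List[Tuple[int, int]]:
    """Locate RIFF containers by signature; each extent comes from its size field."""
    blobs, pos = [], 0
    while True:
        idx = data.find(b"RIFF", pos)
        if idx < 0 or idx + 8 > len(data):
            break
        size = struct.unpack_from("<I", data, idx + 4)[0]
        end = idx + 8 + size
        if end <= len(data):
            blobs.append((idx, end - idx))
            pos = end  # skip the whole container, including any "RIFF" text inside it
        else:
            pos = idx + 4  # bogus size field: keep scanning past this signature
    return blobs


def audit_scheme(data: bytes) -> Dict[str, object]:
    """Summarise a scheme file: header bytes, embedded .wav payloads, leftover bytes."""
    blobs = find_riff_blobs(data)
    payloads = [Payload(off, ln, is_well_formed_wav(data[off:off + ln])) for off, ln in blobs]
    # Assumption for this example: everything before the first RIFF signature is the scheme header.
    header_len = blobs[0][0] if blobs else len(data)
    covered = header_len + sum(ln for _, ln in blobs)
    unaccounted = len(data) - covered
    return {
        "header_bytes": header_len,
        "payloads": payloads,
        "unaccounted_bytes": unaccounted,
        "suspicious": unaccounted > 0 or any(not p.well_formed for p in payloads),
    }


# Constructed samples; the 8-byte header is a placeholder, not the real .scm layout.
SCHEME_HEADER = b"ICQSCM\x00\x02"
GOOD_SCHEME = SCHEME_HEADER + make_wav(b"\x80" * 16) + make_wav(b"\x7f" * 8)
# A RIFF/WAVE header wrapped around non-audio bytes (claims 12 body bytes, no chunks).
FAKE_WAV = b"RIFF" + struct.pack("<I", 12) + b"WAVE" + b"payload!"
# A tampered scheme: one real .wav, one fake .wav, then 32 bytes of a non-RIFF file.
BAD_SCHEME = SCHEME_HEADER + make_wav(b"\x80" * 16) + FAKE_WAV + b"MZ\x90\x00" + b"\x00" * 28


if __name__ == "__main__":
    for name, scheme in (("good", GOOD_SCHEME), ("bad", BAD_SCHEME)):
        print(name, audit_scheme(scheme))
```

Run against a real scheme, `audit_scheme` would flag two conditions the post relies on: an embedded blob that carries a RIFF signature but is not a coherent .wav, and trailing or interleaved bytes that belong to no .wav at all. Either is reason to reject the file before a client extracts it to a predictable path.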
    



    This archive was generated by hypermail 2b30 : Mon Jul 15 2002 - 22:29:07 PDT