illwill
Aug 14 2004, 11:26 PM
AIM AWAY MSG sploit
author: mandragore
Compiler/ReadME: illwill
Credit:
Discovery is credited to Ryan McGeehan and Kevin Benes.
Matt Murphy is credited with discovery as well.
INSTRUCTIONS:
Extract files in zip
from the command line type:
c:\>aim-away.exe >owned.txt
open owned.txt and paste the contents
into an IM window and send to someone
with an away message on. You
should be able to connect to them
on port 1180
Use Netcat:
nc -v xxx.xxx.xxx.xx 1180
- Peace Out
illwill
-------------------------------------------------------------------------
p.s. quick and simple patch to avoid someone doing this to your AIM
======= neuteraimurl.reg =======
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\aim]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
======= neuteraimurl.reg =======
or download the newest AIM beta release
-------------------SPLOIT INFO:-------------------------------------------
The vulnerability is caused due to a boundary error within the handling
of "Away" messages and can be exploited to cause a stack-based buffer
overflow by supplying an overly long "Away" message (about 1024 bytes).
A malicious website can exploit this via the "aim:" URI handler by
passing an overly long argument to the "goaway?message" parameter.
Successful exploitation allows execution of arbitrary code on a user's
system when e.g. a malicious website is visited with certain browsers.
The vulnerability has been confirmed in version 5.5.3595. Other versions
may also be affected.
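Added example (not from the thread, and not mandragore's or AOL's code): the bug class the advisory describes, an unbounded copy of the "goaway?message" argument into a fixed stack buffer, shown next to a handler that checks the length first. The 1024-byte buffer size and all function names are assumptions taken from the advisory text.

```c
#include <string.h>

/* Size of the fixed stack buffer the advisory describes (~1024 bytes); an assumption. */
#define AWAY_MAX 1024

/* Find the value of the "message" parameter in an "aim:goaway?message=..." URI.
 * Returns a pointer into uri, or NULL when the parameter is missing. */
static const char *away_message_param(const char *uri) {
    const char *q = strchr(uri, '?');
    if (q == NULL) return NULL;
    const char *p = strstr(q, "message=");
    if (p == NULL) return NULL;
    return p + strlen("message=");
}

/* The bug class from the advisory: unbounded copy of attacker-controlled input into a
 * fixed stack buffer. Shown for comparison only; nothing here calls it. */
void set_away_message_unsafe(const char *uri) {
    char away[AWAY_MAX];
    const char *msg = away_message_param(uri);
    if (msg != NULL) strcpy(away, msg);   /* overruns the stack once msg >= AWAY_MAX bytes */
}

/* Hardened handler: check the length before copying. Returns 0 on success,
 * -1 when the parameter is missing, -2 when it would not fit in out[]. */
int set_away_message_safe(const char *uri, char *out, size_t outlen) {
    const char *msg = away_message_param(uri);
    if (msg == NULL) return -1;
    size_t n = strlen(msg);
    if (n >= outlen) return -2;   /* reject outright rather than truncating silently */
    memcpy(out, msg, n + 1);
    return 0;
}

/* Constructed input: a URI whose message is 1100 bytes, longer than the buffer. */
int demo_long_message_rejected(void) {
    char uri[1200], buf[AWAY_MAX];
    const char *prefix = "aim:goaway?message=";
    size_t plen = strlen(prefix);
    memcpy(uri, prefix, plen);
    memset(uri + plen, 'A', 1100);
    uri[plen + 1100] = '\0';
    return set_away_message_safe(uri, buf, sizeof buf);
}

/* Constructed input: a short, legitimate away message is accepted and copied intact. */
int demo_short_message_ok(void) {
    char buf[AWAY_MAX];
    if (set_away_message_safe("aim:goaway?message=brb%20lunch", buf, sizeof buf) != 0) return 0;
    return strcmp(buf, "brb%20lunch") == 0;
}
```

The registry patch further down the post takes the other route: it re-points the aim: protocol handler so the browser never hands the URI to the client at all.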
BeNiNuK
Aug 14 2004, 11:45 PM
very nice find dude! this 1 could be big!
loot
Aug 14 2004, 11:46 PM
really great work ILLwill :>
thx a lot
TRi
Aug 14 2004, 11:47 PM
Interesting, thanks for the detailed advisory + exploit
yamahacal
Aug 15 2004, 12:02 AM
Nice, I tried it out with a buddy and AIM would say it's too many characters, and GAIM sends it but it is "refused by client". Maybe I'm missing a step or something. Or AIM patched it already O_o
Hellraiseruk
Aug 15 2004, 12:24 AM
Nice job m8, sadly I'm an MSN freak hehe
||SysTeM||
Aug 15 2004, 01:18 AM
Doesn't work. Buffer overflow crashes AIM alright, but spawns no shell. Anyone else figure it out?
Flowby
Aug 15 2004, 02:21 AM
Hmmm I also tried it... I connected direct to an AIM friend... then both turned firewalls off
and I went to the exe and I got an error???
Strange! And my AIM crashed!! I didn't even get to the part where the exe makes a text file!!
prog
Aug 15 2004, 03:49 AM
yea tells me the msg is too long
it gets refused
SecureD
Aug 15 2004, 11:23 AM
which port is AIM anyway?
prog
Aug 15 2004, 04:51 PM
QUOTE (peerke @ Aug 15 2004, 11:23 AM)
which port is AIM anyway?
Open AIM, press F3, this will take you to AIM options or preferences, same thing really
then click on sign on/off
and then click 'connection', it's a button in the bottom right
common default I believe is 5190
Terminal
Aug 15 2004, 05:23 PM
QUOTE (Flowby @ Aug 15 2004, 07:51 AM)
Hmmm I also tried it... I connected direct to an AIM friend... then both turned firewalls off and I went to the exe and I got an error??? Strange! And my AIM crashed!! I didn't even get to the part where the exe makes a text file!!
Exe makes text file. Here's the text file:
start
--
--End
Reaper527
Aug 15 2004, 08:29 PM
Well, I'm able to crash myself, I guess that's a start. However, if I try to send the message to someone else it says that there are too many characters. If I try to get rid of some of the A's, it will paste in, and about 3/4 of the message turns into a hyperlink automatically, and I get a message saying it's too many characters when I try sending. I'm going to see if I can disable whatever is causing it to turn into a link. I crashed myself by putting the link in my Mozilla address bar (I had to get rid of some of the A's before Mozilla would even think about using it though). Great exploit, I'm sure someone here will figure out how to get it working properly.
----edit----
Forgot to mention, if I do insert text from file, I can insert the entire owned.txt file, however it can't be sent.
tweakz20
Aug 15 2004, 10:09 PM
Hyperlink gets cut off before the code anyway (tried doing it while DCd).
btw, you will only see the other's IP if you're directly connected; 5190 is the AIM servers, 4443 is the DC port unless it changed.
Anyone get it to work?
JaG
Aug 16 2004, 12:47 AM
QUOTE (prog @ Aug 15 2004, 03:49 AM)
yea tells me the msg is too long it gets refused
I'm having the same problem. Anyone know which client will allow me to send the xploit?
thnx