#############################[yayo.org]###################################
###########[yayo.org]#####################################################

[+] vulnerable software: aim express 7.0
[+] discovered by: pad aka padillac escobar
[+] capabilities: bumping, password scrambling, account suspension
[+] discovered on: 08/20/08
[+] partially patched on: 09/09/08

[+] notes: A few people have been asking for an explanation as to how I have been able to bump, reset and suspend AIMs over the past 22 days, but as I have been helping AOL patch the exploit, I concluded that it would be unethical to fully disclose details of how it is done until the hole had begun being patched. Now that it has been, I invite you to read this text and learn the full details behind it all. Yes, I'm aware that "aol hacking" is an art now considered as dead as it is lame, but in my defense this hole took me no longer than 10 minutes to discover.

###########[yayo.org]#####################################################
#############################[yayo.org]###################################
I coded an application entitled "padillac's aim bump v1" to do all of this work for me, but here are the technical details behind it:

Equip yourself with the packet sniffer of your choice (Wireshark, Live HTTP Headers for Firefox, etc.) and navigate to the new AIM Express 7.0 page:
http://o.aolcdn.com/aim/gromit/gm/aim_express/080815.1/WidgetMain.html

Sign in with an active AIM screen name and wait for the response data, which includes your unique "aimsid" key and will look something like this: 001.34576232342.2073485731:example ("example" is where your screen name would show up).

Using AIM Express, send an instant message to your target. Even if your target has privacy settings enabled and you are unable to send the instant message, he/she is now vulnerable to your attack.

Send the following to api.oscar.aol.com on port 80 numerous times:

    GET /im/reportSPIM?f=amf3&aimsid=[aimsid-here]&r=1&t=[target-here]&spimType=abuse&spimEvent=user HTTP/1.0
    Host: api.oscar.aol.com
See spimType=abuse? That's right, we're exploiting their "report" feature for instant message spam and abuse. At this point in your AIM Express session the "report" button will be disabled, but that doesn't stop us from submitting abuse reports directly to the server. There are two submission options for spimType, "spimType=spim" and "spimType=abuse". If your target has not sent you an instant message, sending the above header with "spimType=spim" will return this error:

    Target not allowed. The evilee had not previously acted on the eviler.

But when we select "spimType=abuse" this error does not occur. It appears some of AOL's developers forgot the harsh reality that for someone to "abuse" someone else over AOL Instant Messenger, they must first send an abusive instant message to that person.

Now that we have submitted a number of abuse reports to AOL, the next time our target sends an instant message to anyone, be it you or the Queen of England, he/she will receive the following error message: "your screen name has been signed on from another location". He/she will be bumped offline immediately and unable to sign back on for 1 to 5 minutes.
I was capable of suspending and/or password scrambling AIM accounts with this flaw by targeting the same person over and over again, changing the &r=1 value to &r=2, &r=3, &r=4 and so on after each abuse report submission. AIM Express 7.0 raises the "r=" value by 1 per abuse submission, but to my knowledge limits you to only 2 abuse report submissions per session. Directly submitting these abuse report headers to the server bypasses this limitation.
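A server-side model of the two checks the paste shows were missing, added here as an example and not code from the paste or from AOL: a stand-in reportSPIM handler that applies the "target previously acted on the reporter" rule to both spimType values and counts reports on the server instead of trusting the client's r= counter. The class and function names, the two-report cap and the "target-sn" screen name are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumption: a server-side cap matching the client-side limit the paste describes.
MAX_REPORTS_PER_SESSION = 2


class SpimReportServer:
    """Constructed stand-in for the reportSPIM endpoint (not AOL's code)."""

    def __init__(self):
        self.delivered = set()                      # (sender, recipient) pairs of delivered IMs
        self.reports_by_session = defaultdict(int)  # reports accepted per aimsid

    def record_im(self, sender, recipient):
        self.delivered.add((sender, recipient))

    def report_spim(self, aimsid, reporter, target, spim_type):
        """Return (accepted, message); the same rules apply to every spimType."""
        if spim_type not in ("spim", "abuse"):
            return False, "Unknown spimType."
        # The flaw in the paste: this check only ran for spimType=spim. Run it for all types.
        if (target, reporter) not in self.delivered:
            return False, "Target not allowed. The evilee had not previously acted on the eviler."
        # Count on the server; the client's r= counter is attacker-controlled.
        if self.reports_by_session[aimsid] >= MAX_REPORTS_PER_SESSION:
            return False, "Report limit reached for this session."
        self.reports_by_session[aimsid] += 1
        return True, "Report accepted."


def parse_report_request(request_line):
    """Split a 'GET /im/reportSPIM?... HTTP/1.0' request line into its query parameters."""
    _method, path, _version = request_line.split(" ", 2)
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}


def handle_report(server, request_line):
    """Route a raw request line to the server; the reporter is the screen name after ':' in the aimsid."""
    p = parse_report_request(request_line)
    reporter = p["aimsid"].rsplit(":", 1)[-1]
    return server.report_spim(p["aimsid"], reporter, p["t"], p["spimType"])


if __name__ == "__main__":
    # Constructed request modelled on the paste; "target-sn" is a placeholder screen name.
    srv = SpimReportServer()
    req = ("GET /im/reportSPIM?f=amf3&aimsid=001.34576232342.2073485731:example"
           "&r=1&t=target-sn&spimType=abuse&spimEvent=user HTTP/1.0")
    print(handle_report(srv, req))          # rejected: target never messaged the reporter
    srv.record_im("target-sn", "example")
    print(handle_report(srv, req))          # accepted
```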
And if you're curious, "disgust" was suspended (unsuspended now), and "dianaz", "anything" and "bangin" were password scrambled.

Thanks for reading.

love,
pad