AOL Instant Messenger Heap Overflow

["Matthew Murphy" <mattmurphy () kc rr com>]

The previously reported AOL Instant Messenger heap overflow is restricted to
the "goim" handler.  The unchecked escaping is performed on the "screenname"
query string parameter.  The vulnerability is exploited when the user clicks
"Get Info" to request information on the buddy.

AIM dies with an access violation when trying to execute 0x656C6261.  As
there is nothing stored there, AIM faults and dies:

 EAX = 000000A0 EBX = 00000000 ECX = 00000003 EDX = 00A00000 ESI = 00C90A00
EDI = 010B3E90
 EIP = 656C6261 ESP = 0063F42C EBP = 6C696176 EFL = 00010206 CS = 017F DS =
0187 ES = 0187
 SS = 0187 FS = 2FAF GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=1 CY=0
 ST0 = +0.00000000000000000e+0000 ST1 = +0.00000000000000000e+0000
 ST2 = +0.00000000000000000e+0000 ST3 = +0.00000000000000000e+0000
 ST4 = +0.00000000000000000e+0000 ST5 = +1.95075000000000000e+0005
 ST6 = +4.30449203000000000e+0008 ST7 = +1.00000000000000000e+0000 CTRL =
027F STAT = 4020
 TAGS = FFFF EIP = 70CC8ECD CS = 017F DS = 0187 EDO = 70CC8E48

This vulnerability is really not a serious one, given the high level of user
interaction required for successful exploitation.  I tried to "spray" data
on the heap to overwrite other structures, but this proved useless.

"The reason the mainstream is thought
of as a stream is because it is
so shallow."
                     - Author Unknown