Arch Linux

firecat53

Member

From: Lake Stevens, WA, USA

Registered: 2007-05-14

Posts: 1,542

Website

Security of an AIM bot

Wondering if anyone had any experience with the security of AIM bots. I'm using the code from here to test out the todo.sh system. I'm not a programmer (other than casually ) and I don't know much about AIM. Any thoughts?

Here's the code:

#!/usr/bin/perl
 
# TODO.SH AIM Bot
# Author: Gina Trapani (ginatrapani@gmail.com)
# Release date: 6/23/2006
# Last updated: 7/29/2006
# License: GPL, http://www.gnu.org/copyleft/gpl.html
# Version: 0.5
# More info: http://todotxt.com
 
use warnings;
use strict;
use Net::OSCAR qw(:standard);
 
# =========BEGIN CONFIGURATION============
my $screenname = 'yourbot';  # Your bot AIM nickname
my $password = 'yourbotpasswd'; # Your bot AIM pasword
my $commander = 'youraimname'; # Your AIM name; separate multiple commanders with comma no space
my $todoscript = '/home/you/todo.sh -p -v -f';# Path to todo script with options
my $linebreakchar = '<br />';   # Defaults to HTML line breaks
# =========END CONFIGURATION==============
 
 
print "TodoBot v0.5 is starting...\n";
print "Visit todotxt.com for help and the latest version.\n";
 
my $oscar;
# Additional variables for multiple commanders
my @commanders;
my $elt;
my $is_there;
 
$oscar = Net::OSCAR->new();
$oscar->set_callback_im_in(\&im_in);
$oscar->signon($screenname, $password);
 
while(1)
{
    $oscar->do_one_loop();
}
 
sub im_in {
    my($oscar, $sender, $message, $is_away, @commanders, $is_there, $elt) = @_;
    print "[AWAY] " if $is_away;
    print "$sender: $message\n";
 
    # Some AIM clients send HTML, we need
    # to convert it to plain text
    # remove tags
    $message =~ s/<(.|\n)+?>//g;
    # convert "'s
    $message =~ s/"/\"/g;
    my $response = "\n";
 
    # Check to see if commander is in the allowed list.
    # This is not the most efficient way; but given that the list of allowed
    # commanders is going to be small and its only going to do it once every
    # command, the response time should not be affected drastically
    @commanders = split(',',$commander);
    $is_there = 0;
    foreach $elt (@commanders) {
  if ($elt eq $sender) {
   $is_there = 1;
   last;
  }
    }
 
    if ($is_there) {
 
    my $checkfordel = substr($message, 0, 3);
    print "$todoscript $message\n";
    if ($message eq "die") {
      $oscar->send_im($sender, "I'm out! See ya!");
      $oscar->signoff();
      exit();
    }
    open FH, "$todoscript $message |" or $response = "The Todo bot go BOOM! Please check the path to your todo script is correct.";
    while(<FH>) {
      chomp;
      $response = $response.$_.$linebreakchar;
    }
    close FH;
    chomp($response);
    if (($response eq "\n") || $response eq "") {
      $response = $response."Nothing to display for command todo $message."
    }
   } else {
    $response = "You are not the boss of me.";
   }
   print "$screenname: $response\n";
   $oscar->send_im($sender, $response);
   
}

Thanks!
Scott

---

Github

juster

Forum Fellow

Registered: 2008-10-07

Posts: 195

Re: Security of an AIM bot

Cool bot!  You will want to escape special bash characters so commanders don't slip in a '&& cat /etc/passwd' or what not into the message.  Something like:

$message =~ s/([\\~`!@#$&;"'|!])/\\$1/g;

I think you need two \'s for the \\$1 but I can't remember.  There might be more characters listed in the bash manpage.

firecat53

Member

From: Lake Stevens, WA, USA

Registered: 2007-05-14

Posts: 1,542

Website

Re: Security of an AIM bot

Hey, thanks for the tip!  I also run the bot as user www-data (same as the web server).  I also found and added the following code so it will run as a daemon in the background:

..........
$oscar->set_callback_im_in(\&im_in);
$oscar->signon($screenname, $password);

use POSIX qw(setsid);
chdir '/';
umask 0;
open STDIN, '/dev/null';
open STDERR, '>/dev/null';                                              
defined(my $pid = fork);
exit if $pid;
setsid;

while(1)
{
    $oscar->do_one_loop();
}
.........

Thanks!
Scott

---

Github

juster

Forum Fellow

Registered: 2008-10-07

Posts: 195

Re: Security of an AIM bot

Nice daemonization!  One minor piece of advice.  The 'defined(my $pid = fork)' won't do anything.  defined() returns true (1) or false (0) depending on if the argument has a defined value.

I think you need something like

die "fork failed: $!" unless defined( my $pid = fork );

Because fork returns undef (the undefined literal used by perl) if there was an error, 0 if we are currently in the parent process, and the process id if we are in the child process now.  Now you can have an error message if something goes wrong, but you should put this before you redirect STDERR to /dev/null or else you won't be able to see the error message.