Slashdot Mirror

← Back to Stories (view on slashdot.org)

Obtaining Shell Access via AIM?

Posted by Cliff on from the terminals-pah!-that-would-be-too-easy dept.

Quicksilver31337 asks: "I have recently been faced with a challenge of getting shell access via a AIM(for mobile access purposes), where Perl would be used to recieve messages (prolly from specified users only) over AIM, and pass them as shell commands, and finally, returning output to the user over AIM again. Its seems to be possible to me (maybe using Net::AIM) and I was wondering if anyone has tried something similar with success. Thanks."

10 of 88 comments (clear)

  1. GAIM by MattCohn.com · · Score: 2, Informative

    http://gaim.sourceforge.net/ - GAIM is an open source Linux client. It shouldn't be hard to gut the code for everything needed to send/recive messages, connect, and anything else protocal related, and then just make your program act off that as if it were a string. I'm sorry I don't have more information, as I'm not experianced in that area and havn't tried it before... but that's what I would do if faced with the challenge.

    1. Re:GAIM by Anglophile · · Score: 5, Informative

      MattCohn's right in that Gaim is the program you want to use, but the good news is your don't even have to gut the code! Gaim supports perl plugins, which can even act as AIM Bots. So, what you could do (quite easily in fact - download Gaim, unpack and read the doc on Perl modding in one of the source code subdirectories) is write a bot that stays online, listens for your commands, and then executes them on your machine. However, you may want to be careful as someone could easily execute malicious code on your computer!

  2. Security? by tm2b · · Score: 5, Informative

    I know sounds obvious, but...

    You have considered the security aspects of this, right? You're adding whatever security issues AIM has onto your existing system. AIM is not exactly designed to have server-strength security in terms of authentication!

    You might be better off using a web-based approach - using client-side certificates, you can at least have some measure of strong authentication between your mobile user and your server. Even better would be to use SSH.

    I have a hard time thinking that you didn't consider these other options, so I'm really curious - what other factors are dictating an AIM-based solution? SSH is available for just about every platform.

    --
    "It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
  3. Very risky by ajuda · · Score: 4, Informative

    Do you really want to log into a shell using an unencrypted IM chat? There's a reason why SSH took over for telnet. I have a feeling that if a perl command were to automatically take commands without passwords, you would be in for a nasty suprise from script kiddies and crackers.

    I suppose you could use one time passwords and such... Also, rather than simply taking arbitrary commands from users, it might make sense to present a list of commands that will be accepted; it's just like that famouse joke:

    Question: How many people will need to run rm -rf / ?
    Answer: Just one.

  4. Jabber by gehrehmee · · Score: 4, Informative
    Completely ignoreing the security issues here, you might have better luck with Jabber.
    1. It'll get you aim connectivity transparently.
    2. It's all XML, so it has an inherent structure to it that's very clear.
    3. There are lots of library implementations, so you can program your stuff in perl, python, VB, java, C.. for windows, linux, mac... whatever you feel most comfortable with.
    4. There are lots of people who know what they're doing, and are typically more then willing to help.
    jabber.org should have everything you need, including links to client software to get you started, instructions on running your own server, and instructions on how to join in on jabber group chat: You can try joining the "jdev" channel on conference.jabber.org (that's jabber conferencing, NOT irc!).
    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  5. I've done this. by FoxIVX · · Score: 5, Informative

    I did pretty much this exact thing as a proof of concept. You can download it from www.dontpokebadgers.com and modify it as you see fit.

  6. Example by mfos.org · · Score: 5, Informative

    Seeing as noone is really helping out, I'll give you a bit of example code. I have an AIM->Comment gateway for my blog.

    Here is an example that will try and execute any command sent to it in a message. You'll need to add the appropriate security features.

    #!/usr/bin/perl

    use Net::AIM;

    my $aim = new Net::AIM;

    print "Connecting to AIM server..\n";
    $aim->newconn ( Screenname => "your account",
    Password => "your password",
    AutoReconnect => 1
    ) or die "Connection failed. Fatal Error\n";

    my $conn = $aim->getconn();

    $conn->set_handler('im_in', \&got_message);
    print "Connected.\n";
    $aim->start;

    sub got_message
    {
    my ($self, $evt, $from, $to) = @_;
    my $args = $evt->args();
    my ($nick, $auto_msg, $msg) = @$args;

    $retval = `$msg`;

    $self->send_im($from, $retval);
    }

    --------------
    Simple as that

  7. Re:Example (you could also use perl plugins) by agnosonga · · Score: 5, Informative

    this is obviously very risky.
    I just thought id give you another possible answear.
    just load this up with gaim perl plugins

    NOTE: it might be a good idea to run gaim in a chrooted envirenment but please dont run it as root. (eliminating the rm -rf / problem)

    NOTE: this hasnt been tested (for obvious reasons I hope)

    my $gaim_version = GAIM::register("remote shell", 0.1,"goodbye", "");

    my $only_run_commands_from_user = "your username";

    my $user_name = GAIM::get_info(3,GAIM::get_info(1));

    GAIM::add_event_handler("event_im_recv","run_me" );

    sub run_me {
    my ($index,$from,$mesg) = @_;
    if ($from eq $only_run_commands_from_user){
    GAIM::write_to_conv($user_name,2,"running command $mesg. have a nice day :-D");

    open(PIPE, "$mesg | ");
    my $send_back = "Output of command: $mesg\n";
    while (){
    $send_back .= $_;
    }
    close(PIPE);
    GAIM::print_to_conv($index, $from, $send_back,0);
    }
    }

    sub goodbye {
    GAIM::write_to_conv($user_name,2,"Im dying");
    }

  8. yes you can do this... by toast0 · · Score: 3, Informative

    I have a project on sourceforge, shear that may serve as a head start towards your goal.

    Althought it doesn't currently do anything with the shell, it supports sending commands to an aimbot which then processes the command and does something useful.

    To play around with it, send toastsaimbot0 a message on aim.

    It is fairly easy to modify, and adding commands to do stuff you'ld like to do should not be too difficult.

    It supports authentication based on aim usernames, and will work on ICQ as well (on the odd chance you are in a situation where you can access icq but not aim)

    send me an email if you want more details, and/or help getting it to run.

    --
    Need a Catering Connection
  9. I use AIM to control Winamp from my cell phone! by cyberhobbs · · Score: 2, Informative

    Oddly enough, I use a combination of my AIM-enabled Nokia 3390 T-Mobile phone, Trillian Pro as my AIM client, with Winamp 2.x plugins, and it's built in word-matching abilities to control Winamp. For instance //next could change to the next song, as Tril Pro supports Winamp controlling as such through it's plugin. I can also launch MS Outlook from my mobile and any other program. Or set my status to away, or lock my workstation. I doubt any of this would ultimately be useful to you, but it's fun to turn the music on and off from another city... sorta...