Identifying Protocol Elements


schnarff

I'm doing some research regarding the recent uTorrent exploit (http://www.securityfocus.com/bid/27321), attempting to figure out how to detect and block it on the wire. I've got packet captures of the exploit being run against a patched client, and I'm a bit confused as to what kind of packet I'm looking at, and what the fields are.

After sending out a normal handshake packet, with extension bytes 0x100000 and 0x1 set, the meat of the exploit comes in a packet that doesn't look a lot like I'd expect from the docs I've found (http://wiki.theory.org/BitTorrentSpecification). Its main components are:

* Two straight hex bytes, 0x14 and 0x00 (not sure what the endianness is there)

* The string "d1:ei0e1:md6:ut_pexi1ee1:pi0e1:v16599:"

* Several hundred 0xFF's that finish off the packet

The string there seemed like it was a Dictionary, but when I parse it according to the docs I have, it immediately doesn't make sense: the first "e" seems to be out of place, and even if it just ends the dictionary declaration, the element would end immediately afterwards with "i0e". I'm at a real loss as to what the heck the rest of the string represents.

Am I missing some important piece of documentation, or am I just reading the dictionary string wrong? I know that the "16599" is the important part of the exploit, based on the comments in the source code for it, but I'm at a real loss as to what it represents, what it should be in normal circumstances, and how to parse through a packet to that point. Any help in explaining the structure here would be greatly appreciated.

Thanks,

Alex Kirk
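As an added example (not code from the original post), here is a minimal bencode decoder that walks the extension-handshake payload quoted above. In BEP 10 the two leading bytes are the BitTorrent message id 20 ("extended") and extended message id 0 (the handshake); inside the dictionary, "1:e" is a one-byte key "e", "m" maps supported extensions, "p" is the listen port and "v" is the client version string, so "1:v16599:" declares a 16599-byte version string. The decoder checks every declared string length against the bytes actually present, which is the condition a wire-level detector would alert on; MAX_VERSION_LEN is an assumed bound and SAMPLE is a constructed message modelled on the post.

```python
BT_MSG_EXTENDED = 0x14    # BitTorrent message id 20 = "extended" (BEP 10)
EXT_HANDSHAKE = 0x00      # extended message id 0 = the extension handshake
MAX_VERSION_LEN = 64      # assumed sanity bound for the "v" client-version string

class BadLength(Exception):
    """A bencoded string declared more bytes than the buffer actually holds."""
    def __init__(self, offset, declared, available):
        super().__init__(f"string at offset {offset} declares {declared} bytes, {available} present")
        self.declared, self.available = declared, available

def decode(buf: bytes, pos: int = 0) -> tuple:
    """Decode one bencode value at pos; return (value, position just after it)."""
    c = buf[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = buf.index(b"e", pos)
        return int(buf[pos + 1:end]), end + 1
    if c == b"l":                                  # list: l<values>e
        items, pos = [], pos + 1
        while buf[pos:pos + 1] != b"e":
            item, pos = decode(buf, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # dict: d<key><value>...e, keys are strings
        d, pos = {}, pos + 1
        while buf[pos:pos + 1] != b"e":
            key, pos = decode(buf, pos)            # "1:e" is the 1-byte key "e", not a terminator
            d[key], pos = decode(buf, pos)
        return d, pos + 1
    colon = buf.index(b":", pos)                   # string: <length>:<bytes>
    length, start = int(buf[pos:colon]), colon + 1
    if length > len(buf) - start:                  # length is peer-controlled: check before slicing
        raise BadLength(pos, length, len(buf) - start)
    return buf[start:start + length], start + length

def inspect_extended(msg: bytes) -> dict:
    """Classify an 'extended' message (4-byte length prefix already stripped) and decode its handshake."""
    if len(msg) < 2 or msg[0] != BT_MSG_EXTENDED:
        return {"kind": "other"}
    if msg[1] != EXT_HANDSHAKE:
        return {"kind": "extended", "ext_id": msg[1]}
    try:
        hs, _ = decode(msg, 2)
    except BadLength as e:                         # declared length overruns the message: alert
        return {"kind": "handshake", "alert": str(e), "declared": e.declared}
    hs = hs if isinstance(hs, dict) else {}
    v = hs.get(b"v", b"")
    alert = f"v string is {len(v)} bytes" if len(v) > MAX_VERSION_LEN else None
    return {"kind": "handshake", "m": hs.get(b"m"), "p": hs.get(b"p"), "v": v, "alert": alert}

SAMPLE = b"\x14\x00d1:ei0e1:md6:ut_pexi1ee1:pi0e1:v16599:" + b"\xff" * 300  # constructed, modelled on the post
```

Running `inspect_extended(SAMPLE)` reports the "v" length field of 16599 against the 300 bytes that actually follow it, while a normally sized handshake decodes to its m, p and v fields with no alert.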
