Jump to content

Identifying Protocol Elements


Recommended Posts

I'm doing some research regarding the recent uTorrent exploit (http://www.securityfocus.com/bid/27321), attempting to figure out how to detect and block it on the wire. I've got packet captures of the exploit being run against a patched client, and I'm a bit confused as to what kind of packet I'm looking at, and what the fields are.

After sending out a normal handshake packet, with extension bytes 0x100000 and 0x1 set, the meat of the exploit comes in a packet that doesn't look a lot like I'd expect from the docs I've found (http://wiki.theory.org/BitTorrentSpecification). Its main components are:

* Two straight hex bytes, 0x14 and 0x00 (not sure what the endianness is there)

* The string "d1:ei0e1:md6:ut_pexi1ee1:pi0e1:v16599:"

* Several hundred 0xFF's that finish off the packet

The string there semeed like it was a Dictionary, but when I parse it according to the docs I have, it immediately doesn't make sense: the first "e" seems to be out of place, and even if it just ends the dictionary declaration, the element would end immediately afterwards with "i0e". I'm at a real loss as to what the heck the rest of the string represents.

Am I missing some important piece of documentation, or am I just reading the dictionary string wrong? I know that the "16599" is the important part of the exploit, based on the comments in the source code for it, but I'm at a real loss as to what it represents, what it should be in normal circumstances, and how to parse through a packet to that point. Any help in explaining the structure here would be greatly appreciated.


Alex Kirk

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...