schnarff Posted January 31, 2008

I'm doing some research regarding the recent uTorrent exploit (http://www.securityfocus.com/bid/27321), attempting to figure out how to detect and block it on the wire. I've got packet captures of the exploit being run against a patched client, and I'm a bit confused as to what kind of packet I'm looking at, and what the fields are.

After sending out a normal handshake packet, with extension bytes 0x100000 and 0x1 set, the meat of the exploit comes in a packet that doesn't look a lot like I'd expect from the docs I've found (http://wiki.theory.org/BitTorrentSpecification). Its main components are:

* Two straight hex bytes, 0x14 and 0x00 (not sure what the endianness is there)
* The string "d1:ei0e1:md6:ut_pexi1ee1:pi0e1:v16599:"
* Several hundred 0xFF's that finish off the packet

The string there seemed like it was a Dictionary, but when I parse it according to the docs I have, it immediately doesn't make sense: the first "e" seems to be out of place, and even if it just ends the dictionary declaration, the element would end immediately afterwards with "i0e". I'm at a real loss as to what the heck the rest of the string represents.

Am I missing some important piece of documentation, or am I just reading the dictionary string wrong? I know that the "16599" is the important part of the exploit, based on the comments in the source code for it, but I'm at a real loss as to what it represents, what it should be in normal circumstances, and how to parse through a packet to that point. Any help in explaining the structure here would be greatly appreciated.

Thanks,
Alex Kirk
The8472 Posted January 31, 2008

The first "e" is a literal 'e', the key for the encryption flag. The "16599:" indicates that a 16599-byte-long string follows, probably overflowing the buffer for version strings.
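To make the structure concrete for the on-the-wire detection the original poster is after, here is an added example (not code from the thread or from uTorrent): a minimal bencode decoder that parses the extended-handshake body (0x14 = extended message id, 0x00 = handshake id, then a bencoded dict) and rejects any string whose declared length is implausible or exceeds the bytes actually present. The sample payloads and the 4096-byte cap are constructed assumptions for illustration.

```python
# Added example: bencode decoder with length sanity checks for the
# BitTorrent extended handshake (0x14 0x00 + bencoded dict).
MAX_STRING = 4096  # assumption: no legitimate handshake string is larger

class BencodeError(ValueError):
    pass

def _decode(buf, pos):
    """Decode one bencoded value at buf[pos]; return (value, next_pos)."""
    c = buf[pos:pos + 1]
    if c == b"i":                              # integer: i<digits>e
        end = buf.index(b"e", pos)
        return int(buf[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                      # list or dict: items until 'e'
        items, pos = [], pos + 1
        while buf[pos:pos + 1] != b"e":        # runs off the end -> error below
            item, pos = _decode(buf, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if c.isdigit():                            # string: <len>:<bytes>
        colon = buf.index(b":", pos)
        length = int(buf[pos:colon])
        if length > MAX_STRING:
            raise BencodeError(f"declared string length {length} exceeds cap")
        if colon + 1 + length > len(buf):
            raise BencodeError(f"declared length {length}, "
                               f"only {len(buf) - colon - 1} bytes follow")
        return buf[colon + 1:colon + 1 + length], colon + 1 + length
    raise BencodeError(f"unexpected byte at offset {pos}")

def check_extended_handshake(msg):
    """Classify a peer-wire message body. Returns (verdict, decoded dict or None)."""
    if len(msg) < 2 or msg[0] != 0x14 or msg[1] != 0x00:
        return "not-extended-handshake", None
    try:
        payload, _ = _decode(msg, 2)
    except ValueError as e:                    # BencodeError, bad int, missing delimiter
        return f"malformed: {e}", None
    return "ok", payload

# Constructed samples: a well-formed handshake, and one mimicking the capture
# (the 'v' value claims 16599 bytes but only 0xFF padding follows).
BENIGN = b"\x14\x00" + b"d1:ei0e1:md6:ut_pexi1ee1:pi0e1:v4:teste"
SUSPICIOUS = b"\x14\x00" + b"d1:ei0e1:md6:ut_pexi1ee1:pi0e1:v16599:" + b"\xff" * 400
```

The decoder shows why the poster's parse stalled: "1:e" is the one-byte key "e", "i0e" its integer value, and the trailing "16599:" is a string-length prefix for the "v" key with nothing of that size behind it.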
Firon Posted January 31, 2008

You'd also need to decrypt packets to block it properly, because it can and does work with encrypted connections.