Exploiting BitTorrent
Posted on 2008-10-08 12:26:43 in PornoSecurity
Hi there, I want to tell you about a buffer overflow in the BitTorrent client. Don't worry, it has already been patched :) This BitTorrent vulnerability hasn't gained much media attention, and I really don't know why: the BitTorrent client is installed on so many machines that exploiting this vulnerability on a large scale could let someone build a very large botnet. That's the reason I will not publish any exploit code for now. Fortunately, exploiting this vuln is not as simple as it seems; it's actually pretty hard to achieve stable, Windows-version-independent arbitrary code execution.
The overflow is stack-based, and the best way to achieve code execution is through the Structured Exception Handler. So first you overwrite the SEH record with the usual pop,pop,ret pointer. That pointer must be Unicode-friendly and must be located in the bittorrent.exe module, so that the return address stays the same across Windows versions. Another particularity is that when execution lands on your buffer you can't jump over the SEH pointer: the Unicode expansion puts a 0x00 after the opcode, so a short jmp becomes `eb 00`, a jump of zero bytes ahead, and the conditional jump opcodes are all filtered. So your return address must point to a pop,pop,ret sequence and the pointer itself, when executed as code, must not crash the application: it must also act as a NOP from the attacker's perspective.
Then you might think you can use the venetian method to build shellcode on the stack and execute it, right? Well, you can't: there's not enough space to execute anything useful. What you can do is use a venetian decoder to build an egghunter that searches the heap for your buffer. That's what I've done.
Again you might think that's all: find your buffer, jump to it and use the venetian technique to build your shellcode... unfortunately you can't, because the memory region where your code resides is no longer writable.
The trick I used is to place, after the egghunter, a small decoder that pushes the buffer onto the stack, decoding it back into its original form. Basically it starts from the end and copies byte by byte, omitting every \x00; then it pushes ESP and finally returns.
Here is a live demonstration, enjoy! :)
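The three constraints described above (a Unicode-friendly SEH pointer, an egghunter that locates the expanded buffer, and a push decoder that rebuilds the original bytes on the stack because the found buffer is not writable) as an added example. This is not the post's exploit code and not the BitTorrent client's code: it is a user-mode C model that reproduces the byte-level logic of each step so the constraints can be checked without the vulnerable client, and nothing in it executes shellcode. The egg tag `w00t`, the five-byte payload, the simulated heap layout and the byte-granular `push` in `push_decode` are all constructed assumptions for the demo, not details taken from the real decoder.

```c
/* Added example (not the post's exploit code): a user-mode C model of the
 * Unicode expansion, the egghunter compare and the push decoder described in
 * the post. Egg tag, payload and heap layout are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. Unicode expansion: for code points below 0x80 every input byte b is
 *    stored as b,0x00 (what MultiByteToWideChar does for plain ASCII).
 *    Returns the number of bytes written, 0 if out is too small. */
size_t unicode_expand(const uint8_t *in, size_t n, uint8_t *out, size_t cap) {
    if (cap < 2 * n) return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = in[i];
        out[2 * i + 1] = 0x00;
    }
    return 2 * n;
}

/* Only addresses of the form 0x00XX00YY survive that expansion (in memory:
 * YY 00 XX 00). This is the filter a pop,pop,ret candidate must pass. */
int unicode_friendly_addr(uint32_t addr) {
    return (addr & 0xFF00FF00u) == 0;
}

/* 2. Egghunter compare logic: find `tag` immediately repeated twice and
 *    return the offset of the bytes that follow, or -1. A real hunter walks
 *    pages with a syscall to survive unmapped memory; only the match is
 *    modelled here. With Unicode input the tag is matched in expanded form. */
long egghunt(const uint8_t *heap, size_t len, const uint8_t *tag, size_t taglen) {
    for (size_t i = 0; i + 2 * taglen <= len; i++) {
        if (memcmp(heap + i, tag, taglen) == 0 &&
            memcmp(heap + i + taglen, tag, taglen) == 0)
            return (long)(i + 2 * taglen);
    }
    return -1;
}

/* 3. Push decoder: the found buffer is not writable, so instead of decoding
 *    in place it is walked from the end, the 0x00 fillers are skipped and
 *    every payload byte is pushed onto a downward-growing stack. The last
 *    push lands at the lowest address, so reading from the new esp upward
 *    gives the original bytes in order; "push esp; ret" then runs them.
 *    Assumption: pushes are modelled byte-granular; the real decoder's
 *    instruction encoding is not shown in the post. Returns the new esp. */
size_t push_decode(const uint8_t *expanded, size_t n, uint8_t *stack, size_t esp) {
    for (size_t i = n; i > 0; i--) {
        uint8_t b = expanded[i - 1];
        if (b == 0x00) continue;   /* filler from expansion, not payload */
        stack[--esp] = b;
    }
    return esp;
}

/* End-to-end on a constructed payload: 1 if the bytes rebuilt on the stack
 * equal the original payload, 0 otherwise. */
int demo_roundtrip(void) {
    static const uint8_t payload[] = { 0x90, 0x90, 0x31, 0xC0, 0xCC }; /* nop;nop;xor eax,eax;int3 */
    static const uint8_t egg[4] = { 'w', '0', '0', 't' };             /* constructed tag */
    uint8_t raw[64], expanded[128], heap[256], stack[64], exp_egg[8];
    size_t rlen = 0, elen, exp_egg_len;

    /* What the attacker sends: egg, egg, payload (all NUL-free, as any
     * string-based overflow requires) ... */
    memcpy(raw + rlen, egg, sizeof egg);         rlen += sizeof egg;
    memcpy(raw + rlen, egg, sizeof egg);         rlen += sizeof egg;
    memcpy(raw + rlen, payload, sizeof payload); rlen += sizeof payload;
    /* ... and what lands in the process after conversion to UTF-16. */
    elen = unicode_expand(raw, rlen, expanded, sizeof expanded);
    memset(heap, 'X', sizeof heap);              /* unrelated heap contents */
    memcpy(heap + 97, expanded, elen);           /* constructed heap position */

    /* Hunt with the expanded tag, since that is what the hunter sees. */
    exp_egg_len = unicode_expand(egg, sizeof egg, exp_egg, sizeof exp_egg);
    long hit = egghunt(heap, sizeof heap, exp_egg, exp_egg_len);
    if (hit < 0) return 0;

    /* Decode the expanded payload that follows both tags onto the stack. */
    size_t payload_exp_len = elen - 2 * exp_egg_len;
    size_t esp = push_decode(heap + hit, payload_exp_len, stack, sizeof stack);
    return esp + sizeof payload <= sizeof stack &&
           memcmp(stack + esp, payload, sizeof payload) == 0;
}

int main(void) {
    printf("0x00400041 unicode friendly: %d\n", unicode_friendly_addr(0x00400041u));
    printf("0x7C801234 unicode friendly: %d\n", unicode_friendly_addr(0x7C801234u));
    printf("round trip ok: %d\n", demo_roundtrip());
    return 0;
}
```

`unicode_friendly_addr` is the filter to run over pop,pop,ret candidates from the module before anything else; in a module based at 0x00400000 it leaves one 256-byte window per 64 KB, which is why the post calls the search hard. `demo_roundtrip` returns 1 when the bytes rebuilt on the simulated stack match the original payload, i.e. when the hunter found the expanded buffer and the decoder stripped the fillers in the right order.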
2008-10-30 16:15:12
snip: Guido, I really liked this one ;-) especially the video, which is clear even for a noob like me.

2008-10-31 06:49:41
send9: Nice. I don't have very many skills with any kind of memory corruption (other than basic EIP overwrites), but I found a potentially exploitable overflow that the company has not responded to (.2 versions have already been released, still there). Are you interested in investigating it further? I can send you the details if you like; it's actually pretty laughable that it exists.

2008-10-31 17:31:40
k`sOSe: heya snip, thanks ;)

2008-10-31 17:33:49
k`sOSe: Hi send9, feel free to send me the details at lists-_AT_-keamera.org. I'm always looking for a new vuln to play with; maybe we can make a good sploit together :)