Critical Vulnerability Discovered in uTorrent
A vulnerability described as ‘critical’ has been discovered in versions of uTorrent and the official BitTorrent client. The ‘buffer overflow’ vulnerability can be exploited to compromise a user’s computer for the execution of arbitrary code. It is suggested that users should immediately update to uTorrent version 1.8 RC7 or higher. There is currently no fix for the official client.
...
... “the vulnerability is caused due to a boundary error in the processing of .torrent files. This can be exploited to cause a stack-based buffer overflow by tricking the user into opening a .torrent file containing an overly long ‘created by’ field”.
Critical Vulnerability Discovered in uTorrent | TorrentFreak (http://torrentfreak.com/critical-vulnerability-discovered-in-utorrent-080812/)
LOL, you've got to be kidding me?!! Isn't uT a closed-source client?? How come outside sources can access users' hash info, for example, to compromise weak points of the client?
This is not the first time a potential vulnerability has been discovered in uT ^^
It doesn't matter if the product is open- or closed-source; hackers can still find things like this, just as every piece of software can be cracked :top:
For example old versions of IE had this bug where loading an image with huge "width" and "height" values defined in the IMG tag of an HTML document would crash the browser...
Logitech is searching Milw0rm.
.................
aaahhhh only for version 1.7.7:(
Mmm... what did you want to do? :wink:
By looking in the peer list I see that many people still use uT 1.7.7 :).
@anon: nothing :wink2:
It always takes a while for new versions to spread. But this time there's a good incentive to update...
@anon: nothing :wink2:
Make sure that's how it stays :biggrin:
Make sure that's how it stays
anon, what tracker were you a member of? :rolleyes2:
Many, but what does it have to do with this...?
I was thinking about uploading some torrents with shellcode in them :wink:.
Edit: I edited my previous post maybe you understand why now.
How would it be run? :tongue:
How would it be run? :tongue:
My little secret:cool2:
*.torrent shell code execution exploit by Logitech is released* :biggrin:
@anon: I believe that anything could be done with any piece of software as long as it has source code!! Anyway, hope nobody else messes with uT since it's my favourite one of all time: a secure, resource-saving, very fast and reliable BitTorrent client!!
@Logitech: lol, maybe you need to share that little secret with us (joking, if you don't want to, for sure), honey!! Maybe injecting a torrent file with shellcode will make it more secure?? Don't know, I'm just guessing :biggrin:
Logitech's shellcode would run his favorite trojan when the torrent is loaded :O
Logitech's shellcode would run his favorite trojan when the torrent is loaded :O
Damn, are you serious? :shockkk!: Nah, don't want that secret, bud, I give up :biggrin:
Logitech's shellcode would run his favorite trojan when the torrent is loaded :O
Poison Ivy or ProRAT:biggrin:
Which one should I choose?
Wait a second let's open a poll:top:
Never tried Prorat, but I have had some good experiences with PI :biggrin:
I had agreed with my contact we were going to use a RAT, then solved some of his PC problems with it from my comp... what did you think? :wink:
Also the server is 8kB and written in ASM :tongue:
But for me the best remote administration tool is RemotelyAnywhere: it takes having just a web browser to be able to control the remote PC (no "client" programs), and can get through firewalls. Too bad it isn't free.
Let's install RealVNC, it's easy to use.
You can even change how many bits of colour (e.g. 8 bits), so you can even download and do things on that computer :).
Although VNC software is easier, it's more likely that a torrent is +-8 kB than 5 MB.
So what are we going to choose?
You can even change how many bits of colour (e.g. 8 bits), so you can even download and do things on that computer :).
In RA you can go as low as grayscale (for 56K connections :biggrin:)
"So what are we going to choose?"
It's up to you :cool2:
...
RA is 12MB :tongue:
Is RA already a server file or does it need to be installed as well?
I have seen something about AV on uncle Mil's page, so it won't be hard to make a RAT tool undetectable.
Is RA already a server file or does it need to be installed as well?
Needs to be installed, licensed, configured, and installs a mirror driver. Not what you'd call undetectable :tongue:
"I have seen something about AV on uncle Mil's page, so it won't be hard to make a RAT tool undetectable"
If you mean Themida forget it :biggrin: It can make the smallest EXE megabytes big :mad2:
There is something called editing the byte that contains the detection.
And Themida is recognized by NOD32 and some other antivirus programs, because it's used for the things we are talking about.
"There is something called editing the byte that contains the detection."
:O
"And Themida is recognized by NOD32 and some other antivirus programs, because it's used for the things we are talking about"
Even after editing the section name? :tongue:
Hey Logitech!! Are you still thinking of picking your next victim?? Hehe, anyway, try that RA app, it's amazing you know (anon was playing chess on my PC 1 week ago :biggrin:), it's just as simple as digging up a PC for injecting your server file.
:biggrin:
But how can he inject a 12MB msi in a .torrent? :eek3: You also need to know who to connect to [IP address], and his Windows username and password, remember? :wink:
OK, now I'm getting some new ideas!! :biggrin: Hey Logitech, can you compress that shellcode a little bit? I mean minimize its actual running size to less than 1 MB; that way it would be reasonable if linked to a pack sized at 20 GB+ (you know, once you see a 900 KB torrent file you won't be shocked, since you already know you are leeching a lot here). Maybe I'm having a daydream, since I don't know how that shellcode works anyway, but I do know that everything's possible lately; if you could do that with your shellcode then it would be such a piece of art :top:
Compressing 12 MB to 1 MB is some hard compression technique.
@Reppy: that'd mean modifying the .torrent, which changes its infohash = tracker won't recognize it, 0 peers and seeds as its hash is different, also other peers won't have that torrent. Pretty impossible :/
@Logitech: KGB archiver :biggrin: But it takes A LOT of time to unpack :frown:
Well, I don't know its parameters well enough to tell if it could be done or not, but I was wondering, since it sounds cool to inject such shellcode into a .torrent file without making it huge!! Anyway, I believe that someone else already discussed such a process somewhere before, so let's see if we can find such a modified torrent file someday.
P.S.: Yeah, KGB is a monster compressor/decompressor for large files.
so let's see if we can find such a modified torrent file someday
For now there are virus-infected "cracks" and "releases" on public trackers and indexes :mad2: Or trojans that run alongside "good" content, so that you never know you're infected and, if so, keep on sharing the torrent :icon_angry[1]:
LOL, that's why a protection cycle should be injected someday into torrent files (presented in a few bytes), just to ensure secure P2Ping!! I guess maybe uT would include a small shellcode check in one of its coming releases, so that it detects if that torrent file is infected with any malicious objects.
I guess maybe uT would include a small shellcode check in one of its coming releases, so that it detects if that torrent file is infected with any malicious objects
Like an antivirus scan?
We can use "Run this program when the download finishes" (torrent properties -> Advanced) to have our AVs scan a torrent after it's finished :top:
Yeah, I know that function, it's normal. I meant a sophisticated malicious-object checker that will do a ms scan inside the hash info within the .torrent file (to prevent any bad shellcode from further generating any bad items).
Mmm, a kind of mini-antivirus designed specifically to detect .torrent shellcode threats, should they become widespread, it's a good idea.
Just like Winalign is a kind of mini-defragger in Win98 system :tongue:
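As an added example (not code from uTorrent, BitTorrent, or anything posted in this thread), here is a small Python bencode codec that does the two checks this discussion keeps circling: it flags an "overly long 'created by' field" of the kind the advisory quoted in the first post describes, which is the pre-parse check a mini-scanner like the one just suggested would do, and it computes the infohash raised earlier. The infohash is the SHA-1 of the bencoded info dictionary only; a top-level "created by" string sits outside info, so padding it does not change the infohash a tracker sees, whereas changing anything inside info does. The sample torrent, the tracker URL and the 256-byte threshold are constructed for the example.

```python
"""Added example, not code from uTorrent, BitTorrent or TorrentFreak:
a minimal bencode codec that computes a .torrent's infohash and flags
oversized string fields such as 'created by'. The sample torrent, the
tracker URL and the 256-byte threshold are constructed for the example."""
import hashlib

MAX_FIELD_LEN = 256  # assumed threshold for an "overly long" text field


def bdecode(data: bytes):
    """Decode bencoded bytes, refusing declared lengths that overrun the input."""
    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":                                  # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                                  # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                value, i = parse(i)
                items.append(value)
            return items, i + 1
        if c == b"d":                                  # dict: d<key><value>...e
            result, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                value, i = parse(i)
                result[key] = value
            return result, i + 1
        if c.isdigit():                                # string: <len>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            if start + length > len(data):
                raise ValueError("declared length %d overruns input" % length)
            return data[start:start + length], start + length
        raise ValueError("bad bencode at offset %d" % i)

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(obj) -> bytes:
    """Canonical bencoding: dict keys are bytes and emitted in sorted order."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(obj[k]) for k in sorted(obj)) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def infohash(torrent: bytes) -> str:
    """Hex SHA-1 of the bencoded 'info' dict: the only part trackers and peers key on."""
    return hashlib.sha1(bencode(bdecode(torrent)[b"info"])).hexdigest()


def oversized_fields(torrent: bytes, limit: int = MAX_FIELD_LEN) -> list:
    """Dotted paths of string fields longer than limit; 'pieces' is exempt
    because it is legitimately 20 bytes per piece."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if key != b"pieces":
                    walk(value, path + [key.decode("utf-8", "replace")])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        elif isinstance(node, bytes) and len(node) > limit:
            found.append(".".join(path))

    walk(bdecode(torrent), [])
    return sorted(found)


# Constructed sample: a single-file torrent with four 256 KiB pieces.
INFO = {b"name": b"example.iso", b"piece length": 262144,
        b"length": 1048576, b"pieces": b"\x00" * 80}
BENIGN = bencode({b"announce": b"http://tracker.example/announce",
                  b"created by": b"demo", b"info": INFO})
# Same info dict, but 'created by' padded far beyond any sane client string.
HOSTILE = bencode({b"announce": b"http://tracker.example/announce",
                   b"created by": b"A" * 4096, b"info": INFO})

if __name__ == "__main__":
    print("benign  infohash:", infohash(BENIGN), oversized_fields(BENIGN))
    print("hostile infohash:", infohash(HOSTILE), oversized_fields(HOSTILE))
```

Run it directly to print both infohashes (identical, since only the top-level field differs) and the flagged paths. The length check in bdecode also refuses a string whose declared length overruns the input, which is the other way a hostile .torrent trips a careless parser.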
LOL yeah hope we can see that mini-buster soon in any of the Bittorrent trackers :top:
It's a good idea.
But I think this isn't necessary on the "good" ALT. :wink:
In the ones you can trust ^^
I would say on every tracker without open signups.
No one is going to get an invite (and even become an uploader) just to post one infected *.torrent file and get banned.
Yes, you're right about that, it'd be a stupid thing to do in those cases.
Plus the IP to connect to embedded in the .torrent would surely be spread and DDoSed, and the uploader's personal info posted (depending on the tracker).
What the heck, then?? If a smart coder took his time to hide this shellcode wisely in the torrent file so that no one would feel anything happened to his PC (since no alerts are shown by any AV), then how come he will be detected? Guys, I'm talking about a very complicated situation here, just keep up with me!! :biggrin:
But even if it was undetectable, it'd be noticed that after loading that torrent, weird things start to happen to your computer, which don't when booting in Safe Mode [well, it depends on how the trojan manages to run with Windows], even with network support, when all this doesn't happen with other (non-infected) torrents...
[well, it depends on how the trojan manages to run with Windows], even with network support, when all this doesn't happen with other (non-infected) torrents...
You got a good point here, pal! That's exactly what I meant with that simulation: just to improve a smart trojan that won't run until the whole file gets downloaded, so that the user doesn't feel what happened to his PC and just thinks that some ads got him infected!! That way, the trojan developer would accidentally inject those trojans & spread the harmful file around the net in no time :tongue: (being a devil lately, I know :biggrin:)
You got a good point here, pal! That's exactly what I meant with that simulation: just to improve a smart trojan that won't run until the whole file gets downloaded, so that the user doesn't feel what happened to his PC and just thinks that some ads got him infected!! That way, the trojan developer would accidentally inject those trojans & spread the harmful file around the net in no time :tongue:
So as long as you don't give the infected user a way to know you're there (not directly controlling his input, for example), it's OK? :biggrin: File transfer and registry editing, etc.? :biggrin:
(being a devil lately I know :biggrin:)
That's true, Rep... :wink2:
But it's fantastic that you become interested in computer security matters. Therefore you can learn new things, possible attack ways and how they can be prevented/countered... stuff like this that's always useful :wink:
So as long as you don't give the infected user a way to know you're there (not directly controlling his input, for example), it's OK? :biggrin: File transfer and registry editing, etc.? :biggrin:
don't forget that any cracker/coder who just invent for harmfull purposes is the ONLY one who knows who's there & who's not !! so for sure it would be reasonable for him to inject himself inside victim's PC with a quite well made simulation of his own just to stay for the couple of seconds he needs to get the job done,that's how things work,I guess... :biggrin:
That's true, Rep... :wink2:
But it's fantastic that you become interested in computer security matters. Therefore you can learn new things, possible attack ways and how they can be prevented/countered... stuff like this that's always useful :wink:
Yeah sure, I'm starting to like the whole thing (won't hurt anybody for sure), but the thing is that I need a quite good teacher to learn some tricks :tongue:
won't hurt anybody for sure
This is what almost everyone says.
After you know one thing and another you will become something they refer to as a "Grey Hat".
If I had to think of the best possible way to hide something in a torrent:
Just make a torrent file, for example Step Brothers.
Find a way that the server.exe file is not shown in the file list and not counted in the complete file size.
And when it downloads the server.exe file, that is counted as thrown-away download (don't know what the real name is).
When you do something like this it will look like you just downloaded some corrupt bytes, while you actually downloaded server.exe.
If you do it like this (or slightly differently) the .torrent file won't be like 12 MB and you don't have to find some kind of way to compress the torrent file.
Aurion leave reppy alone. LEAVE HIM ALONE.
He hasn't done anything to you. LEAVE HIM ALONE.
Find a way that the server.exe file is not shown in the file list and not counted in the complete file size.
And when it downloads the server.exe file, that is counted as thrown-away download (don't know what the real name is)
And what should that way be called?? :tongue: I do want to get into this part, especially since reducing a .torrent file's size to a normal 20~100 KB is something great (for sure when it also includes those bad bytes known as the shellcode) and challenging, that every coder should learn...
If you do it like this (or slightly differently) the .torrent file won't be like 12 MB and you don't have to find some kind of way to compress the torrent file
Good boy, you've got to understand me now :klatsch_3:
Aurion leave reppy alone. LEAVE HIM ALONE.
He hasn't done anything to you. LEAVE HIM ALONE.
I didn't do anything to him, boy!! I'm just sad to leave such a decent username :wink:
This is what almost everyone says.
After you know one thing and another you will become something they refer to as a "Grey Hat".
A grey hat, in the hacking community, refers to a skilled hacker who sometimes acts legally, sometimes in good will, and sometimes not. They are a hybrid between white and black hat hackers. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits.
Yes, it would more or less apply to this exploit and how we plan to use it...
If I had to think of the best possible way to hide something in a torrent:
Just make a torrent file, for example Step Brothers.
Find a way that the server.exe file is not shown in the file list and not counted in the complete file size.
And when it downloads the server.exe file, that is counted as thrown-away download (don't know what the real name is).
When you do something like this it will look like you just downloaded some corrupt bytes, while you actually downloaded server.exe.
If you do it like this (or slightly differently) the .torrent file won't be like 12 MB and you don't have to find some kind of way to compress the torrent file.
Like "wasted" data in uT, but having it being recorded to the HDD and run from there? It's a nice idea, if it's possible.
Aurion leave reppy alone. LEAVE HIM ALONE.
He hasn't done anything to you. LEAVE HIM ALONE.
It's too late man :biggrin: Au has won the battle :cool2:
@Aurion: it depends on the torrent's size. .torrent metadata can weigh as little as 242 B or as much as 142 kB (in this case, the extra shellcode KBs will surely pass unnoticed :tongue:)
It's too late man :biggrin: Au has won the battle :cool2:
LOL, hell yeah, he got wasted already :tongue:
@Aurion: it depends on the torrent's size. .torrent metadata can weigh as little as 242 B or as much as 142 kB (in this case, the extra shellcode KBs will surely pass unnoticed :tongue:)
Hmm, sounds like it's going to happen soon. That's what I meant earlier, guys: just to get the main .torrent file's frame to a smaller size than the shellcode itself, so that a normal .torrent file would flow among trackers, downloadable, injected with that shellcode in just a few bytes to get unnoticed :klatsch_3:
Say our shellcode's size is 8kB. Here's when it'd be noticeable:
http://img53.imageshack.us/img53/5540/1notpc4.gif
(the torrent's content is 36KB)
And here's when it wouldn't :cool2:
http://img53.imageshack.us/img53/4070/2notfr4.gif
(torrent's content = 28.4GB)
For sure, the difference is such a noticeable big one, oh well.. but still it can be compressed somehow. anon, I do believe that everything could be done regarding PC sneak-ins/backdoors :biggrin:
But it's already 8kB, and it's written in Assemb-
oh wait, I didn't try UPXing it, which would make it even smaller. :cool2:
[PI] :tongue:
But if you try UPXing the torrent/injected file, it may be that the file stops working.
It happened to me before.
I packed a .dll that was recognized and then the main program that used that .dll couldn't read it anymore.
I packed a .dll that was recognized and then the main program that used that .dll couldn't read it anymore.
Did your packing program strip the relocation tables from the DLL?
Like 99% of programs won't work if those are removed...
The .dll just has to be in the same directory as the main program.
Maybe you know the program WPE PRO.
The .dll just has to be in the same directory as the main program.
Yes, I knew this :smile:
I meant that if you enable the option "strip reloc tables" in your packing program, the app using the (now packed) DLL most likely won't work.
So you can disable that option to increase compatibility while still being able to compress the .dll :top:
Maybe you know the program WPE PRO.
Winsock packet editor?
Winsock packet editor?
yea, that is it.
I use it for an online game I often play.
It's funny what you can do with a packet editor when used well :biggrin:.
Oh yes, I do ;/
Specially in those where like 90% of the processing is done client-side: the weakest weapon can hit for 99999 damage, you can teleport, etc...
the weakest weapon can hit for 99999 damage, you can teleport, etc...
LOL, are you serious? (sorry for the interruption, guys) I wish I had known you a year ago, anon, I could have used lots of help though :tongue: Anyway, we can still go further with that later if you want.
Yes, I am :smile:
And I think you would have wanted it to cheat at Silkroad! :tongue:
Anyway don't get me wrong, I know what packet editing is and does, but am not experienced with it...
:google: ^^
LOL, nah, it's OK then, but yeah, right, I wanted lots of help at SRO getting a bot engine to work by cracking it rather than paying a couple of bucks to buy credit hours!! Anyway, I can pass you the hex code of the old cracked version of that bot later :top:
WPE is more for server-side things.
You record that you hit monster A.
Put it in the send list and send it continuously with a delay of e.g. 50.
Now you will hit monster A continuously with a delay of fifty instead of the normal 500 delay.
I use it on a game called Mu Online.
I can DC people in a little spot around me, dupe jewels and do other funny things.
But we are going very off topic now.
WPE is more for server-side things.
You record that you hit monster A.
Put it in the send list and send it continuously with a delay of e.g. 50.
Now you will hit monster A continuously with a delay of fifty instead of the normal 500 delay.
I use it on a game called Mu Online.
I can DC people in a little spot around me, dupe jewels and do other funny things.
But we are going very off topic now.
Nah, you don't (at least for me). Hold on a second, you mean that you can dupe gold, items, etc.?? Also, by doing that, can you for example respawn a monster in a certain area?? BTW, you said server-side thing: do you mean that those stats you simulate won't be on the real record on the server side?? I mean, if you are for example a LVL 1 character, can you boost yourself to LVL 100x in a real situation?? I mean that everyone on the same server sees you as LVL 100x?? I really want to fully understand that, since things would rise up again from the ashes by then :tongue: (can get your fortune)
...
Now you will hit monster A continuously with a delay of fifty instead of the normal 500 delay.
I use it on a game called Mu Online.
I can DC people in a little spot around me, dupe jewels and do other funny things.
I have played Mu too :smile: But all the cheating I did can be summed up as using an autoclicker to attack and raise stats faster, and a simple left/right-click bot. "Mu Proxy" programs for 1-hit kills and such exist, but I have never been able to get any of them to work...
@Aurion: yes, you can dupe items (for the server I play you had to open your vault, and move an item to it as you held D and pressed C, T, C, T, C, T).
As regards level-advancing cheats, yeah, everyone will see you as the level you have "advanced" to.
But we are going very off topic now.
That's right :redface:
Let's get back in-topic everyone! :smile:
In the old days, when you killed a monster there was a packet sent that contained the information that you killed monster A.
You just recorded that and sent it over and over again.
But they found out about it and patched it as soon as possible.
There is at least one bug in GS 1.0.0.8 or 1.0.0.16 where you can use a packet editor to level up.
And what I meant with server-side: you can send things to the server, and by editing them you can confuse the server.
Cheat Engine is client-side; everything you do with CE only affects you.
With WPE you send things to the server and that could lead to a change.
In the old days, when you killed a monster there was a packet sent that contained the information that you killed monster A.
You just recorded that and sent it over and over again.
But they found out about it and patched it as soon as possible.
Because they could detect you sent the "monster X killed" message even if it hadn't spawned yet, right?
There is at least one bug in GS 1.0.0.8 or 1.0.0.16 where you can use a packet editor to level up.
And what I meant with server-side: you can send things to the server, and by editing them you can confuse the server.
Like getting some reserve stat points, open the WPE, issue an /addstr XX (to add strength pts.) command in-game and have WPE record the packet sending this to the server. Then kill some mobs and send the packet again, but modifying the amount of added points. :tongue:
Cheat Engine is client-side; everything you do with CE only affects you.
With WPE you send things to the server and that could lead to a change.
Correct :)
CE is to modify RAM, right? So that you can give yourself 9999 ammo/health/armor, and things like that, but always client-side.
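As an added example, not code from any game server, WPE or Cheat Engine: a toy message handler in two versions that shows the server-side point just made. The naive version trusts the client, so replaying the recorded "killed monster A" packet or editing the amount in an /addstr packet both change server state; the authoritative version keeps the list of spawned monsters and the unspent point count itself, so a replayed kill finds nothing left to claim and an inflated amount is rejected, which is what the "monster hadn't spawned yet" detection described above amounts to. Message shapes, reward values and point counts are constructed for the example.

```python
"""Added example (not code from any game, WPE or Cheat Engine): a toy
game-server message handler in two versions. NaiveServer trusts the
client, so a replayed 'kill' packet and an edited /addstr amount both
work. AuthoritativeServer owns the world state and validates each packet.
Message shapes, rewards and point counts are constructed for the example."""


class NaiveServer:
    """Accepts whatever the client claims."""
    def __init__(self):
        self.exp, self.strength, self.reserve = 0, 0, 5

    def handle(self, msg: dict) -> bool:
        if msg.get("type") == "kill":
            self.exp += 100                  # no check that the monster exists
            return True
        if msg.get("type") == "addstr":
            self.strength += msg["amount"]   # no check against reserve points
            self.reserve -= msg["amount"]
            return True
        return False


class AuthoritativeServer:
    """Server-side state is the only truth; each packet is a request to validate."""
    def __init__(self):
        self.exp, self.strength, self.reserve = 0, 0, 5
        self.alive = {}                      # monster id -> exp reward

    def spawn(self, monster_id: str, reward: int = 100) -> None:
        self.alive[monster_id] = reward

    def handle(self, msg: dict) -> bool:
        kind = msg.get("type")
        if kind == "kill":
            # Only a monster the server spawned and still considers alive can
            # be killed; a replayed packet finds it already gone.
            reward = self.alive.pop(msg.get("monster"), None)
            if reward is None:
                return False
            self.exp += reward
            return True
        if kind == "addstr":
            amount = msg.get("amount")
            # Must be a positive int within the server's own count of unspent
            # points, not whatever the edited packet says (bool is rejected too).
            if type(amount) is not int or amount <= 0 or amount > self.reserve:
                return False
            self.strength += amount
            self.reserve -= amount
            return True
        return False


def replay(server, msg: dict, times: int) -> int:
    """Send the same packet repeatedly; return how many the server accepted."""
    return sum(1 for _ in range(times) if server.handle(dict(msg)))


KILL_A = {"type": "kill", "monster": "A"}          # constructed packets
ADDSTR_HUGE = {"type": "addstr", "amount": 9999}

if __name__ == "__main__":
    naive = NaiveServer()
    print("naive replayed kills accepted:", replay(naive, KILL_A, 10), "exp:", naive.exp)
    naive.handle(ADDSTR_HUGE)
    print("naive strength:", naive.strength, "reserve:", naive.reserve)

    strict = AuthoritativeServer()
    strict.spawn("A")
    print("strict replayed kills accepted:", replay(strict, KILL_A, 10), "exp:", strict.exp)
    print("strict huge addstr accepted:", strict.handle(ADDSTR_HUGE))
    print("strict addstr 3 accepted:", strict.handle({"type": "addstr", "amount": 3}))
```

The difference is not the packet format but where the state lives: the naive handler lets the client's packet define reality, while the authoritative one derives the outcome from state only the server can change.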
The level up bug had nothing to do with /addstr.
/addxxx is a nice command though; with that command you don't have to click like hell or log out -> go to the main site -> add points -> log in.
They totally removed the "monster xx is killed" packet.
The only thing I know of that CE affected more people was on gunz making the map Stairway in channels that it shouldn't have.
The level up bug had nothing to do with /addstr.
I know, was just mentioning it ^^
/addxxx is a nice command though; with that command you don't have to click like hell or log out -> go to the main site -> add points -> log in.
Yep, it makes all your point-adding needs easier :biggrin:
But when you feel too lazy to type it, the best option is to use an autoclicker and start pimping up your stats :tongue:
In the old days, when you killed a monster there was a packet sent that contained the information that you killed monster A.
You just recorded that and sent it over and over again.
But they found out about it and patched it as soon as possible.
OK, now can you do that in any online game?? I mean, if you have the game setup directory, can you patch the client's exe file so that you just level up that character in no time? Or else drop whatever items you might want (including special amounts too)!! Just tell me, man, what you are really capable of doing, since I told you we would make a fortune doing that :tongue:
It'd depend on whether it's easier to edit the game's EXE or its packets... and how good its anti-cheat protection is (GameGuard, etc...).
... and how good its anti-cheat protection is (GameGuard, etc...).
Nah, don't worry about that, GameGuard became like a b*** that just flows around coders without a single glitch; they always used to provide a cracked copy of it along with the NODC client.
GameGuard is technically a rootkit. It starts along Windows, constantly runs a service, installs a .sys driver and tries to prevent its termination.
All that doesn't make its disabling and uninstallation any difficult task, as proven by the many patches around the Net that remove it and skip its in-game checking. -> Doing this is probably good for your computer and its overall performance and security.
Well, you may be right, but I don't think that turning it off would give you more security & performance stability, since most of the online games I've played required turning GG on all the time, I mean when using legal clients ONLY.
Yes, of course you are unable to play when turning GG "off" (it's always there anyway) and haven't patched your game client.
I was talking about both removing GG completely and patching your game to skip checking for it, which can be illegal.
Anon, reverse engineering products that you only use for yourself is allowed, but if you spread it and it's reverse engineered without permission of the owner it can be illegal.
It depends on where you live. It can range from totally allowed, to only allowed for private use as you mentioned, or always forbidden.
This is why some EULAs mention that should your local laws conflict with what the document states ("for example: reverse engineering is always allowed"), you're not allowed to install the program without the author's written consent.
There was also a guy that reverse engineered Creative drivers to make them work on Vista.
He released it and it became quite popular, and so he was asking if people would donate him money so he could buy cards and then reverse engineer them.
Creative sued him, because he reverse engineered their product and then spread it.
The guy didn't get sued because he received some money for reverse engineering it.
Now the guy is still allowed to reverse engineer it so it can work on other platforms, except one sound card series (don't know which exactly).
Nah, I don't think that if a company wants to sue someone it will fail due to far-away places or different cultures; as long as you have that mentioned in your policy, then it's OK for you to take your revenge on someone who already faked your products (whether by reverse engineering or even faking the manufacture of them).
And he didn't even do it for profit, he just asked for money to be able to buy more SFX cards and continue hacking the drivers for everyone.
If I were Creative, I would have even asked if it was OK to host his drivers in the official website instead of trying to disrupt his efforts :biggrin:
Well, at least now he's allowed to continue his work with certain card series.
Well, but if you ask for authorization you won't get the green light easily; instead just expand your playground wisely among different forums/hosts just to prove that you already did something good for them.
And even if they say no, the app/driver would have already been widely spread... :tongue:
RemoveWGA and Microsoft spring to mind :cool2:
That's the point though :biggrin: just to toss your inventions over the BIG net :tongue: in order to get some extra nice credits.