- #Transmission torrent windows script install#
- #Transmission torrent windows script code#
Highlight the torrent and click the 'Toggle Inspector' icon in the upper left. Click the 'Open Torrent' icon in the upper left and select the malicious file from step #1. Open a web browser and navigate to the web based client. That scripts checks through the RPC interface if there are any other torrents still downloading. It boasts a well documented library interface that is easy to use. It runs on embedded devices as well as desktops. With that, you could write a script that is executed after one (any) torrent is finished downloading, as you do now. libtorrent is a feature complete C++ bittorrent implementation focusing on efficiency and scalability. In Transmission select Edit->Preferences then click the 'Web' tab Transmission offers an RPC interface that lets you communicate with Transmission programmatically. #Transmission torrent windows script install#
Install and start up the Transmission client. Create a malicious torrent file (Example below) that includes arbitrary script elements in the name, comment, or authored by elements. Malicious script elements in the torrent name are easily visible via the desktop client, but malicious elements in the 'created by' or 'comments' elements are more difficult for end users to detect. This presents some barrier, but is easy bypassed by injecting event driven elements in the display. This means malicious scripts must be crafted to exploit the way in which content is dynamically rendered. Or if you need a cli program specifically you can look into aria2. 
The information displayed via the Transmission web client is loaded via AJAX calls and is entirely event driven. You should be able to add torrents to running Deluge and Transmission instances via cli by running their respective cli programs e.g. Transmission 2.50 on Fedora 17 was tested and shown to be vulnerable, but Transmission is a cross platform tool so it is possible versions for other operating systems (such as Mac, Windows, and other Linux) are vulnerable as well. This could lead to privacy compromises (such as if the script "phoned home" to another URL with client information) or client side attacks (such as drive by downloads).
#Transmission torrent windows script code#
torrent file into Transmission and viewing the web client could be subject to arbitrary script injection, allowing an attacker to run arbitrary code in the context of the victim's web browser. torrent files that are loaded into the client resulting in an arbitrary script include (or cross site scripting (XSS)) vulnerability.Ĭlients loading a maliciously crafted. Unfortunately this web based client doesn't sanitize text from. Transmission includes functionality to enable a web based display of the application. Transmission ( ) is a popular, cross platform, open source BitTorrent client. OSVDB: 84242 Description of Vulnerability
0 kommentar(er)
