[Full-disclosure] Re: Window's O/S

From: Dave Korn (davek_throwaway_at_hotmail.com)
Date: 11/24/05

Next message: Dude VanWinkle: "Re: [Full-disclosure] Return of the Phrack High Council"

Previous message: Dave Korn: "[Full-disclosure] Re: Window's O/S"
In reply to: Marek Isalski: "Re: [Full-disclosure] Window's O/S"
Next in thread: Gilles DEMARTY: "Re: [Full-disclosure] Re: Window's O/S"
Reply: Gilles DEMARTY: "Re: [Full-disclosure] Re: Window's O/S"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: full-disclosure@lists.grok.org.uk
Date: Thu, 24 Nov 2005 14:58:54 -0000

Marek Isalski wrote in news:s385b72e.070@mail.smuht.nwest.nhs.uk
>>> create an folder on deskop and name it as "notepad".
>>> open internet explorer > go to view > source code > this will open the
>>> contents of notepad folder....!!
>> Even better: rename any exe to notepad.exe ;)
>
> Is this IE being so stupid as to run with a CWD of Desktop and
> effectively doing a system("notepad")?

Yep.

> That'd explain explorer opening up folders called Notepad, and .exe files
> being run. Bet it also works on MS Word documents (without a .doc
> extension, probably), and any other magically executable file...
>
> Certainly cmd.exe as notepad on the desktop suggests the CWD is your
> Desktop (so presumably IE's CWD is also Desktop).

Yep. You can't see that it's the cwd, but process explorer will show you
it has a handle to desktop open.

> Are there any other external apps IE is stupid enough to run without a
> full path prefix? That could be fun too! :-)

Dunno, but I'll tell you something I spotted the other day.

Copy calc.exe to the root of your C:\ drive, and rename it to
"Program.exe".

Fire up a recently-updated RealPlayer. Watch two instances of calc.exe
appear. Close RealPlayer again. Watch two more instances of calc.exe
appear.

Another un-quoted path with spaces in it. Phj33r!

cheers,
DaveK

-- 
Can't think of a witty .sigline today.... 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Next message: Dude VanWinkle: "Re: [Full-disclosure] Return of the Phrack High Council"

Previous message: Dave Korn: "[Full-disclosure] Re: Window's O/S"
In reply to: Marek Isalski: "Re: [Full-disclosure] Window's O/S"
Next in thread: Gilles DEMARTY: "Re: [Full-disclosure] Re: Window's O/S"
Reply: Gilles DEMARTY: "Re: [Full-disclosure] Re: Window's O/S"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]