I've just (August 2014) seen a report of a program that uses the command line
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"
How does that work? I thought the first parameter was supposed to be the name of a DLL (mshtml), but how does rundll32 parse that command line?
rundll reference: http://support.microsoft.com/kb/164787
There's a great explanation of this here: http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/
To summarize using the same example of:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
javascript:"\..\mshtml
javascript:"\..\mshtml.manifest for the module.
javascript:"\..\mshtml.dll
javascript:"\ directory.
mshtml.dll which it finds in the System directory.
";alert('foo');
javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
"..\mshtml,RunHTMLApplication ";alert('foo');
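For defenders, the command-line shape discussed above can be checked in process-creation logs. The following is an added example, not part of the original question or answer: it splits a rundll32 command line in the `<dll>,<entry point> <args>` form and flags a module that carries a URI scheme, a `\..\` traversal, or resolves to mshtml with the RunHTMLApplication entry point. The heuristic labels and the sample log lines are constructed for illustration.

```python
import re

# Image name with optional path, quotes and ".exe"; group 1 is everything after it.
RUNDLL32 = re.compile(r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I | re.S)
# A URI-style scheme ("javascript:") where a DLL name belongs. Two or more
# characters before the colon, so a drive letter such as C: does not match.
SCHEME = re.compile(r'^"?[a-z][a-z0-9+.-]+:', re.I)

def split_rundll32(cmdline):
    """Return (module, entry_point), or None if the process is not rundll32.
    Module is the text before the first comma; entry point runs to whitespace."""
    m = RUNDLL32.match(cmdline)
    if not m:
        return None
    module, _, tail = m.group(1).partition(",")
    parts = tail.split(None, 1)
    return module.strip(), (parts[0] if parts else "")

def findings(cmdline):
    """Names of the heuristics (labels invented for this example) that fire."""
    parsed = split_rundll32(cmdline)
    if parsed is None:
        return []
    module, entry = parsed
    hits = []
    if SCHEME.match(module):
        hits.append("scheme-prefix-in-module")
    if "\\..\\" in module:
        hits.append("path-traversal-in-module")
    # Compare the final path component, without quotes or a .dll suffix.
    base = module.rsplit("\\", 1)[-1].strip('"').lower()
    if base.endswith(".dll"):
        base = base[:-4]
    if base == "mshtml" and entry.lower() == "runhtmlapplication":
        hits.append("mshtml-RunHTMLApplication")
    return hits

PAGE_EXAMPLE = r'''rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');'''
# Constructed process-creation command lines, not captured from a real host.
SAMPLES = [
    PAGE_EXAMPLE,
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\Windows\System32\rundll32.exe" printui.dll,PrintUIEntry /?',
    r'notepad.exe C:\Users\test\notes.txt',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(findings(line) or "clean", "<-", line)
```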