I've just (August 2014) seen a report of a program that uses the command line
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"
How does that work? I thought the first parameter was supposed to be the name of a DLL (mshtml), but how does rundll32 parse that command line?
rundll reference: http://support.microsoft.com/kb/164787
Answer
There's a great explanation of this here: http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/
To summarize using the same example of:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
- RunDll32
- Parses the command and decides the intended DLL is:
javascript:"\..\mshtml - Fails at loading that as an absolute path.
- Fails to find a match in the working directory or on the path.
- Fails to find a manifest
javascript:"\..\mshtml.manifestfor the module. - Calls LoadLibrary
- Parses the command and decides the intended DLL is:
- LoadLibrary
- Adds the extension and attempts to load
javascript:"\..\mshtml.dll - Treats this as relative, so it goes up from the fake
javascript:"\directory. - Searches for
mshtml.dllwhich it finds in the System directory. - Loads the DLL using RunHTMLApplication as the entry point.
- Adds the extension and attempts to load
- RunHTMLApplication
- Attempts to execute the command
";alert('foo'); - As that's invalid Javascript it calls GetCommandLine for the original command which returns
javascript:"\..\mshtml,RunHTMLApplication ";alert('foo'); - Attempts to open this URI so it asks the system how to handle the javascript protocol which is typically set to Microsoft HTML Javascript Pluggable Protocol in the registry.
- Then executes the Javascript:
"..\mshtml,RunHTMLApplication ";alert('foo');
- Attempts to execute the command
- Javascript
- The first statement creates a string and does nothing with it which is valid enough to not cause an error.
- Continues executing the rest of the script.