Rundll32.exe javascript

david · Aug 5, 2014 · Viewed 9.2k times

I've just (August 2014) seen a report of a program that uses the command line

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"

How does that work? I thought the first parameter was supposed to be the name of a DLL (mshtml), but how does rundll32 parse that command line?

rundll reference: http://support.microsoft.com/kb/164787

Answer

TheQwerty · Aug 21, 2014

There's a great explanation of this here: http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/

To summarize using the same example of:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
  1. RunDll32
    1. Parses the command and decides the intended DLL is: javascript:"\..\mshtml
    2. Fails at loading that as an absolute path.
    3. Fails to find a match in the working directory or on the path.
    4. Fails to find a manifest javascript:"\..\mshtml.manifest for the module.
    5. Calls LoadLibrary
  2. LoadLibrary
    1. Adds the extension and attempts to load javascript:"\..\mshtml.dll
    2. Treats this as relative, so it goes up from the fake javascript:"\ directory.
    3. Searches for mshtml.dll which it finds in the System directory.
    4. Loads the DLL using RunHTMLApplication as the entry point.
  3. RunHTMLApplication
    1. Attempts to execute the command ";alert('foo');
    2. As that's invalid Javascript it calls GetCommandLine for the original command which returns javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
    3. Attempts to open this URI so it asks the system how to handle the javascript protocol which is typically set to Microsoft HTML Javascript Pluggable Protocol in the registry.
    4. Then executes the Javascript: "..\mshtml,RunHTMLApplication ";alert('foo');
  4. Javascript
    1. The first statement creates a string and does nothing with it which is valid enough to not cause an error.
    2. Continues executing the rest of the script.
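As an added defender-side example (not from the question, the answer, or the linked write-up): this Python mimics the DLL/entry-point/argument split the answer describes in step 1.1 and flags command lines whose "DLL" argument is really a URL scheme, an unbalanced quote, or a relative parent-directory walk. Only the first sample command line is the one quoted above; the other three are constructed benign look-alikes, and the heuristics and names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed sample process-creation command lines. Only the first is from the
# page (the answer's Poweliks example); the others are benign look-alikes.
SAMPLE_CMDLINES = [
    'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";alert(\'foo\');',
    'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    'C:\\Windows\\System32\\rundll32.exe user32.dll,LockWorkStation',
    'rundll32.exe "C:\\Program Files\\Vendor\\plugin.dll",Entry arg1 arg2',
]
RUNDLL_RE = re.compile(r'^\s*"?(?:[^\s"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.I)
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]+:', re.I)  # 2+ chars, so "C:" is not a scheme

@dataclass
class RunDllCall:
    module: str  # what rundll32 will hand to LoadLibrary
    entry: str   # the export it will call
    args: str    # the string passed to that export

def parse_rundll32(cmdline: str) -> Optional[RunDllCall]:
    """Split as the answer describes in step 1.1: DLL up to the first comma,
    entry point up to the first space, the remainder is the argument string."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    module, sep, tail = m.group(1).strip().partition(',')
    if len(module) >= 2 and module[0] == module[-1] == '"':
        module = module[1:-1]  # a fully quoted DLL path is normal
    entry, _, args = tail.partition(' ') if sep else ('', '', '')
    return RunDllCall(module, entry, args)

def suspicious_reasons(call: RunDllCall) -> List[str]:
    """Heuristics derived from the parsing confusion the answer walks through."""
    reasons = []
    if SCHEME_RE.match(call.module):
        reasons.append('module argument begins with a URL scheme, not a DLL path')
    if '"' in call.module:
        reasons.append('unbalanced quote inside the module argument')
    if '\\..\\' in call.module and not re.match(r'^[a-z]:\\', call.module, re.I):
        reasons.append('parent-directory traversal in a relative module path')
    if call.entry.lower() == 'runhtmlapplication':
        reasons.append('entry point RunHTMLApplication (mshtml script host)')
    return reasons

def scan(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Return {cmdline: reasons} for every line tripping at least one heuristic."""
    calls = {line: parse_rundll32(line) for line in cmdlines}
    return {line: suspicious_reasons(c) for line, c in calls.items() if c and suspicious_reasons(c)}
```

Running scan(SAMPLE_CMDLINES) flags only the Poweliks line, with all four reasons; the quoted-path and System32 samples parse cleanly and stay silent.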