Rundll32.exe javascript
I've just (August 2014) seen a report of a program that uses the command line

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"

How does that work? I thought the first parameter was supposed to be the name of a DLL (mshtml), but how does rundll32 parse that command line?

rundll reference: http://support.microsoft.com/kb/164787

Sunderance answered 5/8, 2014 at 5:0 Comment(1)
I'm curious as to how this is a down-voted question. This is a fascinating question. It is not necessarily something you'd run into every day writing programs, but is definitely an opportunity for someone to provide a detailed explanation of some very low-level stuff in Windows-land. (as @TheQwerty did below) – Schwitzer
There's a great explanation of this here: http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/

To summarize using the same example of:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
  1. RunDll32
    1. Parses the command and decides the intended DLL is: javascript:"\..\mshtml
    2. Fails at loading that as an absolute path.
    3. Fails to find a match in the working directory or on the path.
    4. Fails to find a manifest javascript:"\..\mshtml.manifest for the module.
    5. Calls LoadLibrary
  2. LoadLibrary
    1. Adds the extension and attempts to load javascript:"\..\mshtml.dll
    2. Treats this as relative, so it goes up from the fake javascript:"\ directory.
    3. Searches for mshtml.dll which it finds in the System directory.
    4. Loads the DLL using RunHTMLApplication as the entry point.
  3. RunHTMLApplication
    1. Attempts to execute the command ";alert('foo');
    2. As that's invalid Javascript it calls GetCommandLine for the original command which returns javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
    3. Attempts to open this URI so it asks the system how to handle the javascript protocol which is typically set to Microsoft HTML Javascript Pluggable Protocol in the registry.
    4. Then executes the Javascript: "..\mshtml,RunHTMLApplication ";alert('foo');
  4. Javascript
    1. The first statement creates a string and does nothing with it which is valid enough to not cause an error.
    2. Continues executing the rest of the script.
Forwardness answered 21/8, 2014 at 13:16 Comment(5)
Either a very clever bit of programming, or an unutterable kludge, but exceptional all the same. Either way, not a supported technique and likely to get blocked soon. – Sunderance
Still works today on updated Windows 10. Not likely to be fixed any time soon. – Katrinka
Where is RunHTMLApplication documented? – Assemble
@ChefGladiator the invalid JavaScript starts with the double quotes, so it's technically an unclosed string. RunHTMLApplication is an undocumented method used by mshta.exe for opening hta files. The link in the answer does a much better job of explaining this. – Forwardness
Thanks @Forwardness ... if you paste that string into the browser address bar, it will be executed with no complaints. Thus I might dare to call it a valid javascript code. This is part of the unfortunate "Windows Scripting Host" subsystem. I find it very useful. – Assemble
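The answer's walkthrough (module spec up to the first comma, `.dll` appended, `\..\` walked as a relative path so the fake `javascript:"` directory disappears) can be turned into a check that tells a defender which DLL a rundll32 command line really loads. This is an added example, not code from the answer or from Microsoft; the parsing rules are a simplification of the steps listed above, the function names are mine, and the command lines are constructed samples, not real telemetry.

```python
"""Model how rundll32/LoadLibrary interpret the module part of a command line,
then flag command lines whose literal module spec hides the DLL actually loaded.
Simplified model of the answer's steps; constructed samples, not real logs."""
import re

def split_rundll32_args(cmdline: str):
    """Return (dll_spec, entry_point, trailing_args). The module spec ends at the
    first comma (or at the closing quote if it starts with one); the entry point
    ends at the first whitespace; everything after that is passed as arguments."""
    rest = re.sub(r'^\s*"?rundll32(\.exe)?"?\s*', '', cmdline, flags=re.I)
    if rest.startswith('"'):
        end = rest.find('"', 1)
        dll_spec, rest = rest[1:end], rest[end + 1:]
    else:
        dll_spec, _, rest = rest.partition(',')
    parts = rest.lstrip(',').split(None, 1)
    return dll_spec, (parts[0] if parts else ''), (parts[1] if len(parts) > 1 else '')

def resolve_module(dll_spec: str) -> str:
    """Mimic LoadLibrary: add .dll when the last component has no extension, then
    collapse '..' the way a relative path is walked (step 2 of the answer)."""
    comps = dll_spec.replace('/', '\\').split('\\')
    if '.' not in comps[-1]:
        comps[-1] += '.dll'
    out = []
    for c in comps:
        if c in ('', '.'):
            continue
        if c == '..':
            if out:
                out.pop()          # the bogus 'javascript:"' directory is discarded here
            continue
        out.append(c)
    return '\\'.join(out)

def assess(cmdline: str) -> dict:
    """Parse one command line and list why its module spec looks deceptive."""
    dll_spec, entry, args = split_rundll32_args(cmdline)
    module = resolve_module(dll_spec)
    reasons = []
    if re.match(r'^[a-z][a-z0-9+.-]*:', dll_spec, re.I) and not re.match(r'^[a-z]:\\', dll_spec, re.I):
        reasons.append('module spec starts with a URL scheme, not a drive letter')
    if '"' in dll_spec:
        reasons.append('unbalanced quote inside module spec')
    if '..' in dll_spec.split('\\'):
        reasons.append(f'".." traversal: spec actually resolves to {module}')
    return {'dll_spec': dll_spec, 'entry': entry, 'args': args,
            'module': module, 'suspicious': bool(reasons), 'reasons': reasons}

SAMPLE_CMDLINES = [  # constructed process-creation command lines
    r'rundll32.exe shell32.dll,Control_RunDLL',
    r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
    r'''rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');''',
]

def flagged(cmdlines=SAMPLE_CMDLINES):
    """Return the command lines that assess() marks as suspicious."""
    return [c for c in cmdlines if assess(c)['suspicious']]
```

Running `assess` over the third sample reports the module as `mshtml.dll` with entry point `RunHTMLApplication` and the leftover `";alert('foo');` as arguments, which is exactly the split the answer describes.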