9

I've just (August 2014) seen a report of a program that uses the command line

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"

How does that work? I thought the first parameter was supposed to be the name of a DLL (mshtml), but how does rundll32 parse that command line?

rundll reference: http://support.microsoft.com/kb/164787

david
    I'm curious as to how this is a down-voted question. This is a fascinating question. It is not necessarily something you'd run into every day writing programs, but is definitely an opportunity for someone to provide a detailed explanation of some very low-level stuff in Windows-land. (as @TheQwerty did below) – Ryan Ransford Aug 21 '14 at 13:28

1 Answer

17

There's a great explanation of this here: http://thisissecurity.net/2014/08/20/poweliks-command-line-confusion/

To summarize using the same example of:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
  1. RunDll32
    1. Parses the command and decides the intended DLL is: javascript:"\..\mshtml
    2. Fails at loading that as an absolute path.
    3. Fails to find a match in the working directory or on the path.
    4. Fails to find a manifest javascript:"\..\mshtml.manifest for the module.
    5. Calls LoadLibrary
  2. LoadLibrary
    1. Adds the extension and attempts to load javascript:"\..\mshtml.dll
    2. Treats this as relative, so it goes up from the fake javascript:"\ directory.
    3. Searches for mshtml.dll which it finds in the System directory.
    4. Loads the DLL using RunHTMLApplication as the entry point.
  3. RunHTMLApplication
    1. Attempts to execute the command ";alert('foo');
    2. As that's invalid Javascript it calls GetCommandLine for the original command which returns javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
    3. Attempts to open this URI so it asks the system how to handle the javascript protocol which is typically set to Microsoft HTML Javascript Pluggable Protocol in the registry.
    4. Then executes the Javascript: "..\mshtml,RunHTMLApplication ";alert('foo');
  4. Javascript
    1. The first statement creates a string and does nothing with it which is valid enough to not cause an error.
    2. Continues executing the rest of the script.
TheQwerty
  • Either a very clever bit of programming, or an unutterable kludge, but exceptional all the same. Either way, not a supported technique and likely to get blocked soon. – david Aug 25 '14 at 02:42
  • Still works today on updated Windows 10. Not likely to be fixed anytime soon. – karliwson Mar 21 '17 at 14:07
  • Where is `RunHTMLApplication` documented? – Chef Gladiator Oct 15 '20 at 18:00
  • @ChefGladiator the invalid JavaScript starts with the double quotes, so it's technically an unclosed string. `RunHTMLApplication` is an undocumented method used by `mshta.exe` for opening hta files. The link in the answer does a much better job of explaining this. – TheQwerty Oct 16 '20 at 02:58
  • Thanks @TheQwerty ... if you paste that string into the browser address bar, it will be executed with no complaints. Thus I might dare to call it a valid javascript code. This is part of the unfortunate "Windows Scripting Host" subsystem. I find it very useful. – Chef Gladiator Oct 17 '20 at 06:13
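The parsing steps in the accepted answer can be reproduced with a small model, which also makes the defensive point concrete: the module name rundll32 was given and the DLL that LoadLibrary finally maps are different strings, and that mismatch is what a process-creation log review can key on. The following is an added example, not code from the question, the answer, or the linked write-up. It is a deliberately simplified model of rundll32 and LoadLibrary (split at the first comma, append `.dll` when no extension is present, collapse `..` components, look the basename up in a simulated search order); the search directories, their contents and the log lines are constructed for the demonstration.

```python
import ntpath
import re

# Constructed search order for the LoadLibrary model (assumption: a working
# directory without the DLL, then the System directory that does have it).
SEARCH_DIRS = [
    (r"C:\Users\demo\app", set()),
    (r"C:\Windows\System32", {"mshtml.dll", "shell32.dll", "user32.dll"}),
]

# Constructed process-creation command lines: two ordinary rundll32 uses and
# the command line discussed on the page.
LOGS = [
    r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
    r'''rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');''',
    r"rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation",
]

RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(.*)", re.IGNORECASE)


def split_rundll32_args(cmd_tail):
    """Model of rundll32's argument split (step 1.1 of the answer): the module
    name runs up to the first comma, the entry point up to the next space,
    and whatever follows is handed to the entry point as its argument."""
    module, _, rest = cmd_tail.partition(",")
    entry, _, args = rest.partition(" ")
    return module, entry, args


def loadlibrary_resolve(module, search_dirs):
    """Model of LoadLibrary's name handling (step 2 of the answer): add .dll
    when the name has no extension, treat the name as a relative path whose
    '..' components discard what precedes them, then search for the
    remaining basename in the simulated directories. Returns the full path
    of the DLL that would actually be loaded, or None."""
    name = module if ntpath.splitext(module)[1] else module + ".dll"
    stack = []
    for part in name.replace("/", "\\").split("\\"):
        if part == "..":
            if stack:
                stack.pop()
        elif part not in ("", "."):
            stack.append(part)
    basename = stack[-1] if stack else ""
    for directory, files in search_dirs:
        if basename.lower() in {f.lower() for f in files}:
            return directory + "\\" + basename
    return None


def suspicious_rundll32(command_line, search_dirs=SEARCH_DIRS):
    """Review rule for process-creation logs: return the reasons a rundll32
    command line looks abnormal, or an empty list for an ordinary one."""
    m = RUNDLL32_RE.search(command_line)
    if not m:
        return []
    module, entry, _args = split_rundll32_args(m.group(1).strip())
    reasons = []
    # A drive letter is "C:"; anything longer before the colon is a URI scheme.
    if re.match(r"^[A-Za-z]{2,}:", module):
        reasons.append("module name starts with a URI scheme, not a path")
    if '"' in module or "'" in module:
        reasons.append("quote character inside the module name")
    if ".." in module.replace("/", "\\").split("\\"):
        reasons.append("parent-directory traversal inside the module name")
    resolved = loadlibrary_resolve(module, search_dirs)
    if resolved and ntpath.basename(resolved).lower() == "mshtml.dll" \
            and entry.lower() == "runhtmlapplication":
        reasons.append("mshtml!RunHTMLApplication: script interpreter "
                       "driven by the command line")
    return reasons


if __name__ == "__main__":
    for line in LOGS:
        print(line)
        print("  ->", suspicious_rundll32(line) or "ordinary")
```

Running the block prints one verdict per constructed log line; only the page's `javascript:` command line is flagged, and it is flagged four times over, so any one of the checks (scheme prefix, embedded quote, `..` traversal, the `mshtml,RunHTMLApplication` pair) is enough on its own for a detection rule. The model stops where the answer's step 2 stops: it shows which DLL is mapped, not what `RunHTMLApplication` then does with the argument string.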