-4

I want to know if there is a way to open an exe file from the client side with jQuery or JavaScript.

I tried with windows.open("..") but it didn't work.

ROMANIA_engineer
Vito Ferrulli
  • no you can't. For security reasons – Dalorzo Aug 18 '16 at 16:21
  • Why do you want to run an executable on the machine of someone using your webpage? – Ken Bellows Aug 18 '16 at 16:32
  • Generally speaking you can only run an exe with a server side language, with that being said, there is nothing stopping you from calling a server side script using a client side language. – MCMXCII Aug 18 '16 at 16:34

1 Answer

3

First off, Dalorzo is correct - you cannot escape the sandbox of a browser without earning lots of money. Recently Pinkie Pie won over $60k from Google for performing such a task on Google Chrome.

http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html

However, sometimes I ask questions to try to find out-of-the-box solutions, so I'm assuming that you have a legitimate use-case for this question. I can help you think of a "hack" solution if you have a legitimate use for this. I'll probably get downvoted to oblivion for this response, but theoretically you could do this...

Back in college, I took a computer forensics class in which I wrote a chat web application which would forensically clean a user's computer from having ever accessed the chat webpage. This was done through the user running an executable they could download from the site. However, I wanted the users to not have to run the executable every time, so I wanted a sandbox escape like you're asking about.

It's messy, but if your users are a participating party they can modify their computer to allow executables to be run from Chrome webpages.

Please Note: This will make your computer less secure, I only ever did it on Virtual Machines or Lab Machines. Reconsider whether you actually wanna try this or not.

Step One: Create a Chrome custom browser:

This is the Python that I eventually compiled to a packed *.exe that accomplished creating a Google Chrome custom browser.

import sqlite3 as lite

# The keywords table in Chrome's Web Data file holds the search-engine entries.
# Raw string so the backslashes in the Windows path are not read as escape sequences.
con = lite.connect(r'C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Web Data')
c = con.cursor()
#idmax = c.execute('SELECT MAX(id) FROM keywords')
#c.execute("INSERT INTO keywords  VALUES('cleanupeverybodyeverywhere','cleanupeverybodyeverywhere','','forensichat://C:>Windows>System32>calc.exe',0,'',0,0,'',0,'',0,0,'',0,'','','','','','','','','')")
# Add the entry only if it is not already present.
c.execute("SELECT * FROM keywords WHERE short_name='cleanupeverybodyeverywhere'")
foo = c.fetchall()
if foo == []:
    c.execute("INSERT INTO keywords (short_name,keyword,url,favicon_url) VALUES ('cleanupeverybodyeverywhere','cleanupeverybodyeverywhere','forensichat://C:>Windows>System32>calc.exe','')")
    con.commit()
con.close()

Note that now when I open a Chrome tab and use the custom browser cleanupeverybodyeverywhere to run the key forensichat, it will open calc.exe as proof of concept.

Step Two: Modify your Windows Registry:

import winreg as wreg  # this module is named _winreg on Python 2
import getpass

user = getpass.getuser()
key = wreg.CreateKey(wreg.HKEY_CLASSES_ROOT, '')
wreg.SetValue(key, 'forensichat', wreg.REG_SZ, 'URL:forensichat Protocol')
# Create new subkey; the empty "URL Protocol" value marks it as a URL scheme handler
kkey = wreg.CreateKey(wreg.HKEY_CLASSES_ROOT, 'forensichat')
wreg.SetValueEx(kkey, 'URL Protocol', 0, wreg.REG_SZ, '')

# Create new value (raw strings and doubled backslashes keep the key and file paths literal)
wreg.CreateKey(wreg.HKEY_CLASSES_ROOT, r"forensichat\shell")
nkey = wreg.CreateKey(wreg.HKEY_CLASSES_ROOT, r"forensichat\shell\open")
wreg.SetValue(nkey, "command", wreg.REG_SZ, 'C:\\Users\\' + user + '\\Downloads\\forensicleaner.exe')

key.Close()

Note that I'm creating a key called forensichat which will run the exe found in the user's Downloads folder.

Of course, I ended up cleaning this all up and packing it so Anti-Virus wouldn't flag it, next thing I know Google Chrome has marked the site lol. It's still up if you wanna check it out - check Secure Chat and Repeat Customer. Chrome will flag it, but there's obviously ways around that.

atschaal
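A defender's check for the two changes this answer makes, added here as an example and not part of the original answer: it lists entries in a copy of Chrome's Web Data `keywords` table whose URL uses a non-web scheme, and tests whether a protocol handler's command string points into a user-writable folder. The function names, the folder heuristic and the cut-down sample table are assumptions made for illustration.

```python
import re
import sqlite3
from pathlib import Path

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
WEB_SCHEMES = {"http", "https"}
# Assumed heuristic: handler binaries in user-writable folders deserve review.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")


def suspicious_search_engines(web_data_path):
    """Return (short_name, keyword, url) rows whose URL has a non-web scheme.

    Run it on a copy of Chrome's 'Web Data' file; Chrome locks the live one.
    Template URLs that start with a placeholder such as {google:baseURL}
    have no literal scheme and are not reported.
    """
    uri = Path(web_data_path).resolve().as_uri() + "?mode=ro"  # read-only open
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT short_name, keyword, url FROM keywords").fetchall()
    finally:
        con.close()
    flagged = []
    for short_name, keyword, url in rows:
        m = SCHEME_RE.match(url or "")
        if m and m.group(1).lower() not in WEB_SCHEMES:
            flagged.append((short_name, keyword, url))
    return flagged


def handler_in_user_writable_dir(command):
    """True if a shell\\open\\command string points into a user-writable folder."""
    return any(part in command.lower() for part in USER_WRITABLE)


def build_sample_db(path):
    """Constructed sample: a cut-down keywords table with the columns the page uses."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE keywords (short_name, keyword, url, favicon_url)")
    con.executemany("INSERT INTO keywords VALUES (?, ?, ?, '')", [
        ("Google", "google.com", "{google:baseURL}search?q={searchTerms}"),
        ("Example", "example.com", "https://example.com/?q={searchTerms}"),
        ("cleanupeverybodyeverywhere", "cleanupeverybodyeverywhere",
         "forensichat://C:>Windows>System32>calc.exe"),
    ])
    con.commit()
    con.close()
```

On Windows, the command strings to test would come from the `shell\open\command` value of each `HKEY_CLASSES_ROOT` key that carries a `URL Protocol` value.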