(Courtesy of fravia's searchlore.org)



(¯`·.¸(¯`·.¸ Extension Identification Bug ¸.·´¯)¸.·´¯)
and IE Registry Manipulation 

by Doc~


published @ searchlores in June 2002

I received this per e-mail at the beginning of June. I read it with interest. Then I went downstairs and had a glass of white wine. Then the coin went down: "d-lling!". So I went upstairs and printed for myself the stuff you will now read. Then I re-read it. Whoa! Satori! I suddenly, fully aware of the shaming delay, understood what this means :-)


Written by Doc~
Released in May 2002, published at http://www.searchlores.org in June 2002.
www.megasecurity.org
Extension Identification Bug and IE Registry Manipulation;
Public Release v1.0

This article and the opinions in it are the sole belief of the author, and not those of the website. The author acknowledges that there may be some false information; the author, releasing everything at this time, fully believes everything to be true, and unless proved otherwise it should be taken as such. By reading and/or distributing this information you, the user, are responsible for any actions or responses that may occur while copying or replicating situations mentioned in this paper.
Tested on:
IE 5.5
Windows 2000 sp2

This paper was previously not intended for public viewing. I've changed my mind so here you guys are.

History
Recently I was working on an advisory for some CLSID problems I came across, and along the way figured out something quite interesting that coders might want to know about. I'll start from the beginning; follow along and hopefully everything will be clear by the time you reach EOF. First, let's create our very own file extension. It is going to be called .mr, so under HKCR create the key .mr:

    HKCR\.mr\
    HKCR\.mr\ (Default) = MRFile
    HKCR\.mr\ Content Type = application/x-mr

What is happening here is pretty simple. We are setting up an extension. Whenever you open a file, the shell looks under HKCR\.* for a key named after the file's extension. If it finds one, it follows the instructions stored there on how to handle that extension. Right now we are telling Windows that a file with the .mr extension is to be handled according to the instructions under MRFile; the (Default) value is a pointer to the instructions, for those of us who are C++ oriented.

I'll run through the registry settings one by one. First create the key HKCR\.mr\. Its (Default) value should be MRFile (or whatever name you choose for your own type) and should be of type REG_SZ; in this paper we only deal with REG_SZ and REG_BINARY values. Content Type is what Explorer and IE use to match the extension to a MIME type. I created my own content type, application/x-mr, so for me Content Type = application/x-mr.

Note that you can set Content Type to application/x-anything, application/anything, image/anything and so on, you get the idea; this is what IE reads so it knows how to handle the file. I have fooled around with it and was able to create my own content type, as well as download and run a file without the victim being prompted (we'll talk about that later ;) ).

Next we are going to create the key HKCR\MRFile. Its (Default) value is the friendly type name Explorer displays when you click a file of that type once; for example, click on an .html file and the left-hand pane of My Computer says "HTML Document".

    HKCR\MRFile\ (Default) = MR File
    HKCR\MRFile\DefaultIcon\ (Default) = %SystemRoot%\System32\shell32.dll,-151

Note that this entry will give all .mr files the icon of a WordPad document...

    HKCR\MRFile\Shell\
    HKCR\MRFile\Shell\Open (Default) = &Open
    HKCR\MRFile\Shell\Open EditFlags = 00 00 00 00
    HKCR\MRFile\Shell\Open\command (Default) = C:\winnt\server.exe

Note that if you want an "Open with" verb you can use something like &Open with &txtfile as the verb's (Default); it's up to you to fool around with that. That is one of many ways to utilize "open with". Stay tuned for changes to the EditFlags value below. For the command, I recommend utilizing "%1" %* instead of the server location (explained next).

Let's go through this entry by entry. We create MRFile; remember that HKCR\.mr points to MRFile. HKCR\MRFile\ (Default) = MR File is what My Computer shows on the right when you select a .mr file; you can change it to MR Document or whatever you want to see. The DefaultIcon key sets the default icon and is pretty self-explanatory. Things get interesting at the Open key. Its (Default) value can be empty if you want; the text is only the label of the verb on the context menu, and the & in &Open marks the letter used as the keyboard accelerator for that menu item. The label can also be used to make the "open with" intention visible: for example, with "&Open with &MRFile" the file will be opened with the MRFile instructions. With the command's (Default) value set to the server location, every time a .mr file is opened the server runs; the actual .mr file you double-clicked does not execute, only the file the command points to does. I recommend using "%1" %* instead of a server location: the shell substitutes the path of the opened file for %1 (and any extra arguments for %*), so the .mr file itself is executed as a program, exactly as the built-in .exe type's command does. Both serve their purpose. Instead of "%1" %* you could also point the command to an .lnk file and, from that .lnk, have it run the server, confusing the user even more.

Now we have our own executable file type; we are halfway there!

Since we are mad elite, I'm going to show you how to make the new file type get downloaded and run by IE with no prompting... We're going to have to make some registry entries, so bear with me. First we want to fully define the content type so that IE and any other Internet-protocol program can handle it. We add these entries:

    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mr
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mr (Default) = (value not set)
    HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mr Extension = .mr

You can name the type anything you please as long as it points to an extension. Hypothetically you could modify an existing type to execute your file type; that is not recommended because I foresee errors.

Alright, basically we are creating the type so that when IE receives the Content-Type header of the response it searches the database and finds application/x-mr; x-mr points to the .mr extension in HKCR\.mr\, which in turn points to MRFile, and we are brought back to the file instructions. Now, to utilize this to update your server with a new version you must use "%1" %* as the command instead of the server location, because with the server location the old server would run instead of the newly downloaded one.

After much testing I found the one key needed to make it execute. The keys above don't themselves do the downloading and executing; they serve other purposes, as I found out the hard way, lol:

    HKCR\MRFile EditFlags = 00 00 01 00

So simple, yet so complex. ;)

(Read as a little-endian DWORD this REG_BINARY value is 0x00010000, the FTA_OpenIsSafe bit of the documented EditFlags bitmask: it declares that opening files of this type is "safe", which is what lets IE skip the open/save prompt.)

**Note that the above example works on IE 5.5 and was not tested on any other version. It *should* work on IE 6, and I haven't even thought of testing it on Netscape; that is up to you guys. Send me results though, I am interested.

As I started to write this section I figured something else out, so you're in luck: I'm going to give you two brilliant examples, from least brilliant to most brilliant. I'm going to show the registry entries that need to be made or that are important.

    HKCR\lnkfile\    (note the NeverShowExt value; just thought you might take a peek at it ;) )
    HKCR\lnkfile\shell
    HKCR\lnkfile\shell\open\
    HKCR\lnkfile\shell\open\command
    HKCR\lnkfile\shell\open\command (Default) = file location

A couple of things to cover. First, I don't know why there isn't a handler in the command key; that is simply the way my registry was. Secondly, adding the server's location is one way of running it, but it means that all .lnk files run an invisible program (the server), which makes it awfully suspicious. This example also doesn't occur when clicking desktop links; I don't know why. What you must do is create a file and rename it to .lnk; opening that file will run the (Default) value. I'm currently working on a method to run the file the user expected and the server at the same time.

Note this is nothing to get too excited over, in my opinion at least, but it is one way to elude AVs as well: you can create, for example, c:\winnt\kernel32.lnk, which will execute an .exe or .mr file. Or, if you wanted, you could make DLLs executable and see the results; it's up to you to test that idea. With registry knowledge the ideas are endless...

Anyway, moving right along... This next idea hasn't been tested but, very hypothetically, it should work! If you test it, please e-mail me to let me know how it went.

Basically we are upping the ante with this next trick. Instead of a .lnk file, why not pick a file extension Windows starts up automatically... catching on? Here's a hypothetical example (I would not be scared to try this; just back up your registry first, no guarantees).

HKCR\sysfile consists of relatively few registry entries; so did lnkfile, and that worked. The only concern is whether modifying it will stop the .sys files from loading and just execute the server; however, your server could then start up those needed .sys files itself. As I stated above, I'm currently working on a way to run both at once. I can't predict the results of testing this, nor will I try to.

    HKCR\sysfile\
    HKCR\sysfile\shell\
    HKCR\sysfile\shell\Open
    HKCR\sysfile\shell\Open\command
    HKCR\sysfile\shell\Open\command (Default) = server location   (maybe point it to an .lnk file to fool the user?)

(One caveat: device drivers are loaded by the kernel from their service entries under HKLM\SYSTEM\CurrentControlSet\Services, not through the shell's file association, so a command under HKCR\sysfile only fires when a user opens a .sys file from Explorer or IE; it does not hook driver loading at boot.)

Let's go through some of the values stored in HKCR\sysfile\. The EditFlags value is very important, as it decides whether IE will download without prompting; I can only imagine what this type's version of EditFlags does. The NoOpen value is awfully suspicious. If you have a second computer I encourage you to test it. I will contribute extra information if you e-mail me; I'm curious to see if this works.
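The three tricks above (the .mr type with its MIME entry and its EditFlags = 00 00 01 00, the command added under lnkfile, and the proposed command under sysfile) all leave the same kind of trace in HKCR. The following PowerShell audit is an added example and not code from the article or its author: it walks every HKCR\.<ext> key to its ProgID, decodes EditFlags whether stored as REG_BINARY (as on the Windows 2000 box above) or REG_DWORD, and reports types whose command executes the opened file itself ("%1" %*) under an extension Windows does not normally treat as executable, types carrying FTA_OpenIsSafe (0x00010000, the bit the article sets), MIME database entries whose Extension value points at a flagged extension, and any shell\open\command on lnkfile or sysfile, which normally have none. The list of known executable extensions and the choice of lnkfile and sysfile as the shell-handled types to watch are this example's own assumptions. It is read-only.

```powershell
# Added example, not part of the original article. Read-only audit of file-type
# registrations of the kind the article builds (.mr -> MRFile -> "%1" %*, plus a
# MIME entry and EditFlags = 00 00 01 00).
# Assumptions (mine, not the article's): the list of extensions Windows already
# treats as executable, and lnkfile/sysfile as ProgIDs that should carry no command.

Set-StrictMode -Version 2

$FTA_OpenIsSafe   = 0x00010000   # documented FILETYPEATTRIBUTEFLAGS bit; 00 00 01 00 as REG_BINARY
$FTA_AlwaysUnsafe = 0x00020000
$KnownExecExt     = @('.exe', '.com', '.bat', '.cmd', '.pif', '.scr')   # assumption
$ShellHandledIds  = @('lnkfile', 'sysfile')                              # the article's own targets

function Get-EditFlags([Microsoft.Win32.RegistryKey]$Key) {
    $raw = $Key.GetValue('EditFlags')
    if ($null -eq $raw) { return [uint32]0 }
    if ($raw -is [byte[]]) {
        # REG_BINARY is stored little-endian: 00 00 01 00 -> 0x00010000
        $buf = New-Object byte[] 4
        [Array]::Copy($raw, $buf, [Math]::Min(4, $raw.Length))
        return [BitConverter]::ToUInt32($buf, 0)
    }
    # REG_DWORD on newer systems; mask so a high bit does not read as a negative Int32
    return [uint32]([int64]$raw -band 0xFFFFFFFF)
}

function Get-OpenCommand([Microsoft.Win32.RegistryKey]$ProgKey) {
    $cmdKey = $ProgKey.OpenSubKey('shell\open\command')
    if ($null -eq $cmdKey) { return $null }
    return [string]$cmdKey.GetValue('')
}

$hkcr       = [Microsoft.Win32.Registry]::ClassesRoot
$findings   = @()
$flaggedExt = @{}

foreach ($ext in $hkcr.GetSubKeyNames() | Where-Object { $_.StartsWith('.') }) {
    $extKey = $hkcr.OpenSubKey($ext)
    if ($null -eq $extKey) { continue }
    $progId = [string]$extKey.GetValue('')          # HKCR\.ext (Default) -> ProgID
    if (-not $progId) { continue }
    $progKey = $hkcr.OpenSubKey($progId)
    if ($null -eq $progKey) { continue }

    $cmd   = Get-OpenCommand $progKey
    $flags = Get-EditFlags $progKey
    # "%1" %* with no program in front: the shell executes the opened file itself
    $runsItself = ($null -ne $cmd) -and ($cmd.Trim() -match '^"?%1"?(\s+%\*)?$')
    $openIsSafe = (($flags -band $FTA_OpenIsSafe) -ne 0) -and (($flags -band $FTA_AlwaysUnsafe) -eq 0)

    $reasons = @()
    if ($runsItself -and ($KnownExecExt -notcontains $ext.ToLower())) { $reasons += 'executes the file itself' }
    if ($openIsSafe -and $cmd) { $reasons += 'FTA_OpenIsSafe set (IE may open without prompting)' }
    if ($reasons.Count -gt 0) {
        $flaggedExt[$ext.ToLower()] = $true
        $findings += [pscustomobject]@{
            Item = $ext; ProgId = $progId; Command = $cmd
            EditFlags = ('0x{0:X8}' -f $flags); Reason = ($reasons -join '; ')
        }
    }
}

# MIME types whose Extension value points at a flagged extension: the path IE takes
# from a Content-Type header down to the handler.
$mimeRoot = $hkcr.OpenSubKey('MIME\Database\Content Type')
if ($null -ne $mimeRoot) {
    foreach ($type in $mimeRoot.GetSubKeyNames()) {
        $k = $mimeRoot.OpenSubKey($type)
        if ($null -eq $k) { continue }
        $target = [string]$k.GetValue('Extension')
        if ($target -and $flaggedExt.ContainsKey($target.ToLower())) {
            $findings += [pscustomobject]@{
                Item = "MIME $type"; ProgId = ''; Command = ''
                EditFlags = ''; Reason = "Extension -> $target (flagged above)"
            }
        }
    }
}

# lnkfile and sysfile are handled by the shell and normally carry no shell\open\command;
# one appearing there is exactly the second half of the article.
foreach ($id in $ShellHandledIds) {
    $k = $hkcr.OpenSubKey($id)
    if ($null -eq $k) { continue }
    $cmd = Get-OpenCommand $k
    if ($cmd) {
        $findings += [pscustomobject]@{
            Item = $id; ProgId = $id; Command = $cmd
            EditFlags = ('0x{0:X8}' -f (Get-EditFlags $k)); Reason = 'unexpected open command'
        }
    }
}

$findings | Sort-Object Item | Format-Table -AutoSize
```

FTA_OpenIsSafe hits need a human look, since some legitimate document types carry the bit; the combination that matches the .mr construction is a non-executable extension that both executes itself and is marked open-safe, with a MIME entry pointing at it.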

Misc.
I did discover how to figure out what a file extension's CLSID would be. The CLSID makes the extension more "real" and increases the possibilities and ways to call the file. You can run applications from the web using window.open=file:///clsid::/clsid ... I haven't included how to find the CLSID, but if you are interested, e-mail me.
EOF

I came up with a couple more pages of start-up tricks, like using Control Panel and CLSID aliases to start the files, but I don't feel they qualify. There is much I have found but won't release because it's "not good enough". This is my contribution to you guys. Enjoy; it will probably be my last.
Thanks.
No one is perfect. If there is false information or spelling or grammatical errors, please e-mail me and help me correct them; I am firmly against false information and have gone to great lengths to verify everything mentioned above.        -> E-mail -> http://tnt2.ath.cx:5080/kernel32/xxx_drneo_xxx@yahoo.com?subject=false info/error
Thanks goes to the following people in no special order:
Cyberfly, M_R and Magus (thanks for all your help and support :-) ), weed (congrats bro), SilenceGold, dragnet, Elektik, #tnt, Connected, and ap0calaps. Also a huge thank you to Olympus (http://www.lithiumrat.org/) for developing proof-of-concept code, and to mf4 (areyoufearless.com) for also developing code, and to both for their constant programming help. I would like to thank ·=[KïÐ ÄRCåÐê]=· for letting me borrow and publish his code. If you have been forgotten, I'm sure I was having a memory lapse; thanks to you too.


(c) 1952-2032: [fravia+], all rights reserved