Microsoft Explorer html-based folders (Level= Script Kiddie)



*****************************************************************************************************************************
Crim3 is no longer a member of Hack3z since he found out that the founder of this group used defacings of websites to promote the clan. This kind of activity bothers me at great length and I will no longer support any hacking crew. At a certain age you discover that you can only trust yourself
*****************************************************************************************************************************

What is in this text:
---------------------

This text will explain an exploit that shows the threat of a single folder on your comp with wright access for
everyone (like the homedir of your free FTP server") or auto a ccepting files with your chatclient.
The exploit has only been tested on W2K machines and it involves triggering a sent virus without the need to click on it.
The way this is done is by exploiting the html based folders in windows.

The problem is exactly the same as the execution of virii in outlook based emails.


HTML Based folders under windows:
---------------------------------

Windows constructs it's explorer screens using HTMl code. This code is stored in the *.htt files. The global (default)
file used is desktop.htt located (for w2k) in
"c:\documents and settings\USERNAME\Application Data\Microsoft\Internet Explorer witch is usually protected. However, you
can create a different *.htt layout file for each folder. You can do this quickly thrue the menu. Now, all that the wizart
does is creating a new file called folder.htt and one called desktop.ini. Other additional files are also created depending
on the type of layout you have chosen. The desktop.ini file is placed directly within the folder itself and the folder.htt
file is placed within a subdirectory called 'Folder settings'. All files are hidden, so make sure you have the
"show hidden files enabled" option switched on.
Now that we have are custom folder we are going to take a look at both the folder.htt file and the desptop.ini


Desktop.ini:
------------

When opening the file it will look a lot like this:

[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
PersistMoniker=file://Folder Settings\Folder.htt
PersistMonikerPreview=%WebDir%\folder.bmp
[ExtShellFolderViews]
{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}
[.ShellClassInfo]
ConfirmFileOp=0

We are not going to bother with the CLSID's because they have no value for the article (although looking up the clsid of a
bat file in the registry and switching the command for EDIT with that of RUN has some uses too *grin*)
the only thing of importance here is the PersistMoniker

The PersistMoniker= this is the file containing the layout and here it states the folder.htt in the folder setttings
directory.
If you did check out the CLSID in the registry you would have found the default path for the PersistMoniker
(folder.hht) as it is stated above.


The HTML Layout: Folder.htt
---------------------------

Open the file with your favorite html editor (preferably a plain text editor).
Here you have the code that builds your folder layout (written in the bombastic and overkill way as only microsoft can)

The page starts with defining a load of variables that have pretty well chosen names, so you can start changing things to
your likings a bit here.

The first large chunk of code is all dedicated to the layout and is all javascript. I wouldn't temper with the code unless
you really, REALLY know what you are doing. Most of this code is unrelevant (i said MOST; (the onlcick and keypress
events are handeled in here)) and describes how the window should handle textsizes and positioning on events like a
resizing of the screen

The fun starts with the function "function Load()", witch is, as you may have guessed, the function that is triggered when
the folder is opened. (look for it using F3 or CTRL-F). Whatever code you wanted added to the page do it here.

Then the actual HTML code starts


Now that we have everything, what can we do with it?:
-----------------------------------------------------

The uses are as limited as vbscript,javascript,perl,asp,... So there are a lot of things that you can use this for.
I use it for securing personal folders by either deleting the entire contence of the folder.htt file (returning an empty
page when the folder is opened with explorer) or embedding a script that triggers a virus or send me an email notifying that
someone has opened the folder. The uses can be used for good or for bad. Take for instantance all those guys that have
auto accept enabled on their chat clients; try sending a trojan with the desktop.ini and an altered htt file that triggers
the virus when the folder is opened? Or ad a frame with links to standard forms used in your company.
One of the most powerfull options is embedding another file located on the net enabeling you to use an ASP or Perl script
in the folder. for instance:
<IFRAME src="http://intraserver/scripts/ASP/sendmail.asp?sender=?Foldername@remotehost"></IFRAME>


that's it

Best regards

*****************************************************************************************************************************
Crim3 is no longer a member of Hack3z since he found out that the founder of this group used defacings of websites to promote the clan. This kind of activity bothers me at great length and I will no longer support any hacking crew. At a certain age you discover that you can only trust yourself
*****************************************************************************************************************************
Credits

Crim3 (there's nothing wrong with not knowing, not learning bothers me)
For more info: Criminal_insect at hotmail dot com