Vulnerability Development mailing list archives

lnk-files


From: ian.vitek () INFOSEC SE (Ian Vitek)
Date: Wed, 17 May 2000 19:43:00 +0100


After reading about Windows hidden extensions, written by Jim Murray, I sat down
and tried to construct all of them. Nothing funny about that.
After some more testing I tried to link two lnk-files together (with a hex
editor) so they were pointing at each other on a Windows NT 4.0. After updating
the explorer (F5) the utilization went up to 100% and explorer crashed and
restarted.
Then I put together a lnk-file pointing at a non-existing very long file name (
"A" x 2004 . ".txt" ). Explorer restarted when I moved into the directory.
I put together a new lnk-file pointing at a non-existing file with a very long
extension ( "test." . "A" x 2003 ). Got a Dr. Watson ( 0xc0000005 Address:
0x77f8eae4 ) when trying to open the link. Pointing to ( "test." . "B" x 2003 )
gives Dr. Watson ( 0xc0000005 Address: 0x77c43850 ). Same as the old long
extension?

Does anyone know what the osd-files do? They are under %windir%\Downloaded
Program Files and have a desktop.ini pointing to CLSID
{88C6381-2E85-11D0-94DE-444553540000}. They look like XML documents...

Work to do: Find a lnk or other extension not running explorer and try to
manipulate them to get a real buffer overflow or other unexpected result.

//Ian Vitek, Infosec
mailto:ian.vitek () infosec se
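
As a defender-side illustration of the over-long link targets described in the message above, this added example (not part of the original post) walks a .lnk file using the published Shell Link binary layout and reports string fields longer than a limit. The 260-character threshold, the function names and the sample bytes are assumptions constructed here.

```python
import struct

MAX_PATH = 260  # assumed threshold: the classic Windows path length limit
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FLAGS = [(0x04, "NAME"), (0x08, "RELATIVE_PATH"), (0x10, "WORKING_DIR"),
                (0x20, "ARGUMENTS"), (0x40, "ICON_LOCATION")]

def oversized_fields(data, limit=MAX_PATH):
    """Return [(field, length)] for every link string longer than limit."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, found = 76, []                   # the fixed header is 76 bytes
    if flags & 0x01:                      # HasLinkTargetIDList: skip the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                      # HasLinkInfo
        size, _, li_flags, _, base_off = struct.unpack_from("<5I", data, pos)
        if size < 28:
            raise ValueError("bad LinkInfo size")
        if li_flags & 0x01 and 0 < base_off < size:   # LocalBasePath present
            path = data[pos + base_off:pos + size].split(b"\x00", 1)[0]
            if len(path) > limit:
                found.append(("LOCAL_BASE_PATH", len(path)))
        pos += size
    width = 2 if flags & 0x80 else 1      # IsUnicode: counts are in characters
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            if count > limit:
                found.append((name, count))
            pos += 2 + count * width
    return found

def build_sample(target):
    """Constructed, simplified test fixture: header, LinkInfo (no VolumeID), RELATIVE_PATH."""
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, 0x02 | 0x08).ljust(76, b"\x00")
    base = target.encode("ascii") + b"\x00"
    # LinkInfoSize, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset,
    # CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset
    info = struct.pack("<7I", 29 + len(base), 28, 1, 0, 28, 0, 28 + len(base))
    rel = struct.pack("<H", len(target)) + target.encode("ascii")
    return header + info + base + b"\x00" + rel

if __name__ == "__main__":
    print(oversized_fields(build_sample("C:\\" + "A" * 2004 + ".txt")))
```
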

