Rants on business, science, technology, society, politics, police, and justice, plus life hacks and tricks, since 2003.

New York Public Library pwn3d with HTML Help and Jump to URL

January 26th, 2007

The other day, I was near Times Square, and I desperately needed to check my email account so that I could get the phone number of a person I was meeting. I didn’t have my laptop on me, so the free wireless in Bryant Park (or open wi-fi elsewhere) was out of the question. I thought the New York Public Library might have internet access, and indeed they did. Unfortunately, the room with public internet terminals was fully packed, even at 2PM on a Tuesday. The librarian said I’d need to register for a library card, and that once I received it, there’d be a 90-minute wait to use the public PCs. I didn’t have 90 minutes, so I had to get more creative. Fortunately, I noticed there were some other PCs closer to the lobby that had Internet Explorer icons on their desktops. These PCs blacklisted Gmail and almost every other service I could think of – except one.

0. Install LogMeIn Free on a PC and leave it connected to the Internet. If you’re like me, you already had this, or something similar, set up so that you can access your stuff while you’re on the road.

1. Go to NY Public Library at 42nd & 5th. This may also work at other public libraries. This may also work at your school, or your job. Please note, however, that if you get arrested, expelled, fired, shunned by friends and family, or beaten with reeds, that I cannot be held responsible.

2. On the third floor, room 315, there are research and database computers. These computers are like electronic card catalogs and journal indices. They are networked, they have internet access, and they do not require a user to authenticate themselves with a library card or otherwise. As an aside, you can use these terminals to perform serious research rather easily, since you can access the full texts of a number of peer reviewed journals.

3. On the desktop, there is a shortcut to Internet Explorer that has been named “Databases”. Open the “Databases” shortcut, which launches a locked-down Internet Explorer window, sans address bar, toolbars, and other basic functionality.

3a. For cover, open something in one of the research databases. This step is optional. Seeing as how it seemed like homeless people were sleeping at the terminals next to me, this may be completely unnecessary.

4. Hit the “F1” key to launch Internet Explorer help. If you’re a l33t h4x0r that is regularly involved with pwning or using pwn3d machines, you’re probably thinking either: a) I know exactly where this is going, or b) I didn’t even know Internet Explorer help could possibly be useful for anything.

5. Click the yellow “?” and paper logo in the upper left corner of the help window. For the n00bs reading this, you’re clicking the icon on the left in the title bar of the help window. The title bar is the (typically blue) bar at the top of the window that also includes minimize, maximize, and close (“X”) buttons on the right hand side.

6. Select the curiously placed “Jump to URL…” command. If you’ve never used this feature of HTML help, well, you’re not alone. I’d never heard of it until I read about an unrelated Windows XP escalation of privilege exploit. A commenter wrote that it was possible to use “Jump to URL…” to launch a command prompt window on machines without a Start … Run capability. This alone is a useful hack on its own, so be sure to try it the next time you encounter a locked down PC. If you’ve used “Jump to URL…” before, you’ve probably pwn3d plenty of PCs already. Note: if you’ve used “Jump to URL…” for some legitimate purpose, please comment on this and let everyone know what the reasoning for having this feature might be, aside from allowing exploits like this.

7. In the “Jump to URL…” dialog box, enter:

8. The LogMeIn homepage appears in the right pane of the help window. Drag the left pane’s border to resize the left pane and make it small, if you wish. Now you can log into your LogMeIn account.

9. Select the computer you wish to connect to. You will be prompted to install the Remote Access Components ActiveX control. These PCs allow you to install this particular ActiveX control. I suspect that the ActiveX control runs in the same permission level as the user, which is pretty locked down. However, the Remote Access Components control that LogMeIn uses doesn’t require Administrator privileges, so it seems to work. I don’t recall, but it may also be digitally signed by Microsoft, which could fully explain why this works at all.

10. Log into your PC and enjoy! At this point, using my home internet connection, I was able to check my email, sign on to AIM, and waste forty minutes surfing the web before my meeting.

Don’t go getting into trouble with this. NYPL: time to update your proxy server’s blacklists – it should only take a few seconds!
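Added example (not part of the original post): a sketch comparing the blacklist model mentioned above with a default-deny allowlist for a terminal whose only job is the research databases. Every hostname is a constructed placeholder and the function names are hypothetical; nothing here reflects the library's actual proxy configuration.

```python
"""Added example: denylist vs. default-deny allowlist for a research terminal.
All hostnames are constructed placeholders, not real proxy configuration."""


def normalize(host):
    # Lower-case and drop a trailing root dot so "Chat.Example." == "chat.example".
    return host.strip().lower().rstrip(".")


def matches(host, domain):
    # Match the domain itself or a subdomain, on a label boundary only,
    # so "notwebmail.example" does not match "webmail.example".
    host, domain = normalize(host), normalize(domain)
    return host == domain or host.endswith("." + domain)


def denylist_allows(host, denied):
    # Blacklist model: everything is reachable unless someone thought to list it.
    return not any(matches(host, d) for d in denied)


def allowlist_allows(host, allowed):
    # Default-deny model: only hosts the terminal exists to serve are reachable.
    return any(matches(host, a) for a in allowed)


# Constructed policies for a terminal that should only reach journal databases.
DENIED = {"webmail.example", "chat.example"}
ALLOWED = {"journals.example", "catalog.library.example"}

# Constructed requests: the intended use, two listed services, and a
# remote-access service that nobody added to the denylist.
REQUESTS = [
    "search.journals.example",
    "webmail.example",
    "Chat.Example.",
    "remote-access.example",
    "journals.example.remote-access.example",
]


def evaluate(requests=REQUESTS):
    # Return (host, denylist verdict, allowlist verdict) for each request.
    return [(h, denylist_allows(h, DENIED), allowlist_allows(h, ALLOWED))
            for h in requests]


if __name__ == "__main__":
    for host, deny_ok, allow_ok in evaluate():
        print(f"{host:42} denylist={'ALLOW' if deny_ok else 'BLOCK':5} "
              f"allowlist={'ALLOW' if allow_ok else 'BLOCK'}")
```

The denylist passes the unlisted remote-access host, while the allowlist blocks it without anyone needing to know the service exists.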

Tags: Computers · pwn3d! (Hacks and Tricks) · Technology · Urban Exploration, Infiltration, & Security
