Nice write-up. I love finding little exploits like that.
On my first day in jail I took a look at the law library PC. It was a Windows Vista machine locked down to only allow one law application to run. So I hit Print and went into the print settings for the HP LaserJet. In there it has a button to click for ordering new supplies from hp.com. Hitting that bypassed the lockdown and opened up IE. From there I just used the file:// protocol like this guy to browse to explorer.exe and launch Windows Explorer and gain full control of the desktop.
I love stories like these that leverage practical tricks such as percent-encoding the URL to bypass the URL filter.
I love technical writeups about masterfully overwriting structures on the heap, etc. as much as anyone else, but I find more “simple” hacks/workarounds equally exciting.