Hacking Internet Kiosks and iKAT

iKAT, the Interactive Kiosk Attack Tool, is an excellent online resource. Point your kiosk's browser at it and use its online tools for escaping the sandbox!

http://ikat.ha.cked.net/

The tips below are taken from Paul Craig’s DEF CON presentation “Hacking Internet Kiosk’s”, available at:

http://defcon.org/images/defcon-16/dc16-presentations/defcon-16-craig.pdf

1- Accessing the filesystem through a browser’s URL bar, or any other control that gives us a way of browsing the filesystem. Different representations of a sample c:\windows string:

File:/C:/windows File:/C:\windows\ File:/C:\windows/ File:/C:/windows
File://C:/windows File://C:\windows/ file://C:\windows C:/windows
C:\windows\ C:\windows C:/windows/ C:/windows\
%WINDIR% %TMP% %TEMP% %SYSTEMDRIVE% %SYSTEMROOT% %APPDATA% %HOMEDRIVE% %HOMESHARE%

2- If we find a View dialog or an Open File dialog, navigate the filesystem and look for cmd.exe. Try to execute it, or drag and drop a file onto cmd.exe to spawn it.

3- Internet Explorer’s ‘image toolbar’, which pops up when you click on a large image: File/Save, Print, Mailto, or even “Open My Pictures”.

4- Keyboard shortcuts. Besides the obvious ones, try some that are probably nearly as obvious: CTRL-B, CTRL-I, CTRL-H, CTRL-L, CTRL-O, CTRL-P, CTRL-S

5- Hidden Kiosk menu! Try to guess the combo (CTRL-ALT-F8, F9?)

6- The about: protocol handler. about:<a href=c:\windows\”>Click-Here</a> may work

7- The Shell protocol handler: Shell:Profile, Shell:ProgramFiles, Shell:System, Shell:ControlPanelFolder, Shell:Windows

8- Shell with classid, i.e.: shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}
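
Seen from the side of whoever has to lock the kiosk down, items 1 and 6 to 8 show why address-bar input needs a default-deny allowlist instead of a blocklist of known-bad prefixes. The sketch below is an added example, not code from the original post or from Paul Craig’s slides; the allowed host kiosk.example.org and all function names are assumptions.

```javascript
// Added example: default-deny check for what a kiosk accepts in its address bar.
// ALLOWED_HOSTS and every function name here are assumptions for illustration.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_HOSTS = new Set(["kiosk.example.org"]); // hypothetical kiosk site

// Strings taken from items 1, 6, 7 and 8 of the list above.
const PAGE_INPUTS = [
  "File:/C:/windows", "File://C:\\windows/", "file://C:\\windows",
  "C:/windows", "C:\\windows\\", "%WINDIR%", "%SYSTEMROOT%",
  "about:<a href=c:\\windows\\”>Click-Here</a>",
  "Shell:Profile", "Shell:ControlPanelFolder",
  "shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}",
];

// The weak setting: reject only input that starts with "file://".
function naiveBlocklist(input) {
  return !String(input).toLowerCase().startsWith("file://");
}

// The corrected setting: accept only http(s) URLs on allowlisted hosts.
function checkNavigation(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    // Bare paths and unexpanded %VARIABLES% are not absolute URLs.
    return { allow: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { allow: false, reason: "embedded credentials" };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { allow: false, reason: `host ${url.hostname} not allowed` };
  }
  return { allow: true, reason: "allowlisted" };
}

// Side-by-side verdicts for each input: true means the input is let through.
function audit(inputs) {
  return inputs.map((s) => ({
    input: s, naive: naiveBlocklist(s), strict: checkNavigation(s).allow,
  }));
}

console.table(audit(PAGE_INPUTS));
```

This only covers the address bar; the dialogs, toolbar and keyboard shortcuts in items 2 to 5 need their own lockdown in the kiosk shell or OS policy.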

Additionally, from my own experience, the kiosk may come with a full multimedia keyboard. Make use of every single multimedia button! It will probably make things easier/faster. Not to mention you should press the buttons 100 times in a row - you will be amazed at how many race conditions there are.

Peeeeace

 
  • © 2009 penetrationtests.com