Penetration Testing mailing list archives
Activex potential BOF
From: me <deros68 () yahoo com>
Date: Thu, 6 Mar 2008 12:34:54 -0800 (PST)
All,

I was running the COMRAIDER package on one of my not so secure - (but you must use the company supplied PCs) and found several BOF in ActiveX (no surprise). However, I am puzzled and want to learn more about why I cannot get the BOF to trigger via simple HTML/JS file when viewed by IE.

The XML generated by COMRAIDER is shown below (first code snippet)

-------------------XML generated by COMRAIDER -------------
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:999999999999999999999999999999999999' id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 - http://labs.idefense.com

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Common Files\9999999999999999999999999999999999999999999.dll"
prototype = "Function aaaaaaaaaaaaaaaaaaaa ( ByVal hinstResource As Long ) As Long"
memberName = "zzzzzzzzzzzzzzzzzzzz"
progid = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
argCount = 1

arg1=2147483647

target.zzzzzzzzzzzzzzzzzzzz arg1

</script></job></package>
----------------------------------------------

Using the above value & -1 an exception is generated in the DLL shown above. EIP is not overlaid but I will run Olly and see if I can get control. - later

I checked if the AX control is allowed in our IE by doing the following: point IE at the HTML file below. The file resides in a trusted ZONE site.

----------------------yesorno.html---------------------
<body>
<object classid="clsid:999999999999999999999999999999999999" id="test"></object>
</body>
---------------------------------------------------

My IE page did not display the "test" variable and it did not display any error messages. I can also view (in IE) the complete source of the HTML file. I am assuming that this means that I can load this control in IE ??

COMRAIDER does FIND this control when I run it looking for IE loadable ax - and - the KILLBIT is NOT set.

Ok - I then created several variants in JS and pointed my IE browser at them - each one got an "Error on page" and nothing else.

There are 2 ways I tried to get the BOF to occur: a "spawn" command and a "check" command in JS. I think that I am missing the correct way to pass the parameter to the ActiveX control as a "BSTR". I also used " for the ' below and tried removing various whitespace. Maybe I need to define the arguments as a number value ?

Anyone see my dumb mistake ?

------------- test1.html ----------------------
html>
<head>
This is a test -
<script language="JavaScript">
var arg1 = '-1';
function spawn2()
{
  o2obj.zzzzzzzzzzzzzzzzzzzz(arg1);
}
</script>
</head>
<body onload="spawn2()">
<object ID="o2obj" WIDTH=0 HEIGHT=0 classid="clsid:999999999999999999999999999999999999"
</object>
</body>
</html>
--------------------------------------------------

-------------Test2.html-------------------------
<html>
<head>
This is a test -
<script language="JavaScript" DEFER>
function Check() {
  var x = '2147483647' ;
  var obj = new ActiveXObject("999999999999999999999999999999999999");
  obj.zzzzzzzzzzzzzzzzzzzz(x);
}
</script>
</head>
<body onload="JavaScript: return Check();" />
</html>
-----------------------------------------------
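
The post relies on the kill bit not being set for the control. As an added example (not part of the original message, and not COMRaider code), the sketch below audits a regedit export of the "ActiveX Compatibility" key for a CLSID's kill bit, checking both the native and the Wow6432Node (32-bit IE on 64-bit Windows) views. The CLSID and the export text are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating a control
AX_COMPAT = r"\microsoft\internet explorer\activex compatibility" + "\\"

# Constructed sample of a regedit export (real exports are UTF-16; decode before parsing).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00800000
"""

def parse_compat_flags(reg_text):
    """Map (view, clsid) -> Compatibility Flags value found in a .reg export."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            current = None
            if AX_COMPAT in key:  # only per-CLSID subkeys, not the parent key
                view = "32-bit" if "\\wow6432node\\" in key else "native"
                current = (view, key.rsplit("\\", 1)[1])
        elif current:
            m = re.match(r'"compatibility flags"=dword:([0-9a-f]{1,8})$', line, re.I)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags

def killbit_status(reg_text, clsid):
    """Return per-view status: 'set', 'not set', or 'no entry' (no flags value)."""
    flags = parse_compat_flags(reg_text)
    result = {}
    for view in ("native", "32-bit"):
        value = flags.get((view, clsid.lower()))
        if value is None:
            result[view] = "no entry"
        else:
            # Other flag bits may be present; only the 0x400 bit is the kill bit.
            result[view] = "set" if value & KILL_BIT else "not set"
    return result

if __name__ == "__main__":
    print(killbit_status(SAMPLE_REG, "{11111111-2222-3333-4444-555555555555}"))
```

A control whose kill bit is set only in the native view is still loadable by 32-bit IE on a 64-bit host, which is why both views are reported.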