From: me (deros68@yahoo.com)
Date: Thu Mar 06 2008 - 15:34:54 EST
All,
I was running the COMRAIDER package on one of my not
so secure - (but you must use the company supplied
PCs) and found several BOF in ActiveX (no surprise).
However, I am puzzled and want to learn more about why
I cannot get the BOF to trigger via simple HTML/JS
file when viewed by IE.
The XML generated by COMRAIDER is shown below (first
code snippet).
-------------------XML generated by COMRAIDER-------------
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:999999999999999999999999999999999999' id='target' />
<script language='vbscript'>
'File Generated by COMRaider v0.0.133 - http://labs.idefense.com
'Wscript.echo typename(target)
'for debugging/custom prolog
targetFile = "C:\Program Files\Common Files\9999999999999999999999999999999999999999999.dll"
prototype = "Function aaaaaaaaaaaaaaaaaaaa ( ByVal hinstResource As Long ) As Long"
memberName = "zzzzzzzzzzzzzzzzzzzz"
progid = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
argCount = 1
arg1=2147483647
target.zzzzzzzzzzzzzzzzzzzz arg1
</script></job></package>
----------------------------------------------
Using the above value & -1 an exception is generated
in the DLL shown above. EIP is not overlaid but I
will run Olly and see if I can get control. - later
I checked if the AX control is allowed in our IE by
doing the following: point IE at the HTML file below.
The file resides in a trusted ZONE site.
----------------------yesorno.html---------------------
<body>
<object
classid="clsid:999999999999999999999999999999999999"
id="test"></object>
</body>
---------------------------------------------------
My IE page did not display the "test" variable and it
did not display any error messages. I can also view
(in IE) the complete source of the HTML file. I am
assuming that this means that I can load this control
in IE?
COMRAIDER does FIND this control when I run it looking
for IE loadable ax - and - the KILLBIT is NOT set.
Ok - I then created several variants in JS and pointed
my IE browser at them - each one got a
"Error on page" and nothing else. There are 2 ways I
tried to get the BOF to occur: a "spawn" command and a
"check" command in JS.
I think that I am missing the correct way to pass the
parameter to the ActiveX control as a "BSTR".
I also used " for the ' below and tried removing
various whitespace. Maybe I need to define the
arguments as a number value ?
Anyone see my dumb mistake ?
------------- test1.html ----------------------
html>
<head> This is a test -
<script language="JavaScript">
var arg1 = '-1';
function spawn2()
{
o2obj.zzzzzzzzzzzzzzzzzzzz(arg1);
}
</script>
</head>
<body onload="spawn2()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
classid="clsid:999999999999999999999999999999999999"
</object>
</body>
</html>
--------------------------------------------------
-------------Test2.html-------------------------
<html>
<head> This is a test -
<script language="JavaScript" DEFER>
function Check() {
var x = '2147483647' ;
var obj = new
ActiveXObject("999999999999999999999999999999999999");
obj.zzzzzzzzzzzzzzzzzzzz(x);
}
</script>
</head>
<body onload="JavaScript: return Check();" />
</html>
-----------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:27 EDT