ActiveX potential BOF

From: me (deros68@yahoo.com)
Date: Thu Mar 06 2008 - 15:34:54 EST


All,

I was running the COMRAIDER package on one of my not
so secure (but you must use the company supplied) PCs
and found several BOFs in ActiveX (no surprise).
However, I am puzzled and want to learn more about why
I cannot get the BOF to trigger via a simple HTML/JS
file when viewed by IE.

The XML generated by COMRAIDER is shown below (first
code snippet).

-------------------XML generated by COMRAIDER-------------
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:999999999999999999999999999999999999' id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 - http://labs.idefense.com

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Common Files\9999999999999999999999999999999999999999999.dll"
prototype = "Function aaaaaaaaaaaaaaaaaaaa ( ByVal hinstResource As Long ) As Long"
memberName = "zzzzzzzzzzzzzzzzzzzz"
progid = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
argCount = 1

arg1=2147483647

target.zzzzzzzzzzzzzzzzzzzz arg1

</script></job></package>
----------------------------------------------

Using the above value & -1 an exception is generated
in the DLL shown above. EIP is not overlaid but I
will run Olly and see if I can get control. - later

I checked if the AX control is allowed in our IE by
doing the following: point IE at the HTML file below.
The file resides in a trusted ZONE site.

----------------------yesorno.html---------------------

<body>
<object
classid="clsid:999999999999999999999999999999999999"
id="test"></object>
</body>

---------------------------------------------------

My IE page did not display the "test" variable and it
did not display any error messages. I can also view
(in IE) the complete source of the HTML file. I am
assuming that this means that I can load this control
in IE?

COMRAIDER does FIND this control when I run it looking
for IE loadable ax - and - the KILLBIT is NOT set.

Ok - I then created several variants in JS and pointed
my IE browser at them - each one got an
"Error on page" and nothing else. There are 2 ways I
tried to get the BOF to occur: a "spawn" command and a
"check" command in JS.

I think that I am missing the correct way to pass the
parameter to the ActiveX control as a "BSTR".
I also used " for the ' below and tried removing
various whitespace. Maybe I need to define the
arguments as a number value?

Anyone see my dumb mistake ?

------------- test1.html ----------------------
<html>
<head> This is a test -
<script language="JavaScript">

var arg1 = '-1';

function spawn2()
{
        o2obj.zzzzzzzzzzzzzzzzzzzz(arg1);
}

</script>
</head>

<body onload="spawn2()">
<object ID="o2obj" WIDTH=0 HEIGHT=0
  
classid="clsid:999999999999999999999999999999999999"

</object>
</body>
</html>
--------------------------------------------------

-------------Test2.html-------------------------
<html>
 <head> This is a test -
  <script language="JavaScript" DEFER>
    function Check() {
     var x = '2147483647' ;
     
     var obj = new
ActiveXObject("999999999999999999999999999999999999");
    

     obj.zzzzzzzzzzzzzzzzzzzz(x);
    }
  </script>

 </head>
 <body onload="JavaScript: return Check();" />
</html>
-----------------------------------------------
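
The kill-bit check mentioned in the post, as an added example for auditing or blocking a control like this one (it is not part of the original message and not COMRaider code). The CLSID in the usage comment is a placeholder, and the function names are hypothetical.

```powershell
# Added example: report whether IE is blocked from loading a COM class (kill bit)
# and whether the class is registered as safe for scripting / initialization.
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE instantiating the class
$Categories = @{
    SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C4F84}'
    SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C4F84}'
}
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ActiveXLoadPolicy {
    param([Parameter(Mandatory)][ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')][string]$Clsid)
    $result = [ordered]@{ Clsid = $Clsid }
    foreach ($root in $CompatRoots) {
        $view  = if ($root -like '*WOW6432Node*') { 'KillBit32' } else { 'KillBitNative' }
        $flags = (Get-ItemProperty -Path "$root\$Clsid" -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        # A missing key or value means no kill bit is set for that registry view
        $result[$view] = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
    foreach ($name in $Categories.Keys) {
        $cat = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\Implemented Categories\$($Categories[$name])"
        $result[$name] = Test-Path $cat
    }
    [pscustomobject]$result
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path $root)) { continue }          # e.g. no WOW6432Node on 32-bit Windows
        $key = "$root\$Clsid"
        if ($PSCmdlet.ShouldProcess($key, 'set kill bit 0x400')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                          -ErrorAction SilentlyContinue).'Compatibility Flags'
            # Preserve any other compatibility flags already present
            New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                -Value ([int]$current -bor $KillBit) -Force | Out-Null
        }
    }
}

# Usage (placeholder CLSID, run elevated for the Set- function):
#   Get-ActiveXLoadPolicy -Clsid '{00000000-0000-0000-0000-000000000000}'
#   Set-ActiveXKillBit    -Clsid '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

The category keys only show what the control declares in the registry; a control can also assert scripting safety at run time through IObjectSafety, which this check cannot see.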




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:27 EDT