IE Security Series: ActiveX (II)
0x00 Using a Fuzz Tool
There are quite a few fuzzers for ActiveX. This time we use an old-fashioned and rather weak open-source fuzzer, COMRaider. I chose it because it is a graphical fuzzer with simple interface elements; it is weak because it ships with too few test cases and has not been updated for a long time (although you can add cases manually). There are far more powerful tools, such as AxMan, but AxMan's interface is really unpleasant to use, so I still use COMRaider for the demonstration......
COMRaider can be downloaded from https://github.com/dzzie/comraider. On its start page the Start button is well hidden on the right, in the same color as the background.
Click Start to begin. Step 1 is selecting the ActiveX control; here we choose "Choose from controls that should be loadable from IE".
Right-click and choose Scan New. Pick any control from the list that catches your eye and click the "Select" button to view its details.
The pop-up window lists all the methods and properties of the control. Remember to tick "Show only fuzzable" and clear the previous option. Items shown in gray on the left of the list cannot be fuzzed; items in black can. You can see that COMRaider cannot fuzz any method that takes no parameters.
The file being edited here is a VBScript file, so VBS syntax applies. As to why VBS: when COMRaider's first version was released (a relic of its era), VB was still very popular, so COMRaider itself was written in VB.
For example, adding parent.lngs.add 65535 under Long Args makes 65535 a test case whenever a parameter of type Long is fuzzed.
0x01 Testing for logic flaws
This section describes how to use COMRaider to find logic vulnerabilities and write a PoC, taking the following control as an example.
Loaded File: F:\Windows\SysWOW64\QoePlug.ocx
Name: QOEPLUGLib
Lib GUID: {15144D65-D22E-4768-8980-7411EF722FDE}
Version: 1.0
Lib Classes: 1
Class QOEPLUG
GUID: {B2F9A248-3AB5-493F-A7F8-5B7A9D026ED2}
Number of Interfaces: 1
Default Interface: _DQOEPLUG
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False
It exposes the following methods and properties:
Interface _DQOEPLUG : IDispatch
Default Interface: True
Members : 43
strOsName strCpuName strNetLoad strCpuUsage strMemSize strMemUsage strProxyServer strDnsServer strNumComputer strTraceInfo strProcessInfo strKillPid strDnsName strConnectIp strUrl strMultiDownLoadUrl strDnsTime strConnectTime strUrlTime strMultiDownLoadResult strVersion strDownloadUrl strDownloadTime
GetOsName GetCpuName GetNetLoad GetCpuUsage GetMemSize GetMemUsage GetProxyServer GetDnsServer GetNumComputer GetTraceInfo GetProcessInfo KillProcId GetDnsTime GetConnectTime GetUrlTime GetMultiDownLoad StartMultiDownLoad StopMultiDownLoad GetVersion GetDownloadTime
Click an item to view its definition.
COMRaider displays method names in VB style. If you have used VB you will recognize it; if not, just remember these two shapes:
Sub FunctionName(ParamName As TypeName, ParamName2 As TypeName2 ......)
Function FunctionName(ParamName As TypeName, ParamName2 As TypeName2 ......) As ReturnType
Sub denotes a method without a return value, roughly equivalent to void FunctionName(TypeName ParamName, TypeName2 ParamName2 ......) in C++.
Function denotes a method with a return value, roughly equivalent to ReturnType FunctionName(TypeName ParamName, TypeName2 ParamName2 ......) in C++.
If an item can be fuzzed, right-click it and choose Fuzz member, or choose Fuzz Library directly, which fuzzes all of its members.
COMRaider drives the fuzzing through Windows Script Host; the generated files are of type .wsf (a WSF file is a text document containing XML). A test case generated by COMRaider looks like the following, so if the PoC for some published vulnerability shows these familiar variable names and this code style, there is no need to wonder: it is COMRaider's work :).
<?XML version='1.0' standalone='yes' ?>
<package>
<job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:B2F9A248-3AB5-493F-A7F8-5B7A9D026ED2' id='target' />
<script language='vbscript'>
'File Generated by COMRaider v0.0.134 - http://labs.idefense.com
'Wscript.echo typename(target) 'for debugging/custom prolog
targetFile = "F:\Windows\SysWOW64\QoePlug.ocx"
prototype = "Invoke_Unknown strDownloadTime As String"
memberName = "strDownloadTime"
progid = "QOEPLUGLib.QOEPLUG"
argCount = 1
arg1=String(3092, "A")
target.strDownloadTime = arg1
</script>
</job>
</package>
Right-click a test case and select Test Exploit in IE to test the corresponding code. You can also produce a page that IE can load by hand: from the code above, keep only the middle part, from the <object> tag through the end of the script:
<object classid='clsid:B2F9A248-3AB5-493F-A7F8-5B7A9D026ED2' id='target' />
<script language='vbscript'>
arg1=String(3092, "A")
target.strDownloadTime = arg1
</script>
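The generated .wsf above is a fixed layout around one call, and the article's Long Args edit shows that the values fed into it are just per-type lists. The following PowerShell is an added example, not COMRaider's code: it parses a prototype written in COMRaider's VB style (Sub/Function, or the Invoke_Unknown form seen in the prototype variable above), picks one test value per parameter type, writes the case in the same layout, and cuts it down to the fragment IE loads. The function names and the value table are mine; the CLSID, ProgID, file path and strDownloadTime prototype are the ones from this control, and the KillProcId prototype in the usage line is hypothetical.

```powershell
# Added example, not COMRaider's code: build a test case in the layout of the
# generated .wsf above from a VB-style prototype, then cut it down for IE.

function ConvertFrom-VbPrototype {
    param([Parameter(Mandatory)][string]$Prototype)
    # Accepts "Sub Name(a As T1, b As T2)", "Function Name(...) As R" and the
    # property form COMRaider writes as "Invoke_Unknown Name As T".
    if ($Prototype -match '^(Sub|Function)\s+(\w+)\s*\((.*)\)') {
        $kind = $Matches[1]; $name = $Matches[2]; $argText = $Matches[3]
        $params = @()
        foreach ($a in ($argText -split ',')) {
            if ($a.Trim() -match '^(?:ByVal\s+|ByRef\s+)?(\w+)\s+As\s+(\w+)') {
                $params += [pscustomobject]@{ Name = $Matches[1]; Type = $Matches[2] }
            }
        }
        return [pscustomobject]@{ Kind = $kind; Name = $name; Params = $params }
    }
    if ($Prototype -match '^(?:Invoke_Unknown|Property)\s+(\w+)\s+As\s+(\w+)') {
        $p = [pscustomobject]@{ Name = 'value'; Type = $Matches[2] }
        return [pscustomobject]@{ Kind = 'Property'; Name = $Matches[1]; Params = @($p) }
    }
    throw "Unrecognised prototype: $Prototype"
}

function Get-VbTestValue {
    param([string]$Type)
    # One value per VB type; extend these sets the way the article adds 65535 to Long Args.
    switch ($Type) {
        'String'  { return 'String(3092, "A")' }
        'Long'    { return '65535' }
        'Integer' { return '32767' }
        default   { return '0' }
    }
}

function New-WsfTestCase {
    param(
        [Parameter(Mandatory)][string]$Clsid,       # without braces, as in the classid attribute
        [Parameter(Mandatory)][string]$ProgId,
        [Parameter(Mandatory)][string]$TargetFile,
        [Parameter(Mandatory)][string]$Prototype
    )
    $m = ConvertFrom-VbPrototype $Prototype
    $assign = for ($i = 0; $i -lt $m.Params.Count; $i++) {
        'arg{0}={1}' -f ($i + 1), (Get-VbTestValue $m.Params[$i].Type)
    }
    $argList = if ($m.Params.Count -gt 0) { (1..$m.Params.Count | ForEach-Object { "arg$_" }) -join ', ' } else { '' }
    # VBScript call syntax: a Sub is called without parentheses, a Function with them.
    $call = switch ($m.Kind) {
        'Property' { "target.$($m.Name) = arg1" }
        'Sub'      { "target.$($m.Name) $argList".TrimEnd() }
        'Function' { "ret = target.$($m.Name)($argList)" }
    }
    @"
<?XML version='1.0' standalone='yes' ?>
<package>
<job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:$Clsid' id='target' />
<script language='vbscript'>
'Test case in COMRaider's layout (added example, not written by COMRaider)
targetFile = "$TargetFile"
prototype = "$Prototype"
memberName = "$($m.Name)"
progid = "$ProgId"
argCount = $($m.Params.Count)
$($assign -join "`n")
$call
</script>
</job>
</package>
"@
}

function ConvertTo-IeFragment {
    param([Parameter(Mandatory)][string]$Wsf)
    # Keep the <object> tag and the <script> body; drop the package/job wrapper and
    # the bookkeeping variables, which IE does not need.
    ($Wsf -split "`r?`n" | Where-Object {
        $_ -match '^<object |^</?script|^(arg\d+=|target\.|ret = )'
    }) -join "`n"
}

# Usage with the control from the article (the KillProcId prototype is hypothetical).
$wsf = New-WsfTestCase -Clsid 'B2F9A248-3AB5-493F-A7F8-5B7A9D026ED2' -ProgId 'QOEPLUGLib.QOEPLUG' `
         -TargetFile 'F:\Windows\SysWOW64\QoePlug.ocx' -Prototype 'Invoke_Unknown strDownloadTime As String'
Set-Content -Path .\strDownloadTime.wsf -Value $wsf
ConvertTo-IeFragment $wsf
New-WsfTestCase -Clsid 'B2F9A248-3AB5-493F-A7F8-5B7A9D026ED2' -ProgId 'QOEPLUGLib.QOEPLUG' `
         -TargetFile 'F:\Windows\SysWOW64\QoePlug.ocx' -Prototype 'Sub KillProcId(lPid As Long)'
```

The bookkeeping variables (targetFile, prototype, memberName, progid, argCount) are exactly the tell the text mentions: they survive in many published PoCs and are a cheap string to search for when triaging collected samples. Run the generated cases only on the disposable VM used for the fuzzing itself, since each one executes the control's code.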
COMRaider cannot verify logic vulnerabilities, so manual work is required when hunting for them. Take GetCpuName as an example: although it is a method without a return value, the control also has a strCpuName property. Let's chain the two.
PoC:
<object classid='clsid:B2F9A248-3AB5-493F-A7F8-5B7A9D026ED2' id='target' />
<script language='vbscript'>
target.GetCpuName
alert(target.strCpuName)
</script>
Verify it in IE: it turns out my CPU is old and the machine is due for replacement.
0x02 How does the fuzzer learn the ActiveX control's details?
How does a fuzzer enumerate properties and methods? There is a general approach, described as follows:
First, create an instance with CoCreateInstance and query it for the IObjectSafety interface. If the interface is implemented, check whether the Safe for Init and Safe for Script bits are set; this is written into the test configuration later. Then call GetTypeInfo on IDispatch to obtain an ITypeInfo interface and expand the relevant content.
The ITypeInfo interface provides access to the following: the set of function descriptions associated with the type (for interfaces, this contains the set of member functions in the interface); the set of data member descriptions associated with the type (for structures, this contains the set of members of the type); and the general attributes of the type, such as whether it describes a structure, an interface, and so on.
In short, ITypeInfo exposes the interface's member functions, member variables, and general attributes (such as whether it describes a struct or an interface).
Call GetDocumentation on the ITypeInfo to obtain the number of functions, call GetFuncDesc for each function to obtain its description, and from that obtain the function name, return value, number of parameters, and the parameters themselves.
Since COMRaider is open source, you can also download its code and look at how it implements this.
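The facts COMRaider prints in the control summary in section 0x01 (loaded file, RegKey Safe for Script/Init, KillBitSet) come from the registry, and the member list comes from the type information described above. The following PowerShell is an added example, not COMRaider's code, that collects the same data for one CLSID, inventories every control the registry marks as safe for scripting, and lists a control's members through its type information. The function names are mine; the two component-category GUIDs and the 0x400 kill-bit flag are the documented Windows values, and the CLSID and ProgID are the ones from the control above.

```powershell
# Added example, not COMRaider's code: read the facts from COMRaider's control
# summary (loaded file, ProgID, RegKey Safe for Script/Init, KillBitSet) from the
# registry, and list members through the control's type information.

# Component categories IE checks when a page instantiates or scripts a control.
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitFlag = 0x400   # bit in "Compatibility Flags" that blocks the control in IE

function Get-ActiveXSafety {
    param([Parameter(Mandatory)][string]$Clsid)   # e.g. '{B2F9A248-3AB5-493F-A7F8-5B7A9D026ED2}'
    # A 32-bit control seen from 64-bit PowerShell is registered under WOW6432Node.
    $base = @("Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
              "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$Clsid") |
            Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $base) { throw "CLSID $Clsid is not registered" }
    $file   = (Get-ItemProperty "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $progId = (Get-ItemProperty "$base\ProgID"         -ErrorAction SilentlyContinue).'(default)'
    # Kill bits live under ActiveX Compatibility; check the native and WOW6432Node copies.
    $flags = 0
    foreach ($hive in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
        $key = "Registry::HKEY_LOCAL_MACHINE\$hive\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $compat = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($compat) { $flags = $flags -bor [int]$compat.'Compatibility Flags' }
    }
    [pscustomobject]@{
        Clsid               = $Clsid
        LoadedFile          = $file
        ProgId              = $progId
        RegKeySafeForScript = Test-Path "$base\Implemented Categories\$CATID_SafeForScripting"
        RegKeySafeForInit   = Test-Path "$base\Implemented Categories\$CATID_SafeForInitializing"
        KillBitSet          = (($flags -band $KillBitFlag) -ne 0)
    }
}

function Find-ScriptableControls {
    # Every registered CLSID marked safe for scripting, with its kill-bit state:
    # the inventory to review before and after pushing kill bits through policy.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path "$($_.PSPath)\Implemented Categories\$CATID_SafeForScripting" } |
        ForEach-Object { Get-ActiveXSafety -Clsid $_.PSChildName }
}

function Get-ActiveXMembers {
    param([Parameter(Mandatory)][string]$ProgId)
    # This instantiates the control, i.e. runs its code: do it on the fuzzing VM only.
    # Get-Member reads the IDispatch type information, so the Definition column is the
    # same data COMRaider renders as Sub/Function prototypes.
    $obj = New-Object -ComObject $ProgId
    $obj | Get-Member -MemberType Method, Property | Select-Object Name, MemberType, Definition
}

# Usage, with the control from the article:
Get-ActiveXSafety -Clsid '{B2F9A248-3AB5-493F-A7F8-5B7A9D026ED2}' | Format-List
Get-ActiveXMembers -ProgId 'QOEPLUGLib.QOEPLUG' | Format-Table -AutoSize
Find-ScriptableControls | Where-Object { -not $_.KillBitSet } | Format-Table Clsid, ProgId, LoadedFile
```

The registry part is read-only and can run on any host; only Get-ActiveXMembers loads the control. Note that the Implemented Categories keys are a declaration made at registration time, whereas the IObjectSafety query described above asks the running control, so the two answers can differ; a control that declares itself safe for scripting in both places and still accepts a 3092-byte string into a property is precisely what the fuzzing in the previous sections is meant to surface, and the controls left after filtering on KillBitSet are the ones a web page can still script.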