Home page logo

pen-test logo Penetration Testing mailing list archives

Activex potential BOF
From: me <deros68 () yahoo com>
Date: Thu, 6 Mar 2008 12:34:54 -0800 (PST)


I was running the COMRAIDER package on one of my not
so secure - (but you must use the company supplied
PCs) and found several BOF in Activex (no surprise). 
However, I am puzzled and want to learn more about why
I cannot get the BOF to trigger via simple HTML/JS
file when viewed by IE

The XML generated by COMRAIDER is shown below (first
code snippet)

-------------------XML generated by COMRAIDER
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false'
id='target' />
<script language='vbscript'>

'File Generated by COMRaider v0.0.133 -

'Wscript.echo typename(target)

'for debugging/custom prolog
targetFile = "C:\Program Files\Common
prototype  = "Function aaaaaaaaaaaaaaaaaaaa ( ByVal
hinstResource As Long ) As Long"
memberName = "zzzzzzzzzzzzzzzzzzzz"
progid     =
argCount   = 1


target.zzzzzzzzzzzzzzzzzzzz arg1 


Using the above value & -1 an exception is generated
in the DLL shown above.  EIP is not overlaid but l
will run Olly and see if I can get control.  - later

I checked if the AX control is allowed in our IE by
doing the following:  point IE at the HTML file below
The file resides in a trusted ZONE site.




My IE page did not display the "test" variable and it
did not display any error messages.  I can also view
(in iE) the complete source of the HTML file. I am
assuming that this means that I can load this control
in IE ??  

COMRAIDER does FIND this control when I run it looking
for IE loadable ax - and - the KILLBIT is NOT set.

Ok - I then created several variants in JS and pointed
my IE browser at them  - each one got a
"Error on page" and nothing else.   There are 2 ways I
tried to get the BOF to occur a "spawn" command and a
"check" command in JS.

I think that I am missing the correct way to pass the
parameter to the Activex control as a "BSTR"
I also used " for the ' below and tried removing
various whitespace.  Maybe I need to define the
arguments as a number value ?

Anyone see my dumb mistake ?

------------- test1.html ----------------------
<head>  This is a test - 
<script language="JavaScript">

var arg1 = '-1';

function spawn2()


<body onload="spawn2()">
<object ID="o2obj" WIDTH=0 HEIGHT=0


 <head>   This is a test - 
  <script language="JavaScript" DEFER>
    function Check() {
     var x = '2147483647' ;
     var obj = new


 <body onload="JavaScript: return Check();" />

Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
  • Activex potential BOF me (Mar 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]