ActiveX controls that Microsoft ships
are especially nice to pen-test, because each one has an entry on MSDN giving lots of useful
information about the control that we can use to find bugs. You can quickly jump to
the appropriate MSDN entry by typing the following into your favorite search engine:
site:msdn.microsoft.com ADODB.Connection methods
Scanning through the MSDN documentation in this case didn??™t highlight anything
obviously bad. Several of its methods do handle arguments, however, so we should later
use this control as a fuzzing target. However, scrolling down a little farther in the safe.txt
list generated on my machine gives this potentially interesting control:
> SupportSoft Installer
{01010200-5e80-11d8-9e86-0007e96c65ae}
IObjectSafety:
IO. Safe for scripting (IDispatch) set successfully
IDispatch:GetInterfaceSafetyOptions Supported=3, Enabled=1
ISdcInstallCtl:
BSTR ModuleVersion() propget
BSTR GetModulePath()
void EnableErrorExceptions(VARIANT_BOOL)
VARIANT_BOOL ErrorExceptionsEnabled()
long GetLastError()
BSTR GetLastErrorMsg()
void EnableCmdTarget(VARIANT_BOOL)
void SetIdentity(BSTR)
BSTR EnableExtension(BSTR)
BSTR Server() propget
void Server(BSTR) propput
VARIANT_BOOL Install(long, BSTR)
void WriteRegVal(BSTR, BSTR, BSTR)
BSTR ReadRegVal(BSTR, BSTR)
long FindInstalledDna(long, BSTR)
void RunCmd(BSTR, VARIANT_BOOL)
BSTR GetCategories(BSTR)
VARIANT_BOOL Copy(long, BSTR)
VARIANT_BOOL InitGuid(BSTR)
void SetDefaultDnaServer(BSTR)
BSTR WriteTemp(BSTR)
BSTR ReadTemp(BSTR)
VARIANT_BOOL Uninstall(long, BSTR)
BSTR GetNames(BSTR, BSTR)
VARIANT_BOOL GetRebootFlag()
void RebootMachine()
??¦
BSTR GetHostname()
??¦
I??™m wary of any safe-for-scripting ActiveX control with functions named Install,
WriteRegVal, RunCmd, GetHostname, and RebootMachine! Let??™s take a closer look at this
one.
Pages:
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677