Page 666

Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

AxEnum gives us some information, but there is more metadata about this object
stored in the registry at HKCR\CLSID\{01010200-5e80-11d8-9e86-0007e96c65ae}. In fact,
when IE gets a request to instantiate this object, it queries this registry area via COM. Investigating
here shows us where the DLL lives on the disk. In this case, it's C:\Windows\Downloaded
Program Files\tgctlins.dll. We also get the ProgID, which is useful when instantiating
the object from a script. This control's ProgID is SPRT.Install.1. The .1 at the end is a kind of
version number that can be omitted if there is only one SPRT.Install registered on the
system.
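The registry lookup described above can be reproduced offline from a .reg export of the CLSID subtree, which is how an analyst would inventory installed controls on a disk image without instantiating them. The following script is an added example, not code from the book; it parses a constructed reg.exe-style export containing the CLSID, DLL path and ProgID the page lists (the class name "SPRT Install Class" and the ThreadingModel value are assumptions) and returns the InprocServer32 path, the ProgID and the version-independent ProgID for each CLSID it finds.

```python
import re
from typing import Dict, Optional

# Constructed sample: a minimal export of the CLSID subtree for the control
# discussed on this page, in the layout reg.exe /E writes. The CLSID, DLL path
# and ProgIDs are the values the page gives; the class name and ThreadingModel
# are assumed for illustration.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{01010200-5e80-11d8-9e86-0007e96c65ae}]
@="SPRT Install Class"

[HKEY_CLASSES_ROOT\CLSID\{01010200-5e80-11d8-9e86-0007e96c65ae}\InprocServer32]
@="C:\\Windows\\Downloaded Program Files\\tgctlins.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{01010200-5e80-11d8-9e86-0007e96c65ae}\ProgID]
@="SPRT.Install.1"

[HKEY_CLASSES_ROOT\CLSID\{01010200-5e80-11d8-9e86-0007e96c65ae}\VersionIndependentProgID]
@="SPRT.Install"
"""

# A section header for a CLSID key or one of its subkeys; a CLSID is 32 hex
# digits and four hyphens inside braces.
KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?\]$')
# The default value of the current key (@="...").
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Which subkey's default value feeds which field of the result.
SUBKEY_FIELDS = {
    '': 'name',
    'InprocServer32': 'dll',
    'ProgID': 'progid',
    'VersionIndependentProgID': 'version_independent_progid',
}


def unescape(value: str) -> str:
    """Undo the .reg string escaping (backslashes and quotes are doubled/escaped)."""
    return value.replace('\\\\', '\\').replace('\\"', '"')


def parse_clsid_export(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each CLSID in a .reg export to its name, DLL path and ProgIDs."""
    controls: Dict[str, Dict[str, Optional[str]]] = {}
    current = None  # (clsid, subkey) of the section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            clsid, subkey = m.group(1).lower(), (m.group(2) or '')
            controls.setdefault(clsid, {field: None for field in SUBKEY_FIELDS.values()})
            current = (clsid, subkey)
            continue
        m = DEFAULT_RE.match(line)
        if m and current is not None:
            clsid, subkey = current
            field = SUBKEY_FIELDS.get(subkey)
            if field:
                controls[clsid][field] = unescape(m.group(1))
    return controls


def script_name(control: Dict[str, Optional[str]]) -> Optional[str]:
    """Name a script would use: the version-independent ProgID when registered,
    otherwise the versioned one (the '.1' form from the page)."""
    return control['version_independent_progid'] or control['progid']


def in_downloaded_program_files(control: Dict[str, Optional[str]]) -> bool:
    """True when the DLL lives in IE's Downloaded Program Files folder, i.e. the
    control was installed over the web rather than by a local installer."""
    dll = control['dll'] or ''
    return '\\downloaded program files\\' in dll.lower()


if __name__ == '__main__':
    for clsid, info in parse_clsid_export(SAMPLE_REG_EXPORT).items():
        print(clsid, info['dll'], script_name(info), in_downloaded_program_files(info))
```

Pointing the parser at a full export of HKCR\CLSID (reg.exe export HKCR\CLSID clsid.reg) lists every registered in-process server on the machine; filtering on in_downloaded_program_files() narrows that to controls IE pulled down from the web, which are the ones worth reviewing first.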
TIP ActiveX controls are sometimes implemented with DLLs as you see
here. However, more often the file extension of the object code is .ocx. An
OCX can be treated just like a DLL for our purposes.
There's one last trick you need to know before attempting to instantiate this control to
see if we can RebootMachine() or RunCmd(). If you create HTML and run it locally, it
will load in the Local Machine zone. Remember from earlier that the rules governing the
Local Machine zone are different from the rules in the Internet zone where attackers live.
We could build this ActiveX control test in the LMZ, but if we were to find the control to be
vulnerable and report that vulnerability to the vendor, they would want to know whether
it can be reproduced in the more restrictive Internet zone.

