By default, it will only pass 0 or a long string value for each parameter. So if you want to use AxFuzz, you'll need to add the fuzzing smarts yourself. It is only a few pages of code, so you'll be able to figure it out quickly if you'd like to put some research into this tool, but we will not discuss it here.
Chapter 15: Client-Side Browser Exploits
377
PART IV
Figure 15-3 SupportSoft install dialog box
AxMan
More recently, H.D. Moore (of Metasploit fame) developed a pretty good COM object fuzzer called AxMan. AxMan runs in the browser, simulating a real environment in which to load a COM object. The nice thing about doing this is that every exploitable crash found by AxMan will be exploitable in the real world. The downside is slow throughput: IE script reloads each time you want to test a new combination of fuzzed variables. It also only works with IE6, due to defense-in-depth improvements made to IE7 in this area. But it's easy to download the tool (http://metasploit.com/users/hdm/tools/axman), enumerate the locally installed COM objects, and immediately start fuzzing. AxMan has discovered several serious vulnerabilities leading to Microsoft security bulletins.
Before fuzzing, AxMan requires you to enumerate the registered COM objects on the
system and includes a tool (axman.
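As an added example (not from the book and not part of AxMan), the following PowerShell inventories the in-process COM servers registered on a Windows machine and flags those whose registry entries mark them safe for scripting, which is the set a browser page can instantiate and call without a prompt. The two CATID GUIDs are the standard Microsoft component-category values; the function name and output layout are my own.

```powershell
# Added example: inventory registered COM objects and show which ones a
# browser page is allowed to script. Read-only registry access is enough.
# Assumes the 64-bit view of HKLM:\SOFTWARE\Classes (the default in a
# 64-bit PowerShell session).

$ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
# Well-known component category IDs (CATIDs) used by IE for safety checks
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ComObjectInventory {
    [CmdletBinding()]
    param([string]$Root = $ClsidRoot)

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        # In-process servers (DLLs) are what the browser loads into its own process
        $inproc = Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" `
                                   -Name '(default)' -ErrorAction SilentlyContinue
        if (-not $inproc) { continue }

        $name = (Get-ItemProperty -Path $key.PSPath -Name '(default)' `
                                  -ErrorAction SilentlyContinue).'(default)'
        $cats = "$($key.PSPath)\Implemented Categories"

        # Caveat: a control can also claim safety at runtime via IObjectSafety,
        # which a registry scan cannot see, so this list is a lower bound.
        [pscustomobject]@{
            CLSID               = $key.PSChildName
            Name                = $name
            Dll                 = $inproc.'(default)'
            SafeForScripting    = Test-Path "$cats\$SafeForScripting"
            SafeForInitializing = Test-Path "$cats\$SafeForInitializing"
        }
    }
}

# Usage: list only the controls a web page may script, grouped by DLL
Get-ComObjectInventory |
    Where-Object { $_.SafeForScripting } |
    Sort-Object Dll |
    Format-Table CLSID, Name, Dll -AutoSize
```

The resulting list is the browser-reachable ActiveX attack surface on that machine, which is what a fuzzer like AxMan exercises and what a defender wants to keep as small as possible.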