
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"


Chapter 15: Client-Side Browser Exploits
PART IV
Figure 15-4 AxMan interface
Gray Hat Hacking: The Ethical Hacker's Handbook
This system had 4600 registered COM objects! Each was listed in objects.js and had a corresponding {CLSID}.js in the conf directory. The web UI will happily start cranking through all 4600, starting at the first or anywhere in the list by changing the Start Index. You can also test a single object by filling in the CLSID text box and clicking Single.

If you run AxMan for long enough, you will find crashes, and a subset of those crashes will probably be security vulnerabilities. Before you start fuzzing, attach a debugger to your iexplore.exe process so you can triage the crashes in the debugger as the access violations roll in, or generate crash dumps for offline analysis. One nice thing about AxMan is its deterministic fuzzing algorithm: it performs the same fuzzing in the same sequence every time it runs, so any crash found with AxMan can be found again by rerunning it against the crashing CLSID.

In this book we don't want to disclose vulnerabilities that haven't yet been reported to or fixed by the vendor, so let's use AxMan to look more closely at an already fixed vulnerability.
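The property the paragraph above relies on, that the same CLSID always gets the same method calls with the same arguments in the same order, is what makes a crash reproducible from nothing more than the crashing CLSID and the last progress line. The following JavaScript is an added example of such a deterministic schedule, not AxMan's own code: the CLSIDs, ProgIDs, method names, argument corpus and the fake control that "crashes" on a 64 KiB string are all constructed for this example, and `ieInstantiate` only illustrates how the same harness would create a control by CLSID inside Internet Explorer through an `<object classid="clsid:...">` element.

```javascript
'use strict';

// Constructed stand-in for the listing AxMan builds (objects.js plus one {CLSID}.js per
// control): each CLSID maps to the methods the control exposes. All values are invented.
const OBJECTS = {
  '{11111111-0000-0000-0000-000000000001}': { progid: 'Demo.Viewer', methods: ['Open', 'SetPath', 'Count'] },
  '{22222222-0000-0000-0000-000000000002}': { progid: 'Demo.Loader', methods: ['Load', 'Reset'] },
  '{33333333-0000-0000-0000-000000000003}': { progid: 'Demo.Stats', methods: ['Sample'] },
};

// Argument corpus (assumed, AxMan-style): boundary integers and long strings, always tried in
// this order, so every (clsid, method, argument) case has a fixed position in the run.
const ARG_CORPUS = [0, 1, -1, 0x7fffffff, 0xffffffff, 'A'.repeat(1024), 'A'.repeat(65536), null];

function describeArg(a) {
  return typeof a === 'string' ? `'A'x${a.length}` : String(a);
}

// Deterministic schedule: same objects + same startIndex => same cases in the same order.
// `only` restricts the run to one CLSID, like AxMan's Single button.
function* schedule(objects, startIndex = 0, only = null) {
  const clsids = Object.keys(objects).sort();
  for (let i = startIndex; i < clsids.length; i++) {
    const clsid = clsids[i];
    if (only !== null && clsid !== only) continue;
    const methods = objects[clsid].methods;
    for (let m = 0; m < methods.length; m++) {
      for (let a = 0; a < ARG_CORPUS.length; a++) {
        yield { index: i, clsid, method: methods[m], argIndex: a, arg: ARG_CORPUS[a] };
      }
    }
  }
}

// Browser side: IE instantiates a control by CLSID through an <object> tag. A real access
// violation kills iexplore.exe, so the attached debugger plus the last onCase progress entry
// (not a catch block) identify the crashing case. Not called outside IE.
function ieInstantiate(clsid) {
  const el = document.createElement('object');
  el.setAttribute('classid', 'clsid:' + clsid.slice(1, -1));
  document.body.appendChild(el);
  return el;
}

// Runs every scheduled case; onCase is called before each call so progress survives a crash.
function runFuzz(objects, instantiate, { startIndex = 0, only = null, onCase = null } = {}) {
  const log = [];
  const crashes = [];
  for (const c of schedule(objects, startIndex, only)) {
    const label = `${c.index} ${c.clsid} ${c.method}(${describeArg(c.arg)})`;
    if (onCase) onCase(label);
    let ctl;
    try {
      ctl = instantiate(c.clsid);
    } catch (e) {
      log.push(`${label} instantiate failed: ${e.message}`);
      continue;
    }
    try {
      ctl[c.method](c.arg);
      log.push(`${label} ok`);
    } catch (e) {
      crashes.push({ index: c.index, clsid: c.clsid, method: c.method, argIndex: c.argIndex, error: e.message });
      log.push(`${label} CRASH: ${e.message}`);
    }
  }
  return { log, crashes };
}

// Reproduces a recorded crash by rerunning only that CLSID and checking that the same
// (method, argIndex) fails again: the replay step the deterministic order makes possible.
function replay(objects, instantiate, crash) {
  const { crashes } = runFuzz(objects, instantiate, { only: crash.clsid });
  return crashes.some((c) => c.method === crash.method && c.argIndex === crash.argIndex);
}

// Constructed simulation of the registered controls so the file runs outside IE:
// Demo.Viewer.SetPath throws on a 64 KiB string, standing in for an unchecked buffer copy
// that would be an access violation in a real control; everything else accepts any argument.
function fakeInstantiate(clsid) {
  const entry = OBJECTS[clsid];
  if (!entry) throw new Error('not registered');
  const ctl = {};
  for (const m of entry.methods) {
    ctl[m] = (arg) => {
      if (entry.progid === 'Demo.Viewer' && m === 'SetPath' && typeof arg === 'string' && arg.length >= 65536) {
        throw new Error('ACCESS_VIOLATION (simulated)');
      }
    };
  }
  return ctl;
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = runFuzz(OBJECTS, fakeInstantiate, { onCase: (l) => process.stdout.write(`[progress] ${l}\n`) });
  for (const c of result.crashes) {
    console.log(`crash: index ${c.index} ${c.clsid} ${c.method} arg#${c.argIndex}; replay reproduces: ${replay(OBJECTS, fakeInstantiate, c)}`);
  }
}
```

Run twice, the log is byte-for-byte identical, and `replay` with the recorded CLSID, method and argument index reproduces the crash without rerunning the other 4599 objects; `startIndex` lets a run resume past a CLSID that killed the browser, which is the same workflow as AxMan's Start Index field.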

