Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 15: Client-Side Browser Exploits
Figure 15-6 ADODB.Connection crash reproduced with a stand-alone HTML test file

Every time you start fuzzing with AxMan you'll hit this crash in the first few minutes. You have a few options if you'd like to finish your fuzzing run. First, you could start fuzzing at an index after ADODB.Connection. In Figure 15-5, it was index #39, so starting at index #40 would not crash in this exact clsid. However, if you look at the AxEnum output for ADODB.Connection, or look inside the {00000514-0000-0010-8000-00AA006D2EA4}.js file, you'll see there are several other methods in this same control that we'd like to fuzz. So your other option is to add this specific method from this specific clsid to AxMan's skip list. This list is maintained in blacklist.js. You can exclude an entire clsid, a specific property being fuzzed, or a specific method. Here's what the skip list would look like for the Execute method of the ADODB.Connection ActiveX control:
blmethods["{00000514-0000-0010-8000-00AA006D2EA4}"] = new Array( 'Execute' );
As H.D. Moore points out in the AxMan README file, blacklist.js can double as a list of
discovered bugs if you add each crashing method to the file with a comment showing
the passed-in parameters from the IE status bar.
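The three skip-list scopes described above (an entire clsid, a single property, a single method) applied to a small control inventory, as an added example that is not AxMan's own code: only the blmethods entry comes from the book; the blclsids and blprops names, the second clsid and the "ConstructedProp" property are constructed for illustration.

```javascript
// Added example, not AxMan's code: model the skip-list scopes from the chapter
// and compute which (clsid, member) targets a fuzzing run would still exercise.

// From the chapter: skip the Execute method of ADODB.Connection.
const blmethods = {};
blmethods["{00000514-0000-0010-8000-00AA006D2EA4}"] = ["Execute"];

// Assumed list names (AxMan's real variable names for these are not given here).
const blclsids = ["{11111111-0000-0000-0000-000000000001}"];        // constructed clsid
const blprops = { "{00000514-0000-0010-8000-00AA006D2EA4}": ["ConstructedProp"] };

// Decide whether one fuzz target is excluded: whole control first, then member.
function isSkipped(clsid, member, kind) {
  if (blclsids.indexOf(clsid) !== -1) return true;              // entire clsid excluded
  const list = kind === "method" ? blmethods[clsid] : blprops[clsid];
  return Array.isArray(list) && list.indexOf(member) !== -1;     // specific member excluded
}

// Build the fuzz plan from an inventory shaped like AxEnum output:
// { clsid: { methods: [...], properties: [...] } }
function buildFuzzPlan(inventory) {
  const plan = [];
  for (const clsid of Object.keys(inventory)) {
    for (const m of inventory[clsid].methods || [])
      if (!isSkipped(clsid, m, "method")) plan.push(clsid + ":" + m + "()");
    for (const p of inventory[clsid].properties || [])
      if (!isSkipped(clsid, p, "property")) plan.push(clsid + ":" + p);
  }
  return plan;
}

// Constructed inventory: ADODB.Connection plus one fully blacklisted control.
const inventory = {
  "{00000514-0000-0010-8000-00AA006D2EA4}": {
    methods: ["Open", "Execute", "Close"],
    properties: ["ConstructedProp", "State"],
  },
  "{11111111-0000-0000-0000-000000000001}": {
    methods: ["Crash"], properties: ["Anything"],
  },
};
```

Running buildFuzzPlan(inventory) leaves only Open(), Close() and State on ADODB.Connection; the second control drops out entirely.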