AxMan
AxMan is a tool that enumerates all the methods an ActiveX control supports. When you’re hunting for a vulnerability and see methods such as CreateObject(), Launch() or Run(), take a close look to make sure they can’t be repurposed to run malicious code.
A little background:
Instantiating WScript.Shell directly from the Internet zone will fail, as it is meant to be used only in a trusted environment such as the Local Machine zone. However, Russian hackers discovered that instantiating the safe-for-scripting WMIScriptUtils.WMIObjectBroker2 ActiveX control, and then calling the CreateObject() method defined on that control, allowed them to create any arbitrary object, bypassing security checks! They promptly used this client-side vulnerability to install malware by hosting the exploit code on hundreds of adult websites. At the time it was being abused, no other IE zero-day vulnerability was widely known in the community, so anybody who wanted to install malware was using this vulnerability.
For example, first examine this code:
<script>
var o = new ActiveXObject("WMIScriptUtils.WMIObjectBroker2");
var x = o.CreateObject("WScript.Shell");
x.run("cmd.exe /k");
</script>
Note that WScript.Shell is not a safe object to call.
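The following is an added example, not code from the original post or from AxMan: a small static check that tracks ActiveXObject variables in a page's script and reports calls to the method names singled out above, including calls on objects obtained indirectly through CreateObject(). The function name, the regular expressions and the RISKY_METHODS list are assumptions made for illustration, and regex matching is a triage aid rather than a real JavaScript parser.

```javascript
// Added example, not AxMan code. Method names come from the article's advice.
const RISKY_METHODS = ["createobject", "launch", "run"];

// var o = new ActiveXObject("Some.ProgID")
const NEW_AX = /([A-Za-z_$][\w$]*)\s*=\s*new\s+ActiveXObject\s*\(\s*["']([^"']+)["']/g;
// [x =] o.Method("first string argument", ...
const CALL = /(?:([A-Za-z_$][\w$]*)\s*=\s*)?([A-Za-z_$][\w$]*)\s*\.\s*([A-Za-z_$][\w$]*)\s*\(\s*(?:["']([^"']*)["'])?/g;

function findRiskyActiveXCalls(source) {
  const tracked = new Map(); // variable name -> { progId, via }
  for (const m of source.matchAll(NEW_AX)) {
    tracked.set(m[1], { progId: m[2], via: null });
  }
  const findings = [];
  for (const m of source.matchAll(CALL)) {
    const [, assignedTo, receiver, method, firstArg] = m;
    const obj = tracked.get(receiver);
    if (!obj || !RISKY_METHODS.includes(method.toLowerCase())) continue;
    findings.push({ receiver, progId: obj.progId, via: obj.via, method,
                    argument: firstArg ?? null });
    // A CreateObject-style call hands back a new object; track it so later
    // calls on it are attributed to the control that brokered it.
    if (assignedTo && firstArg && method.toLowerCase() === "createobject") {
      tracked.set(assignedTo, { progId: firstArg, via: obj.progId });
    }
  }
  return findings;
}

// Sample input: the snippet shown in the article, plus one unrelated call
// (constructed) that must not be reported.
const SAMPLE = `
var o = new ActiveXObject("WMIScriptUtils.WMIObjectBroker2");
var x = o.CreateObject("WScript.Shell");
x.run("cmd.exe /k");
timer.run("tick");
`;

for (const f of findRiskyActiveXCalls(SAMPLE)) {
  const origin = f.via ? ` (obtained via ${f.via})` : "";
  console.log(`${f.progId}${origin}: ${f.method}(${JSON.stringify(f.argument)})`);
}
```

The second finding shows why the brokered object matters: the run() call is attributed to WScript.Shell, which the script never instantiated directly.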
Microsoft Security Bulletin MS06-073 (WMIScriptUtils)
www.microsoft.com/technet/security/bulletin/ms06-073.mspx
Metasploit exploit www.metasploit.com/modules/