
Analyzing ActiveX controls

In my post about the vulnerability in the SuperBuddy ActiveX control, I glossed over two details that may be interesting:

  1. how to find out which methods an ActiveX control exposes
  2. how to locate a specific method inside the binary that implements the control.

Several tools solve the first problem. In particular, I like OLE/COM Object Viewer (oleviewer, in short) and COMRaider.

For example, oleviewer shows the following information about SuperBuddy:

Information about SuperBuddy shown by oleviewer

In particular, note the CLSID and ProgID fields (you need one of these values to instantiate the control) and the path to the DLL that provides it. On the left-hand side is the list of interfaces the control implements.

If you focus on the ISuperBuddy interface, you obtain the list of its methods. As expected, the vulnerable method LinkSBIcons is shown and we can also see its signature.

The ISuperBuddy interface

For the second problem (getting the address of a method), I could not find a better way than instantiating the control and dumping its virtual table (this is essentially the same approach the folks at Websense proposed):

#include "stdafx.h"
#include <stdio.h>
// The #import directive makes the compiler generate C++ wrappers (the SBLib
// namespace, the SuperBuddy coclass and the ISuperBuddy interface) from the
// type library embedded in the DLL.
#import "C:\Program Files\AOL 9.0\sb.dll"

int _tmain(int argc, _TCHAR* argv[])
{
    SBLib::ISuperBuddy *pSb = NULL;
    CoInitialize(NULL);
    // Instantiate the control as a browser would and ask for its
    // ISuperBuddy interface pointer.
    HRESULT hr = CoCreateInstance(__uuidof(SBLib::SuperBuddy),
                   NULL,
                   CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER,
                   __uuidof(SBLib::ISuperBuddy),
                   (LPVOID *) &pSb);
    if (hr == S_OK) {
        // The first DWORD of a COM object is its vtable pointer; the vtable
        // is a plain array of function pointers (32-bit build, hence DWORD).
        DWORD vtable = *(DWORD *) pSb;
        DWORD *p = (DWORD *) vtable;
        // 55 slots comfortably cover LinkSBIcons at index 49; anything read
        // past the real end of the table is just whatever follows it in memory.
        for (int i = 0; i < 55; i++) {
            printf("%02d: %p\n", i, (void *) *p);
            p++;
        }
        pSb->Release();
    } else {
        printf("CoCreateInstance error: %x\n", hr);
        CoUninitialize();
        return 1;
    }
    CoUninitialize();
    return 0;
}

The slots follow the same order in which oleviewer lists the methods: indices 0, 1 and 2 are IUnknown's QueryInterface(), AddRef() and Release(), and all the other methods follow, counting up. LinkSBIcons is at index 49, which corresponds to address 0x6398692D. Keep in mind that these are the addresses at which sb.dll happened to be mapped in the dumping process: subtract the module's load base to obtain an RVA that you can use in a disassembler, or against a copy of the DLL loaded at a different base.

00: 63984070
01: 63983FEC
02: 63983FFC
...
48: 639870C9
49: 6398692D
50: 6398735B
...
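To turn such a dump into something you can follow in a disassembler or a hex editor, the runtime address has to be mapped back to an RVA and a file offset through the DLL's section table. The script below is an added example and not code from the post: it labels the dumped slots (IUnknown's three methods first, then the interface's methods in oleviewer order) and resolves each address against a minimal PE header. The PE image it parses is constructed inline to stand in for sb.dll, the load base 0x63980000 is an assumed value chosen so that the post's addresses fall inside it, and since the post only names LinkSBIcons, placeholders stand in for the other ISuperBuddy methods.

```python
import struct

# vtable slots 0..2 belong to IUnknown; the interface's own methods follow
# in type-library (oleviewer) order.
IUNKNOWN_SLOTS = ["IUnknown::QueryInterface", "IUnknown::AddRef", "IUnknown::Release"]


def label_vtable(dump, interface_methods):
    """Attach a method name to each (slot, address) pair of a vtable dump.

    interface_methods lists the interface's methods in the order oleviewer
    shows them; IUnknown's three slots are prepended automatically.
    """
    names = IUNKNOWN_SLOTS + list(interface_methods)
    return [(slot, addr, names[slot] if slot < len(names) else "<past declared methods>")
            for slot, addr in dump]


class PEImage:
    """Minimal PE parser: preferred image base and the section table only."""

    def __init__(self, data):
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:        # PE32: ImageBase is a DWORD at +28
            self.image_base = struct.unpack_from("<I", data, opt + 28)[0]
        elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
            self.image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        else:
            raise ValueError("unknown optional header magic 0x%x" % magic)
        self.sections = []
        table = opt + opt_size
        for i in range(nsect):
            name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
            self.sections.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))

    def rva_to_file_offset(self, rva):
        """Return (section name, file offset) for an RVA, or None if no section maps it."""
        for name, vsize, va, rawsize, rawptr in self.sections:
            if va <= rva < va + max(vsize, rawsize):
                return name, rva - va + rawptr
        return None


def locate(pe, address, load_base):
    """Translate a function pointer read from a live vtable into RVA / file offset.

    address:   the pointer as printed by the dumper
    load_base: where the DLL was actually mapped in the dumping process
    """
    rva = address - load_base
    if rva < 0:
        return None
    hit = pe.rva_to_file_offset(rva)
    if hit is None:
        return None
    section, file_offset = hit
    return {"rva": rva, "section": section, "file_offset": file_offset,
            "preferred_va": pe.image_base + rva}


def build_sample_pe():
    """Constructed PE32 header set (headers only, no code) standing in for the real DLL."""
    image_base = 0x10000000
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [(b".text", 0x9000, 0x1000, 0x9000, 0x400),
                (b".data", 0x2000, 0xA000, 0x1000, 0x9400)]
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Slots copied from the dump in the post; the load base is an assumed value.
SAMPLE_DUMP = [(0, 0x63984070), (1, 0x63983FEC), (2, 0x63983FFC),
               (48, 0x639870C9), (49, 0x6398692D), (50, 0x6398735B)]
ASSUMED_LOAD_BASE = 0x63980000
# Only LinkSBIcons (slot 49) is named in the post; placeholders fill the other slots.
ISUPERBUDDY_METHODS = ["<ISuperBuddy method>"] * 46 + ["ISuperBuddy::LinkSBIcons", "<ISuperBuddy method>"]

if __name__ == "__main__":
    pe = PEImage(build_sample_pe())
    for slot, addr, name in label_vtable(SAMPLE_DUMP, ISUPERBUDDY_METHODS):
        loc = locate(pe, addr, ASSUMED_LOAD_BASE)
        print("%02d: %08X  %-28s rva=%05X %s file+%05X" % (
            slot, addr, name, loc["rva"], loc["section"], loc["file_offset"]))
```

With a real DLL, read the file into `PEImage` instead of calling `build_sample_pe()`, and take the load base from the dumping process (for example from the module list in a debugger, or by printing `GetModuleHandle` for sb.dll inside the dumper). The `preferred_va` field is the address a disassembler shows when it loads the file at its own ImageBase, which is usually what you want to jump to.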

Let me know if you know a better way to do this!
