This week in our Ruby For Pentesters series I wanted to cover a Ruby library we have used a lot over the past year or so. Using Ruby on Windows is not one of the most exciting things I can think of, but there are times when you have no choice, and working with ActiveX controls is one of those times.
Working with COM objects can be tricky; it's a complex and sometimes confusing technology. Lucky for us, Ruby ships with a library called WIN32OLE by default. WIN32OLE can be used for inspecting and controlling COM/OLE components from Ruby. For example, we can use the WIN32OLE library to open up and play with Internet Explorer.
require 'win32ole'
ie = WIN32OLE.new('InternetExplorer.Application')
ie.visible = true
ie.navigate('http://www.runplaybook.com')
We passed in the ProgID for Internet Explorer and sent it to a URL of our choosing. Pretty standard stuff for a COM interface, but it's pretty neat how seamlessly it works from Ruby.
Do you subscribe to milw0rm's RSS feed? It's full of ActiveX vulnerabilities. But let me fill you in on a little secret: most of them are nothing more than feeding some random ActiveX control's eatAString() method a bunch of A's. But how are these obscure (it's called sarcasm, people) and seemingly exploitable bugs found?
Well, I'm here to show you! And I promise by the end you will be finding bugs in some random ActiveX control on your box. When an ActiveX control is marked 'Safe For Scripting' it usually exposes a bunch of methods and properties that the browser can call or set from a scripting language like JavaScript or VBScript. This is what makes ActiveX bugs fun: IT'S NATIVE CODE. But how can we find these interfaces and start poking at them with Ruby? WIN32OLE, of course.
Note: We won't go too deep into the details of COM/OLE here; check out [www.cert.org] or [uninformed.org] if you're interested in a more detailed write-up.
WIN32OLE can do a lot more than just control Internet Explorer. We can use it to list all of the properties and methods any ActiveX control exposes. Let's drill down and focus on an individual ActiveX control that we can start fuzzing. Windows XP ships with an ActiveX control named 'htmlfile'. You can read more about it here [cometdaily.com] and here [msdn.microsoft.com]. This is a good example control because it contains a lot of methods we can play with. Here's some small example Ruby code that demonstrates how to get a list of methods the control exposes:
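Before poking at a control (or when triaging one that turned up in that RSS feed), it is worth checking how Windows has it marked. The registry category for Safe For Scripting is what lets IE hand the control to JavaScript at all, and the kill bit under "ActiveX Compatibility" is how Microsoft and administrators block a vulnerable CLSID without uninstalling it. The following is an added example, not code from the post or from AxRub; the two CATIDs and the 0x400 flag are the documented Windows values, Example.Control and its CLSID are constructed sample data, and live_registry_view only works on Windows.

```ruby
# Added example (not from the post or AxRub). Registry data is passed in as a
# Hash of "HIVE\\path" => { value_name => data } so the logic runs off-Windows.
require 'win32/registry' if Gem.win_platform?
CATID_SAFE_FOR_SCRIPTING    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
CATID_SAFE_FOR_INITIALIZING = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
KILLBIT_FLAG  = 0x400  # "Compatibility Flags" bit that stops IE loading the CLSID
AXCOMPAT_PATH = 'SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility'
# Caveat: a control may also answer "safe" at runtime via IObjectSafety, which the
# registry does not show, so safe_for_scripting == false is not proof it is unreachable.
def assess_control(progid, reg)
  clsid = (reg["HKCR\\#{progid}\\CLSID"] || {})['']
  return { error: "no CLSID registered for ProgID #{progid}" } unless clsid
  clsid = clsid.upcase
  cats  = "HKCR\\CLSID\\#{clsid}\\Implemented Categories\\"
  flags = (reg["HKLM\\#{AXCOMPAT_PATH}\\#{clsid}"] || {})['Compatibility Flags'].to_i
  safe_script = reg.key?(cats + CATID_SAFE_FOR_SCRIPTING)
  kill_bit    = (flags & KILLBIT_FLAG) != 0
  { clsid: clsid, safe_for_scripting: safe_script, kill_bit: kill_bit,
    safe_for_initializing: reg.key?(cats + CATID_SAFE_FOR_INITIALIZING),
    scriptable_from_ie: safe_script && !kill_bit }
end
# Windows only: open a key and yield it; a missing key or value yields nothing.
def try_open(hive, path)
  hive.open(path) { |k| yield k }
rescue Win32::Registry::Error
  nil
end
# Windows only: snapshot just the keys assess_control needs from the live registry.
def live_registry_view(progid)
  hkcr, hklm = Win32::Registry::HKEY_CLASSES_ROOT, Win32::Registry::HKEY_LOCAL_MACHINE
  view = {}
  try_open(hkcr, "#{progid}\\CLSID") { |k| view["HKCR\\#{progid}\\CLSID"] = { '' => k[''] } }
  return view if view.empty?
  clsid = view["HKCR\\#{progid}\\CLSID"][''].upcase
  [CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INITIALIZING].each do |cat|
    path = "CLSID\\#{clsid}\\Implemented Categories\\#{cat}"
    try_open(hkcr, path) { view["HKCR\\#{path}"] = {} }
  end
  try_open(hklm, "#{AXCOMPAT_PATH}\\#{clsid}") do |k|
    view["HKLM\\#{AXCOMPAT_PATH}\\#{clsid}"] = { 'Compatibility Flags' => k['Compatibility Flags'] }
  end
  view
end
# Constructed sample (fake CLSID): marked Safe For Scripting but kill-bitted.
SAMPLE_CLSID = '{00000000-1111-2222-3333-444444444444}'
SAMPLE_VIEW  = {
  "HKCR\\Example.Control\\CLSID" => { '' => SAMPLE_CLSID },
  "HKCR\\CLSID\\#{SAMPLE_CLSID}\\Implemented Categories\\#{CATID_SAFE_FOR_SCRIPTING}" => {},
  "HKLM\\#{AXCOMPAT_PATH}\\#{SAMPLE_CLSID}" => { 'Compatibility Flags' => 0x400 },
}
```

On a Windows box, `assess_control('htmlfile', live_registry_view('htmlfile'))` reports the real control; on 64-bit systems the Wow6432Node copies of these keys are not consulted here.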
require 'win32ole'
a = WIN32OLE.new('htmlfile')
# Keep only the methods the type library marks as visible to callers
methods = a.ole_methods.select { |m| m.visible? }
methods.each do |meth|
  puts "#{meth.name}(" +
    meth.params.map { |p| "#{p.ole_type} #{p.name}" }.join(', ') + ")"
end
You should have seen a bunch of junk scroll up your terminal, junk like:
cloneNode(BOOL fDeep)
removeNode(BOOL fDeep)
swapNode(IHTMLDOMNode otherNode)
replaceNode(IHTMLDOMNode replacement)
appendChild(IHTMLDOMNode newChild)
What you saw was WIN32OLE opening the 'htmlfile' control by using its ProgID and dumping the methods exposed by the control along with their type information. Great, now we know what methods we can call into and what type of arguments those methods are expecting. With this information we can start generating test cases and looking for bugs. But we're getting ahead of ourselves here; first we need to understand how to instantiate the control the way a real web page would. We can use some simple HTML and JavaScript for that:
<html>
<script type="text/javascript">
var axobj = new ActiveXObject("htmlfile");
</script>
</html>
Note: Yes, it's possible to fuzz directly into the control via WIN32OLE, but we're interested in vulnerabilities we can reach via JavaScript within Internet Explorer. For this reason we stick with the 'fake web server' technique.
Now if we wanted to call the cloneNode() method within htmlfile, our JavaScript looks like this:
<html>
<script type="text/javascript">
var axobj = new ActiveXObject("htmlfile");
axobj.cloneNode(1);
</script>
</html>
So now we need to use Ruby to automate all of this and find some bugs. Enter AxRub.
AxRub is a tool I threw together and discussed this July at Blackhat 2009 during our Ruby For Pentesters talk. AxRub was inspired by HD Moore's AXMan, which is an impressive tool but difficult to use on a targeted penetration test. AxRub makes the process of fuzzing ActiveX controls much more targeted, and fast! It's very early stage code and needs a lot of improvement, so your ideas are welcome. You can grab AxRub here: http://github.com/struct/AxRub
Here is an overview of how it works:
1. Uses WIN32OLE to get a list of the methods/properties our target ActiveX control exposes
2. Sets up a small fake web server
3. Listens for connections from IE
4. Generates test cases and serves them up via HTML
Demo:
C:/> ruby axrub.rb htmlfile
Now connect to http://localhost:8080 with Internet Explorer and wait for those quality 0days to roll in.