Getting Started
To introduce the basic features of COMRaider, this document serves as a walkthrough of a simple audit.

From the main interface, click the Start button, which brings up the load file wizard:



This form is the main launch point, where you select the file you wish to audit. All of the options should be self-explanatory.

For this walkthrough we will use the default option and choose the file vuln.dll, which is included with the COMRaider installer. This test ActiveX DLL can be found in:

[COMRaider's install directory]\vuln.dll


Note:

If you would like to follow along, make sure to register this ActiveX DLL with regsvr32.exe. It is not registered by default because it is an example of a vulnerable server; full source is included. To register vuln.dll in the default install location, run the following command in a cmd window or from the Start -> Run dialog:
regsvr32 c:\idefense\comraider\vuln.dll



After selecting our target, we are brought to our type library viewer form.



Here we see a listing of all of the class's fuzzable functions. Clicking each treeview node on the left displays information specific to that node on the right. Each type of node also presents different right-click menu options.

When using this form, you may also notice its caption bar saying that it is only displaying elements for a certain CLSID. If you wish to see all of the classes in a specific DLL/OCX file, right-click on the topmost node and choose the "View all Classes" menu item.

For our purposes here, we will right-click on the class icon and choose to fuzz the main class. This option generates fuzz files for each function found on the class's default interface (IServer).

Once the fuzz files are created, click the Next button to go to the debugger interface.



This form houses the built-in debugger; it launches each of our WSF files in wscript.exe while monitoring for exceptions. The CrashMon form has four listviews. The top one is the file list of fuzz scripts and also carries an extensive right-click menu.

Second down is the exception list, which displays error information. Double-clicking an exception entry displays that exception's error environment.

The third listview shows windows that were displayed and closed during the script's run. These can be MessageBox text, script errors or other system dialogs.

The bottom-most listview is the API log. Hooked functions currently include:
WriteFile, CreateFileA, WriteFileEx, _lcreat, _lwrite, URLDownloadToFileA, URLDownloadToCacheFile, RegCreateKeyA, RegSetValueA, RegCreateKeyExA, RegSetValueExA

Click the "Begin Fuzzing" button to start running the fuzz scripts.

Once the tests are completed, you can click any item in the file list to view its output. Various options are available that should be self-explanatory.

Displayed in the example screenshot above are the results of fuzzing our test vuln.dll. Here you can see that several exceptions were encountered and listed in the exception listview.

Double-clicking any of these entries brings up the full details of the exception environment captured at the time.



In the screenshot above you can see a partial listing of the exception environment, including the registers with data dereferencing, and the call stack.

Other information available for each crash includes:
  • exception address, exception code, exception instruction
  • SEH chain
  • registers with data dereferencing
  • call stack
  • argument dump for the called function
  • block disassembly including 5 instructions before and after the crash address
  • hexdump of the stack

Once the debug tests have been run, you can analyze the results for exploitability, upload the audit results, upload specific fuzz files to the central server, or test the exploit directly in IE using a small built-in web server. All of these options are available from a right-click menu.
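As an added example (not COMRaider's own code), the following Python sketches the exploitability triage a reviewer performs over the crash fields listed above and the API log; the record layout and SAMPLE_CRASH are constructed assumptions, not real vuln.dll output.

```python
"""Exploitability triage over a crash record shaped like the COMRaider
exception environment listed above. Added example, not COMRaider's own code;
the dict layout and SAMPLE_CRASH are constructed assumptions."""

# Fuzz strings are long runs of one character, so a 32-bit value whose four
# bytes are the same printable byte almost certainly came straight from input.
def looks_like_fuzz_data(value: int) -> bool:
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7F

# The API hooks COMRaider installs, grouped by what they let a script do.
FILE_APIS = {"CreateFileA", "WriteFile", "WriteFileEx", "_lcreat", "_lwrite",
             "URLDownloadToFileA", "URLDownloadToCacheFile"}
REG_APIS = {"RegCreateKeyA", "RegCreateKeyExA", "RegSetValueA", "RegSetValueExA"}

def triage(crash: dict) -> list:
    """Return findings as strings, most severe first."""
    findings = []
    regs = crash["registers"]
    if looks_like_fuzz_data(regs["eip"]):
        findings.append("EIP = %#x is fuzz input: control-flow hijack, treat as exploitable"
                        % regs["eip"])
    if any(looks_like_fuzz_data(h) for h in crash["seh_chain"]):
        findings.append("SEH handler overwritten with fuzz input")
    if crash["exception_code"] == 0xC0000005 and not findings:
        # Plain access violation: could be a read past a buffer, needs manual review.
        findings.append("access violation at %#x without EIP/SEH control: review manually"
                        % crash["exception_address"])
    tainted = sorted(r for r, v in regs.items() if r != "eip" and looks_like_fuzz_data(v))
    if tainted:
        findings.append("registers holding fuzz input: " + ", ".join(tainted))
    # A control marked safe for scripting should not reach these with script data.
    for api, arg in crash["api_log"]:
        if api in FILE_APIS:
            findings.append(f"{api} on {arg}: file access reachable from script")
        elif api in REG_APIS:
            findings.append(f"{api} on {arg}: registry write reachable from script")
    return findings

SAMPLE_CRASH = {  # constructed sample, not real vuln.dll output
    "exception_code": 0xC0000005,
    "exception_address": 0x41414141,
    "registers": {"eip": 0x41414141, "esp": 0x0012F9A0, "eax": 0x41414141, "ecx": 0x7C910000},
    "seh_chain": [0x0012FFE0, 0x41414141],
    "api_log": [("CreateFileA", r"C:\test.txt"), ("WriteFile", r"C:\test.txt")],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_CRASH):
        print(finding)
```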