DniproPirate

[MASM32] Com+ fuzzer for InternetExplorer - main.asm

Nov 20th, 2011
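  .386p
  .model flat, stdcall
  option casemap:none
  ; Syntax: MASM (Intel order, 32-bit, stdcall).  Registry / ListView / COM
  ; constants and prototypes come from the MASM32 SDK includes below.
  include \masm32\include\windows.inc
  include \masm32\include\kernel32.inc
  include \masm32\include\user32.inc
  include \masm32\include\advapi32.inc
  include \masm32\include\ole32.inc
  include \masm32\include\comctl32.inc
  includelib \masm32\lib\kernel32.lib
  includelib \masm32\lib\user32.lib
  includelib \masm32\lib\advapi32.lib
  includelib \masm32\lib\ole32.lib
  includelib \masm32\lib\comctl32.lib

  CountCLSIDnGUID PROTO                   ; defined after Start, called from DlgProc

  ;---------------------------------------------------------------------------
  ; Uninitialised globals.  The enumeration routines share these buffers as
  ; scratch space; see the per-field notes for who writes what.
  ;---------------------------------------------------------------------------
  .data?
  szSubKey db 0400h dup(?)                ; subkey name returned by RegEnumKeyEx under SOFTWARE\Classes (the ProgID)
  dwSubKeySize dd ?                       ; in/out size for that RegEnumKeyEx call
  szRegKey db 0400h dup(?)                ; formatted key path, then reused as RegEnumKeyEx output in IsSafeFor*
  dwRegKey dd ?                           ; in/out size for RegEnumKeyEx in IsSafeFor*
  dwMainRegKey dd ?                       ; HKEY of HKLM\SOFTWARE\Classes
  dwMainRegKeyCLSID dd ?                  ; HKEY of HKLM\SOFTWARE\Classes\<ProgID>\CLSID
  dqFileTime dq ?                         ; FILETIME out-parameter of RegEnumKeyEx (unused afterwards)
  stdOut dd ?                             ; not referenced in this file
  stdIn dd ?                              ; not referenced in this file
  wbuf db 0400h dup(?)                    ; ANSI CLSID string; IsObjectSafety also uses it as the WCHAR target
  Written dd ?                            ; in/out byte count for RegQueryValue
  hModule dd ?                            ; HINSTANCE from GetModuleHandle
  hList dd ?                              ; HWND of the ListView (IDC_LIST1)
  clmn LVCOLUMN <>                        ; column template used by DlgProc
  item LVITEM <>                          ; item template used by CountCLSIDnGUID (iItem = next row)
  sbitm LVITEM <>                         ; not referenced in this file
  .const
  IDC_LIST1 DD 01000d                     ; ListView control id, stored as a dword (invoke pushes its contents)
  DlgName DB "ComFuzzer", 0h              ; name of the dialog template resource
  .data
  szCl1 db "CLSID", 0h                    ; column header texts
  szCl2 db "ProgID", 0h
  szMsg db "ActiveX Fuzzer", 0ah, 0dh, 0ah, 0dh   ; leftover console banner, not referenced (note: LF,CR order)
  szMsg_size = $ - szMsg
  szPressKey db 0ah, 0dh, "Press Enter to exit"  ; leftover console prompt, not referenced
  szPressKey_size = $ - szPressKey
  szImplCat db "CLSID\%s\Implemented Categories", 0h     ; wsprintf template, relative to HKCR
  szCATID_SafeForScripting db "{7DD95801-9882-11CF-9FA9-00AA006C42C4}", 0h
  szCATID_SafeForInit db "{7DD95802-9882-11CF-9FA9-00AA006C42C4}", 0h
  szUnknown db "{00000000-0000-0000-C000-000000000046}", 0h   ; not referenced (binary IUnknown below is used)
  szIID_IObjectSafety db "{CB5BDC81-93C1-11CF-8F20-00805F2CD064}", 0h   ; not referenced (binary IObjectSafety below is used)
  ; Kill-bit key, relative to HKLM.  The original spelled the last component
  ; "Compatiblity", so the key never opened and no object was ever reported
  ; as kill-bitted.
  szIsKillBitted db "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\%s", 0h
  szIsKillBitted2 db "Compatibility Flags", 0h          ; REG_DWORD value queried by IsKillBitted
  szMainRegKey db "SOFTWARE\Classes", 0h                ; enumeration root, relative to HKLM
  szMainRegKeyCLSID db "SOFTWARE\Classes\%s\CLSID", 0h  ; wsprintf template, relative to HKLM
  sEOL db 0ah, 0dh                        ; not referenced in this file
  CurrentCLSID dd 0h                      ; not referenced in this file
  ; IID_IUnknown {00000000-0000-0000-C000-000000000046} as a raw GUID:
  ; Data1 dd, Data2 dw, Data3 dw, Data4 db[8]
  IUnknown dd 0h
  dw 0h
  dw 0h
  db 0c0h, 00h, 00h, 00h, 00h, 00h, 00, 046h

  ; IID_IObjectSafety {CB5BDC81-93C1-11CF-8F20-00805F2CD064}, same layout
  IObjectSafety dd 0cb5bdc81h
  dw 093c1h
  dw 011CFh
  db 08fh, 020h, 00h, 80h, 05fh, 02ch, 0d0h, 064h
  ; INITCOMMONCONTROLSEX { dwSize = 8, dwICC = 1 (ICC_LISTVIEW_CLASSES) }
  InitCtrls dd 08h, 01h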
  66. .code
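  ;-----------------------------------------------------------------------
  ; INT_PTR CALLBACK DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
  ; Message handler of the main "ComFuzzer" dialog.
  ; WM_INITDIALOG: initialises COM, creates the two ListView columns
  ;                (final layout: column 0 = CLSID, column 1 = ProgID) and
  ;                fills the list by calling CountCLSIDnGUID.
  ; WM_CLOSE:      CoUninitialize, then EndDialog.
  ; Out:   eax = TRUE when the message was handled, FALSE otherwise.
  ; Regs:  esi/edi/ebx saved by USES (CountCLSIDnGUID clobbers ebx).
  ;-----------------------------------------------------------------------
  DlgProc proc USES esi edi ebx, hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
          .IF uMsg == WM_INITDIALOG
                  invoke CoInitialize, NULL
                  invoke GetDlgItem, [hWnd], IDC_LIST1
                  mov     [hList], eax
                  ; LVCF_FMT is needed for clmn.fmt to be honoured; the original
                  ; mask omitted it, so LVCFMT_CENTER was silently ignored.
                  mov     [clmn.imask], LVCF_FMT or LVCF_WIDTH or LVCF_TEXT or LVCF_SUBITEM
                  mov     [clmn.fmt], LVCFMT_CENTER
                  ; "ProgID" column inserted at index 0 ...
                  mov     [clmn.lx], 225
                  mov     [clmn.pszText], OFFSET szCl2
                  mov     [clmn.iSubItem], 0
                  invoke SendMessage, [hList], LVM_INSERTCOLUMN, 0, ADDR clmn
                  ; ... then "CLSID" also at index 0, which shifts "ProgID" to
                  ; index 1.  CountCLSIDnGUID writes the CLSID text to sub-item 0
                  ; and the ProgID to sub-item 1, matching this order.
                  mov     [clmn.lx], 275
                  mov     [clmn.pszText], OFFSET szCl1
                  mov     [clmn.iSubItem], 1
                  invoke SendMessage, [hList], LVM_INSERTCOLUMN, 0, ADDR clmn
                  mov     [item.iItem], 0         ; first row index for CountCLSIDnGUID
                  ; Synchronous: the whole registry walk, including every
                  ; CoCreateInstance in IsObjectSafety, runs before the dialog
                  ; is shown.
                  invoke CountCLSIDnGUID
          .ELSEIF uMsg == WM_CLOSE
                  invoke CoUninitialize
                  invoke EndDialog, [hWnd], 0
          .ELSE
                  mov     eax, FALSE
                  ret
          .ENDIF
          mov     eax, TRUE
          ret
  DlgProc endp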
  95.  
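  ;-----------------------------------------------------------------------
  ; BOOL IsSafeForInit(LPCSTR szCLSID)
  ; True when HKCR\CLSID\<szCLSID>\Implemented Categories has a subkey named
  ; CATID_SafeForInitializing ({7DD95802-...}), i.e. the class declares
  ; itself safe for initialisation from persisted data.
  ; In:    szCLSID = ANSI "{...}" string
  ; Out:   eax = 1 if the category subkey exists; 0 if it does not, or if the
  ;        key cannot be opened / enumerated.
  ; Uses:  globals szRegKey (key path, then each enumerated subkey name),
  ;        dwRegKey, dqFileTime as scratch.
  ; Regs:  ebx preserved; eax/ecx/edx clobbered.
  ;-----------------------------------------------------------------------
  IsSafeForInit proc szCLSID:DWORD
  LOCAL dwKey:DWORD
          push    ebx
          invoke wsprintf, offset szRegKey, offset szImplCat, [szCLSID]
          ; HKEY_CLASSES_ROOT = 80000000h, KEY_READ = 20019h
          invoke RegOpenKeyEx, HKEY_CLASSES_ROOT, offset szRegKey, 0, KEY_READ, addr dwKey
          test    eax, eax
          jnz     @@NoKey                 ; dwKey was never set: do not RegCloseKey it
          xor     ebx, ebx                ; ebx = subkey index
  @@Main_Loop:
          mov     [dwRegKey], 0400h       ; in/out size of szRegKey for RegEnumKeyEx
          invoke RegEnumKeyEx, [dwKey], ebx, offset szRegKey, offset dwRegKey, 0, 0, 0, offset dqFileTime
          test    eax, eax
          jnz     @@NotFound              ; ERROR_NO_MORE_ITEMS or failure: category absent
          inc     ebx
          ; Registry key names are case-insensitive, so compare likewise.
          invoke lstrcmpi, offset szCATID_SafeForInit, offset szRegKey
          test    eax, eax
          jnz     @@Main_Loop
          xor     eax, eax
          inc     eax                     ; eax = 1: category present
          jmp     short @@Close
  @@NotFound:
          xor     eax, eax
  @@Close:
          push    eax                     ; keep the result across RegCloseKey
          invoke RegCloseKey, [dwKey]
          pop     eax
          pop     ebx
          ret
  @@NoKey:
          xor     eax, eax
          pop     ebx
          ret
  IsSafeForInit endp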
  128.  
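  ;-----------------------------------------------------------------------
  ; BOOL IsSafeForScripting(LPCSTR szCLSID)
  ; True when HKCR\CLSID\<szCLSID>\Implemented Categories has a subkey named
  ; CATID_SafeForScripting ({7DD95801-...}).
  ; In:    szCLSID = ANSI "{...}" string
  ; Out:   eax = 1 if the category subkey exists; 0 if it does not, or if the
  ;        key cannot be opened / enumerated.
  ; Uses:  globals szRegKey (key path, then each enumerated subkey name),
  ;        dwRegKey, dqFileTime as scratch.
  ; Regs:  ebx preserved; eax/ecx/edx clobbered.
  ;-----------------------------------------------------------------------
  IsSafeForScripting proc szCLSID:DWORD
  LOCAL dwKey:DWORD
          push    ebx
          invoke wsprintf, offset szRegKey, offset szImplCat, [szCLSID]
          ; HKEY_CLASSES_ROOT = 80000000h, KEY_READ = 20019h
          invoke RegOpenKeyEx, HKEY_CLASSES_ROOT, offset szRegKey, 0, KEY_READ, addr dwKey
          test    eax, eax
          jnz     @@NoKey                 ; dwKey was never set: do not RegCloseKey it
          xor     ebx, ebx                ; ebx = subkey index
  @@Main_Loop:
          mov     [dwRegKey], 0400h       ; in/out size of szRegKey for RegEnumKeyEx
          invoke RegEnumKeyEx, [dwKey], ebx, offset szRegKey, offset dwRegKey, 0, 0, 0, offset dqFileTime
          test    eax, eax
          jnz     @@NotFound              ; ERROR_NO_MORE_ITEMS or failure: category absent
          inc     ebx
          ; Registry key names are case-insensitive, so compare likewise.
          invoke lstrcmpi, offset szCATID_SafeForScripting, offset szRegKey
          test    eax, eax
          jnz     @@Main_Loop
          xor     eax, eax
          inc     eax                     ; eax = 1: category present
          jmp     short @@Close
  @@NotFound:
          xor     eax, eax
  @@Close:
          push    eax                     ; keep the result across RegCloseKey
          invoke RegCloseKey, [dwKey]
          pop     eax
          pop     ebx
          ret
  @@NoKey:
          xor     eax, eax
          pop     ebx
          ret
  IsSafeForScripting endp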
  159.  
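  ;-----------------------------------------------------------------------
  ; BOOL IsKillBitted(LPCSTR szCLSID)
  ; True when HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
  ; <szCLSID> has a REG_DWORD "Compatibility Flags" value with bit 400h set
  ; (the kill bit).  Only the HKLM hive is consulted.
  ; In:    szCLSID = ANSI "{...}" string
  ; Out:   eax = 1 if kill-bitted; 0 if the key/value is absent, not a
  ;        REG_DWORD, or the bit is clear.
  ; Uses:  global szRegKey as scratch for the formatted key path.
  ; Regs:  eax/ecx/edx clobbered.
  ; Fixes vs. the original: the key was opened under HKCR (80000000h) where
  ; it does not exist, and the success path ended in "jz @@End" right after
  ; "inc eax" (ZF clear), so the result was always 0.
  ;-----------------------------------------------------------------------
  IsKillBitted proc szCLSID:DWORD
  LOCAL dwKey:DWORD
  LOCAL dwKeyType:DWORD
  LOCAL dwValue:DWORD
  LOCAL dwLenVal:DWORD
          mov     [dwLenVal], 4                   ; sizeof(dwValue), in/out for RegQueryValueEx
          mov     [dwKeyType], 0                   ; defined even if the query fails
          mov     [dwValue], 0
          invoke wsprintf, offset szRegKey, offset szIsKillBitted, [szCLSID]
          ; HKEY_LOCAL_MACHINE = 80000002h, KEY_READ = 20019h
          invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, offset szRegKey, 0, KEY_READ, addr dwKey
          test    eax, eax
          jnz     @@NoKey                          ; dwKey never set: nothing to close
          invoke RegQueryValueEx, [dwKey], offset szIsKillBitted2, 0, addr dwKeyType, addr dwValue, addr dwLenVal
          test    eax, eax
          jnz     @@NotSet                         ; value missing or buffer too small
          cmp     [dwKeyType], REG_DWORD
          jnz     @@NotSet
          test    [dwValue], 0400h                 ; kill-bit flag
          jz      @@NotSet
          xor     eax, eax
          inc     eax                              ; eax = 1: kill-bitted
          jmp     short @@Close
  @@NotSet:
          xor     eax, eax
  @@Close:
          push    eax                              ; keep the result across RegCloseKey
          invoke RegCloseKey, [dwKey]
          pop     eax
          ret
  @@NoKey:
          xor     eax, eax
          ret
  IsKillBitted endp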
  187.  
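  ;-----------------------------------------------------------------------
  ; BOOL IsObjectSafety(LPCSTR szCLSID)
  ; Instantiates the class in-process and asks it for IObjectSafety.
  ; In:    szCLSID = ANSI "{...}" string
  ; Out:   eax = 1 when CoCreateInstance succeeds and QueryInterface for
  ;        IID_IObjectSafety returns S_OK with a non-NULL pointer; 0 otherwise.
  ; Uses:  global wbuf as the WCHAR conversion target (its previous ANSI
  ;        contents are destroyed; callers must not pass wbuf as szCLSID).
  ; Regs:  eax/ecx/edx clobbered; esi is no longer touched (the original
  ;        clobbered a callee-saved register without saving it).
  ; Every interface obtained here is released before returning; the
  ; original leaked the IObjectSafety reference from QueryInterface.
  ;-----------------------------------------------------------------------
  IsObjectSafety proc szCLSID:DWORD
  LOCAL RetVal:DWORD
  LOCAL pUnk:DWORD
  LOCAL ppv2:DWORD
  LOCAL iCLSID[010h]:BYTE
          mov     [RetVal], 0
          mov     [pUnk], 0
          mov     [ppv2], 0
          ; wbuf is 0400h BYTES = 0200h WCHARs.  The original passed 0400h as
          ; the WCHAR count, so a long registry string could run past wbuf.
          invoke MultiByteToWideChar, CP_ACP, 0, [szCLSID], -1, offset wbuf, 0200h
          test    eax, eax
          jz      @@End                            ; conversion failed / buffer too small
          invoke CLSIDFromString, offset wbuf, addr iCLSID
          test    eax, eax
          jnz     @@End                            ; not a well-formed "{...}" string
          ; CLSCTX_INPROC_SERVER loads the server DLL into this process, so a
          ; faulty server takes the enumerator down with it.
          invoke CoCreateInstance, addr iCLSID, NULL, CLSCTX_INPROC_SERVER, offset IUnknown, addr pUnk
          test    eax, eax
          jnz     @@End
          cmp     [pUnk], 0
          jz      @@End
          ; pUnk->QueryInterface(&IID_IObjectSafety, &ppv2)  -- vtable slot 0
          lea     eax, [ppv2]
          push    eax
          push    offset IObjectSafety
          mov     ecx, [pUnk]
          push    ecx
          mov     edx, [ecx]
          call    dword ptr [edx]
          test    eax, eax
          jnz     @@ReleaseUnk
          cmp     [ppv2], 0
          jz      @@ReleaseUnk
          mov     [RetVal], 1
          ; ((IUnknown*)ppv2)->Release()  -- vtable slot 2
          mov     ecx, [ppv2]
          push    ecx
          mov     edx, [ecx]
          call    dword ptr [edx+8]
  @@ReleaseUnk:
          ; pUnk->Release()  -- vtable slot 2
          mov     ecx, [pUnk]
          push    ecx
          mov     edx, [ecx]
          call    dword ptr [edx+8]
  @@End:
          mov     eax, [RetVal]
          ret
  IsObjectSafety endp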
  228.  
  ;-----------------------------------------------------------------------
  ; Program entry point (named by "end Start").  Registers the ListView
  ; window class through InitCommonControlsEx(InitCtrls), runs the
  ; "ComFuzzer" dialog modally with DlgProc, then exits with code 0.
  ;-----------------------------------------------------------------------
  Start:
          push    NULL
          call    GetModuleHandle
          mov     [hModule], eax
          invoke InitCommonControlsEx, offset InitCtrls
          invoke DialogBoxParam, [hModule], offset DlgName, NULL, offset DlgProc, NULL
          invoke ExitProcess, 0
  235.  
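  ;-----------------------------------------------------------------------
  ; void CountCLSIDnGUID(void)
  ; Walks every subkey of HKLM\SOFTWARE\Classes that has a CLSID subkey
  ; (i.e. every ProgID), and adds a ListView row (sub-item 0 = CLSID string,
  ; sub-item 1 = ProgID) for each class that is marked safe for scripting
  ; AND safe for initialisation, is NOT kill-bitted, AND answers
  ; QueryInterface(IID_IObjectSafety).
  ; Uses:  globals dwMainRegKey, dwMainRegKeyCLSID, szSubKey, dwSubKeySize,
  ;        wbuf, szRegKey, Written, item, hList.
  ; Regs:  ebx = enumeration index, saved by USES (the original clobbered it
  ;        and relied on DlgProc's USES ebx).
  ; Fixes vs. the original: every path now closes dwMainRegKeyCLSID exactly
  ; once (the success path and a failed RegQueryValue leaked it, a failed
  ; RegOpenKeyEx closed the previous iteration's handle again), dwMainRegKey
  ; is closed on exit, and the manual NUL store at wbuf+Written -- one past
  ; the buffer for a 0400h-byte value -- is gone (RegQueryValue terminates).
  ;-----------------------------------------------------------------------
  CountCLSIDnGUID proc USES ebx
          ; HKEY_LOCAL_MACHINE = 80000002h, KEY_READ = 20019h
          invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, offset szMainRegKey, 0, KEY_READ, offset dwMainRegKey
          test    eax, eax
          jnz     Done                             ; nothing opened, nothing to close
          xor     ebx, ebx
  MainLoop:
          mov     [dwSubKeySize], 0400h
          invoke RegEnumKeyEx, [dwMainRegKey], ebx, offset szSubKey, offset dwSubKeySize, 0, 0, 0, offset dqFileTime
          test    eax, eax
          jnz     CloseMain                        ; ERROR_NO_MORE_ITEMS (or failure): finished
          inc     ebx
          ; Open SOFTWARE\Classes\<subkey>\CLSID; subkeys without one are skipped.
          invoke wsprintf, offset wbuf, offset szMainRegKeyCLSID, offset szSubKey
          invoke RegOpenKeyEx, HKEY_LOCAL_MACHINE, offset wbuf, 0, KEY_READ, offset dwMainRegKeyCLSID
          test    eax, eax
          jnz     MainLoop
          ; wbuf = default value of ...\CLSID, the "{...}" string
          mov     [Written], 0400h
          invoke RegQueryValue, [dwMainRegKeyCLSID], 0, offset wbuf, offset Written
          test    eax, eax
          jnz     NextSubKey
          invoke IsSafeForScripting, offset wbuf
          test    eax, eax
          jz      NextSubKey
          invoke IsSafeForInit, offset wbuf
          test    eax, eax
          jz      NextSubKey
          invoke IsKillBitted, offset wbuf
          test    eax, eax
          jnz     NextSubKey
          ; IsObjectSafety writes its WCHAR conversion into wbuf, so give it a
          ; separate copy of the CLSID string in szRegKey (free again here).
          mov     [Written], 0400h
          invoke RegQueryValue, [dwMainRegKeyCLSID], 0, offset szRegKey, offset Written
          test    eax, eax
          jnz     NextSubKey
          invoke IsObjectSafety, offset szRegKey
          test    eax, eax
          jz      NextSubKey
          ; Restore the ANSI CLSID string in wbuf for the ListView row.
          mov     [Written], 0400h
          invoke RegQueryValue, [dwMainRegKeyCLSID], 0, offset wbuf, offset Written
          test    eax, eax
          jnz     NextSubKey
          ; LVIF_TEXT only: LVCF_SUBITEM is an LVCOLUMN flag, not an LVITEM one.
          mov     [item.imask], LVIF_TEXT
          mov     [item.pszText], OFFSET wbuf
          mov     [item.iSubItem], 0
          invoke SendMessage, [hList], LVM_INSERTITEM, 0, ADDR item   ; new row: CLSID
          mov     [item.pszText], OFFSET szSubKey
          mov     [item.iSubItem], 1
          invoke SendMessage, [hList], LVM_SETITEM, 0, ADDR item      ; same row: ProgID
          inc     [item.iItem]
  NextSubKey:
          invoke RegCloseKey, [dwMainRegKeyCLSID]
          jmp     MainLoop
  CloseMain:
          invoke RegCloseKey, [dwMainRegKey]
  Done:
          ret
  CountCLSIDnGUID endp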
  289.  
  290. end Start