Sunday, January 06, 2008

axman icardie.dll

Today I gave http://www.metasploit.com/users/hdm/tools/axman/ a try on icardie.dll. axman is a somewhat dated (August 2006) but apparently still useful tool.
Well, at first I let axman run its normal fuzzing tests against my fully patched Windows XP system and guess: Boom. IE7 crashed. To be more precise: some component/ActiveX/... inside IE7 crashed and took IE7 down with it.
Some more digging revealed that dao360.dll is old. Updating the jet4 engine with SP8 fails though because the service pack claims that a newer version is already installed...

After this promising start I let axman work on the classid {19916E01-B44E-4e31-94A4-4696DF46157B} which is, you guessed it: "InformationCardSigninHelper Class".


var ax_name = '{19916E01-B44E-4e31-94A4-4696DF46157B}';
ax[ax_name] = new Array();
ax[ax_name]['Info'] = 'InformationCardSigninHelper Class';
ax[ax_name]['Server'] = 'C:\\WINDOWS\\system32\\icardie.dll';
ax[ax_name]['SafeScript'] = new Array(3, 1);
ax[ax_name]['FunctionCount'] = 22;
ax[ax_name]['Functions'] = new Array();
ax[ax_name]['Functions'][0] = new Array();
ax[ax_name]['Functions'][1] = new Array();
ax[ax_name]['Functions'][2] = new Array();
ax[ax_name]['Functions'][3] = new Array();
ax[ax_name]['Functions'][4] = new Array();
ax[ax_name]['Functions'][5] = new Array();
ax[ax_name]['Functions'][6] = new Array();
ax[ax_name]['Functions'][7] = new Array();
ax[ax_name]['Functions'][7]['Name'] = 'isInstalled';
ax[ax_name]['Functions'][7]['Return'] = 'VARIANT_BOOL';
ax[ax_name]['Functions'][7]['ArgCount'] = 0;
ax[ax_name]['Functions'][7]['Args'] = new Array();
ax[ax_name]['Functions'][7]['Type'] = 'PropGet';
ax[ax_name]['Functions'][8] = new Array();
ax[ax_name]['Functions'][8]['Name'] = 'PrivacyUrl';
ax[ax_name]['Functions'][8]['Return'] = 'BSTR';
ax[ax_name]['Functions'][8]['ArgCount'] = 0;
ax[ax_name]['Functions'][8]['Args'] = new Array();
ax[ax_name]['Functions'][8]['Type'] = 'PropGet';
ax[ax_name]['Functions'][9] = new Array();
ax[ax_name]['Functions'][9]['Name'] = 'PrivacyUrl';
ax[ax_name]['Functions'][9]['Return'] = 'void';
ax[ax_name]['Functions'][9]['ArgCount'] = 1;
ax[ax_name]['Functions'][9]['Args'] = new Array();
ax[ax_name]['Functions'][9]['Args'][0] = 'BSTR';
ax[ax_name]['Functions'][9]['Type'] = 'PropPut';
ax[ax_name]['Functions'][10] = new Array();
ax[ax_name]['Functions'][10]['Name'] = 'PrivacyVersion';
ax[ax_name]['Functions'][10]['Return'] = 'VARIANT';
ax[ax_name]['Functions'][10]['ArgCount'] = 0;
ax[ax_name]['Functions'][10]['Args'] = new Array();
ax[ax_name]['Functions'][10]['Type'] = 'PropGet';
ax[ax_name]['Functions'][11] = new Array();
ax[ax_name]['Functions'][11]['Name'] = 'PrivacyVersion';
ax[ax_name]['Functions'][11]['Return'] = 'void';
ax[ax_name]['Functions'][11]['ArgCount'] = 1;
ax[ax_name]['Functions'][11]['Args'] = new Array();
ax[ax_name]['Functions'][11]['Args'][0] = 'VARIANT*';
ax[ax_name]['Functions'][11]['Type'] = 'PropPut';
ax[ax_name]['Functions'][12] = new Array();
ax[ax_name]['Functions'][12]['Name'] = 'Issuer';
ax[ax_name]['Functions'][12]['Return'] = 'BSTR';
ax[ax_name]['Functions'][12]['ArgCount'] = 0;
ax[ax_name]['Functions'][12]['Args'] = new Array();
ax[ax_name]['Functions'][12]['Type'] = 'PropGet';
ax[ax_name]['Functions'][13] = new Array();
ax[ax_name]['Functions'][13]['Name'] = 'Issuer';
ax[ax_name]['Functions'][13]['Return'] = 'void';
ax[ax_name]['Functions'][13]['ArgCount'] = 1;
ax[ax_name]['Functions'][13]['Args'] = new Array();
ax[ax_name]['Functions'][13]['Args'][0] = 'BSTR';
ax[ax_name]['Functions'][13]['Type'] = 'PropPut';
ax[ax_name]['Functions'][14] = new Array();
ax[ax_name]['Functions'][14]['Name'] = 'issuerPolicy';
ax[ax_name]['Functions'][14]['Return'] = 'BSTR';
ax[ax_name]['Functions'][14]['ArgCount'] = 0;
ax[ax_name]['Functions'][14]['Args'] = new Array();
ax[ax_name]['Functions'][14]['Type'] = 'PropGet';
ax[ax_name]['Functions'][15] = new Array();
ax[ax_name]['Functions'][15]['Name'] = 'issuerPolicy';
ax[ax_name]['Functions'][15]['Return'] = 'void';
ax[ax_name]['Functions'][15]['ArgCount'] = 1;
ax[ax_name]['Functions'][15]['Args'] = new Array();
ax[ax_name]['Functions'][15]['Args'][0] = 'BSTR';
ax[ax_name]['Functions'][15]['Type'] = 'PropPut';
ax[ax_name]['Functions'][16] = new Array();
ax[ax_name]['Functions'][16]['Name'] = 'value';
ax[ax_name]['Functions'][16]['Return'] = 'BSTR';
ax[ax_name]['Functions'][16]['ArgCount'] = 0;
ax[ax_name]['Functions'][16]['Args'] = new Array();
ax[ax_name]['Functions'][16]['Type'] = 'PropGet';
ax[ax_name]['Functions'][17] = new Array();
ax[ax_name]['Functions'][17]['Name'] = 'value';
ax[ax_name]['Functions'][17]['Return'] = 'void';
ax[ax_name]['Functions'][17]['ArgCount'] = 1;
ax[ax_name]['Functions'][17]['Args'] = new Array();
ax[ax_name]['Functions'][17]['Args'][0] = 'BSTR';
ax[ax_name]['Functions'][17]['Type'] = 'PropPut';
ax[ax_name]['Functions'][18] = new Array();
ax[ax_name]['Functions'][18]['Name'] = 'TokenType';
ax[ax_name]['Functions'][18]['Return'] = 'BSTR';
ax[ax_name]['Functions'][18]['ArgCount'] = 0;
ax[ax_name]['Functions'][18]['Args'] = new Array();
ax[ax_name]['Functions'][18]['Type'] = 'PropGet';
ax[ax_name]['Functions'][19] = new Array();
ax[ax_name]['Functions'][19]['Name'] = 'TokenType';
ax[ax_name]['Functions'][19]['Return'] = 'void';
ax[ax_name]['Functions'][19]['ArgCount'] = 1;
ax[ax_name]['Functions'][19]['Args'] = new Array();
ax[ax_name]['Functions'][19]['Args'][0] = 'BSTR';
ax[ax_name]['Functions'][19]['Type'] = 'PropPut';
ax[ax_name]['Functions'][20] = new Array();
ax[ax_name]['Functions'][20]['Name'] = 'RequiredClaims';
ax[ax_name]['Functions'][20]['Return'] = 'IUnknown*';
ax[ax_name]['Functions'][20]['ArgCount'] = 0;
ax[ax_name]['Functions'][20]['Args'] = new Array();
ax[ax_name]['Functions'][20]['Type'] = 'PropGet';
ax[ax_name]['Functions'][21] = new Array();
ax[ax_name]['Functions'][21]['Name'] = 'OptionalClaims';
ax[ax_name]['Functions'][21]['Return'] = 'IUnknown*';
ax[ax_name]['Functions'][21]['ArgCount'] = 0;
ax[ax_name]['Functions'][21]['Args'] = new Array();
ax[ax_name]['Functions'][21]['Type'] = 'PropGet';

I am happy that this test finished without crashing.
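
As an added example (not part of the original post and not axman's own code), the definition above can be reduced to an inventory of what a page's script can read and what it can set on the control. `summarize` and `sampleDefinition` are hypothetical names, and the sample is a constructed subset of the listing in the same array layout.

```javascript
// Added example: summarise an axman-style definition into readable/writable properties.
// Slots without a Name (indexes 0-6 in the listing above) are counted and skipped.
function summarize(def) {
  const props = Object.create(null); // no inherited keys, so a property called 'constructor' is safe
  let unnamed = 0;
  for (const f of def['Functions']) {
    if (!f || !f['Name']) { unnamed++; continue; }
    const p = props[f['Name']] || (props[f['Name']] = { get: null, put: null });
    if (f['Type'] === 'PropGet') p.get = f['Return'];
    else if (f['Type'] === 'PropPut') p.put = Array.from(f['Args']);
  }
  const names = Object.keys(props);
  return {
    info: def['Info'],
    server: def['Server'],
    unnamed,
    // Getter only: script can read the value but not set it.
    readOnly: names.filter(n => props[n].get && !props[n].put),
    // Setter present: script-supplied data reaches the control through these.
    writable: names.filter(n => props[n].put)
                   .map(n => n + '(' + props[n].put.join(', ') + ')'),
    // The declared FunctionCount should match the number of slots listed.
    countMismatch: def['Functions'].length !== def['FunctionCount'],
  };
}

// Constructed sample: a subset of the definition above, in the same shape.
function sampleDefinition() {
  const d = new Array();
  d['Info'] = 'InformationCardSigninHelper Class';
  d['Server'] = 'C:\\WINDOWS\\system32\\icardie.dll';
  d['FunctionCount'] = 11; // 7 empty slots + 4 named entries in this subset
  d['Functions'] = new Array();
  for (let i = 0; i < 7; i++) d['Functions'][i] = new Array();
  const add = (name, ret, args, type) => {
    const f = new Array();
    f['Name'] = name; f['Return'] = ret; f['ArgCount'] = args.length;
    f['Args'] = args; f['Type'] = type;
    d['Functions'].push(f);
  };
  add('isInstalled', 'VARIANT_BOOL', [], 'PropGet');
  add('PrivacyUrl', 'BSTR', [], 'PropGet');
  add('PrivacyUrl', 'void', ['BSTR'], 'PropPut');
  add('RequiredClaims', 'IUnknown*', [], 'PropGet');
  return d;
}

console.log(summarize(sampleDefinition()));
```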
