Uninformed: Informative Information for the Uninformed

Vol 1» 2005.May


Automation with Scripting

An abstract application of this payload would be to create an ActiveX control that provides a scriptable interface to the machine that it is loaded on. This would let an attacker interface with the generic ActiveX control via JavaScript or VBScript in a manner that would allow for easy automation and control of that machine. For instance, the ActiveX control could provide, via its COM interface or interfaces, a scripting-accessible API to things like the filesystem, networking, the registry, and other core components of the operating system. The primary benefit of implementing an ActiveX control that provides access to components such as these is that automated code can be written in a browser-supported scripting language rather than having to modify the ActiveX control itself each time a new feature is to be added. The use of a scripting interface can be seen as a more flexible method of interacting with a machine, though it does come at the cost of requiring the ActiveX control to expose enough of the operating system's feature set to make it useful.