Vol 9» 2008.Jan


First of all, I'd like to explain what this paper is all about, and especially, what it is not. A few months ago I got into the technical details of ActiveX for the first time. Prior to this point I only had some vague ideas and a general understanding of what it is and how it works. What I did first is probably quite obvious: I googled. To my surprise though, I could not find a single paper discussing ActiveX and how to exploit it. My next step was to contact some generally smart and knowledgeable friends to harvest the required information from them. I was even more surprised to find that some of the most skilled people out there lacked the same knowledge that I did. Perhaps it's our common background, coming from the Unix/Linux world, but whatever the reason, I had to work to collect the information I now possess. But still, I feel like I'm the one-eyed man explaining what the world looks like to the blind.

The fact that there are tons of ActiveX exploits on Milw0rm would suggest that the knowledge is out there by now. I wonder why no one took the time to write it all up so the less knowledgeable may get into this theater as well. It's the intention of this paper to fill this gap. If you already know everything about ActiveX, if you've found your own 0day and exploited it successfully, I probably can't teach you any new tricks. Everyone else I invite to read on.