Changeset 1492

Timestamp:

12/13/07 15:48:15 (9 months ago)

Author:

jose

Message:

HP Info 1.x ActiveX exploits
via http://www.anspi.pl/~porkythepig/hp-issue/kilokieubasy.txt

detection, example code

Files:

• phoneyc/trunk/ActiveX.py (modified) (3 diffs)
• phoneyc/trunk/honeyclient.py (modified) (1 diff)
• phoneyc/trunk/modules/jscript/HPInfo.js (added)
• phoneyc/trunk/tests/hpinfo.html (added)
• phoneyc/trunk/tests/hpinfo1.html (added)
• phoneyc/trunk/tests/hpinfo2.html (added)
• phoneyc/trunk/tests/hpinfo3.html (added)

phoneyc/trunk/ActiveX.py

@@ -28 +28 @@
-        self.clsid['5D86DDB5-BDF9-441B-9E9E-D4730F4EE499'] = BitDefender()
-        self.clsid['E23FE9C6-778E-49D4-B537-38FCDE4887D8'] = VLC()
+        self.clsid['62DDEB79-15B2-41E3-8834-D3B80493887A'] = HPInfo()
-
-        self.clsname = {}
@@ -37 +38 @@
-        self.clsname['IERPCTL.IERPCTL'] = RealPlayer()
-        self.clsname['IERPCTL.IERPCTL.1'] = RealPlayer()
+        self.clsname['HPInfoDLL.HPInfo.1'] = HPInfo()
-
-        # set up the pure JScript version
@@ -199 +201 @@
-        self.cve_id = ('CVE-NOMATCH', )
-        self.description = 'VLC ActiveX Control'
+
+class HPInfo(ActiveX):
+    def __init__(self):
+        self.js_src = self.load_js_src('HPInfo.js')
+        self.classname = 'HPInfo'
+        self.cve_id = ('CVE-NOMATCH', )
+        self.description = 'HP Info Center ActiveX Control'

phoneyc/trunk/honeyclient.py

@@ -572 +572 @@
-                elif self.vbs_inScript:
-                    if v not in self.vbs_script_srcs: self.vbs_script_srcs.append(v)
+        # force a newline before the next script body
+        self.js_body.append('\n')
+        self.vbs_body.append('\n')
-        # when in a script body, set literal to be True. this is because
-        # SGML parsers will intercept things like foo<bar and '<v:rect'