Some months ago I was working with some people on a great idea for a wicked ActiveX vulnerability project.  At the time I knew of two fuzzers out of the gate, AxMan and COMRaider.  Both had their drawbacks for our purposes.  The biggest thing was that we needed to be able to script it all out.  I kept looking and came across axfuzz, but felt it a bit gnarly to futz with it’s source on a deadline.  Anyway, that’s all I’ll say about that…I have the feeling they may still be pursuing this project.  ::shhh::

That’s not why you called though.  The point is, there just wasn’t a lot in the way of solid console based ActiveX fuzzers.   Then I read a sweet research paper by CERT on how they had discovered and pulled down thousands of ActiveX controls for their fuzzing pleasure and found plenty of potential vulnerabilities.  “Awesome!” I said.  This would be perfect.  That’s when I found that it hadn’t been officially released.  Now it has!

Some hotness around Dranzer is that it’ll fuzz like hell and spit the results to an output file.  It can also skip baselines or run against specific libs.  Very cool stuff indeed.  Check out the Dranzer project.

p.s. Put plenty of paper in your printer

Code ActiveX, CERT, Fuzzing, Windows