As promised, I have released my ActiveX fuzzing tool, aptly named AxMan
. This tool was used to discover and debug almost every single ActiveX flaw published during the Month of Browser Bugs. In addition to the MoBB issues, this tool discovered over 100 unique flaws on a Windows XP SP2 system with common third-party packages installed. I am releasing this tool without my blacklist.js file of discovered vulnerabilities; this should give the vendors some breathing room while they figure out how to address these problems. An online demonstration
of AxMan is available, but the interface is not designed to work across a slow network and a locally installed version will run much faster. Enjoy and happy bug hunting!