This post probably won't make sense to you unless you're a penetration tester. Let me take a stab at some context.
Pentesting is black-box testing for security problems. Chris and Mike have been doing a lot of pentesting of ActiveX controls. ActiveX controls are native X86 code packaged as DLLs that run in IE. They're very horrible, but big companies have tens of apps that rely on them.
You can think of ActiveX (AX) as the web extensions for Win32 COM, which is the "advanced" version of OLE, which is the mechanism that allows you to embed Excel spreadsheets in Word documents (by loading Excel as a DLL and giving it a window context). Ruby has support for OLE and for native Windows calls with Win32OLE.
What Chris has done here is build a system whereby he can take any AX DLL, use Ruby to find all the AX interfaces (they're registered, because AX uses COM), and then automatically generate a web server that will generate pathological inputs for each of them. So basically, you drop in the AX binary, and Chris' system automatically builds a torture test for it, without you even knowing what the AX control does.
This isn't our idea; I'm pretty sure we stole it from HD Moore.
Pentesting is black-box testing for security problems. Chris and Mike have been doing a lot of pentesting of ActiveX controls. ActiveX controls are native X86 code packaged as DLLs that run in IE. They're very horrible, but big companies have tens of apps that rely on them.
You can think of ActiveX (AX) as the web extensions for Win32 COM, which is the "advanced" version of OLE, which is the mechanism that allows you to embed Excel spreadsheets in Word documents (by loading Excel as a DLL and giving it a window context). Ruby has support for OLE and for native Windows calls with Win32OLE.
What Chris has done here is build a system whereby he can take any AX DLL, use Ruby to find all the AX interfaces (they're registered, because AX uses COM), and then automatically generate a web server that will generate pathological inputs for each of them. So basically, you drop in the AX binary, and Chris' system automatically builds a torture test for it, without you even knowing what the AX control does.
This isn't our idea; I'm pretty sure we stole it from HD Moore.