What it is:

An ActiveX control which I created in conjunction with Neil Ramsbottom (prior to this email/post Neil in part because of his becoming disenchanted with our chances of obtaining any monetary recompense for our combined work on this project, has graciously given to me full complete, and sole rights to the control) , that allows a Flash .swf movie embedded in a web page, to do anything from a web page or outlook express stationary that can be done from a stand alone player or from a users local pc keyboard. What the ActiveX control does is to allow a .swf flash movie to pass commands to windows via the FS command structure in flash via an embedded flash movie contained in a internet web page html file. What commands the flash movie sends to windows can be changed by just changing the flash .swf movie without having to change or recompile the ActiveX control, and which flash movie is used to pass commands to windows via the activex control can be changed by simply uploading a new text file (URL.txt) to the web page space the html and .swf flash movie and the activex control are being hosted at. To be more specific. The ActiveX control allows the passing of FS commands from the flash .swf movie embedded in a web page through the ActiveX control to the windows command interpreter, to be a little more specific, In other words, If the flash movie sends the FS command of "Shell" with the argument of "C:\windows\command.com /K ECHO Y|format a:" the page visitors computer will format the a:\ drive, **WITHOUT** the customary windows pop up warning box stating "Do you wish to run this program from it's current location or save to disk?" and without asking the web surfer if it is ok to do so; but instead goes ahead and formats the Floppy a:\ drive. Or as another example of what the ActiveX control flash .swf movie combination does, if the flash movie sends the FS command of "Shell" with the argument of "C:\windows\system\msconfig.exe" (and assuming a default install which would place the msconfig.exe file in the default location of "C:\windows\system\msconfig.exe"), the page visitors computer would start and run msconfig.exe without first asking "do you wish to run this program from it's present location or save it to disk" Using this combination ActiveX control and embedded .swf flash movie as stationary
in Outlook Express could be quite deadly to a computer system, if used inappropriately, and which is also one of the reasons I am releasing it here in the flash community, in the hope that those here will use it responsibly; because If used irresponsibly the combination of my the .swf movie and ActiveX control combination could be used for maliciousness. The URL to the .swf Flash movie the control pulls in, is contained in a text file (URL.txt) which is also kept online at the same web page space as the .swf flash movie and the ActiveX control. Using this method as a way to change which flash movie is used only requires uploading a new URL.txt to the ftp for the web page to be parsed, instead of changing the ActiveX control, or creating and compiling an new activex control, and or the flash movie. I have a harmless POC (Proof of Concept) up on line at, http://home.adelphia.net/~dinosoft/activex/aflash.html which you have to enter the page the first time with your security set to low (because I don't have an Authenticode signature or Verisign certificate to sign the control with, and if I did have either one and signed the control and marked it as safe for scripting then security would not have to be set to low and would offer to install and initialize at default security levels) and accept the instillation of the ActiveX control (if you don't lower your security and install the ActiveX control the page says "The menu system on this web page is in Flash Format If you wish to view this page you must accept the ActiveX control" If you do allow the ActiveX control to install the .swf embedded flash movie shows a small embedded flash .swf movie and 6 red buttons. Clicking on the top left hand red button under the words "Click Me" will run Sol.exe (it does however expect a default install and to find Sol.exe at c:\windows\sol.exe) without windows complaining "do you wish to run this program from it's present location or save it to disk" , the next or 2nd will run a VB msg box the 3rd will run the Microsoft Windows98 configuration utility "msconfig.exe" the 4th will run a VB (Visual Basic) infobox, the 5th will run the windows default audio cd player. The page assumes a default install of windows and expects to find msconfig.exe at C:\windows\system\msconfig.exe if it is not a default install or if the file is not in the location it expects to find it at it will give a "file not found" error. Of course the problems of files not being in the locations that are expected can easily be over come with a few well known programming techniques. I did not create this for it to be used for any malicious reasons; but rather as a useful module to help in the creation of some sort of easily configurable front end GUI for a program distributed on a CD, or as a GUI for a web biased program; because changing what the ActiveX does only requires changing the flash movie and not the ActiveX control and changing which flash movie the control uses only requires that the web based file "URL.txt" be changed to point to which ever .swf flash movie is to be used. Using this combination Flash .swf movie and ActiveX control as a GUI for a web based front end for a program would make it very easy to use for several different projects simultaneously during the development stages, and would drastically reduce the time from concept to deployment of any web based or CD-ROM projects. I have been sitting on this for almost 2 years so far ; because of the propensity of it being used for maliciousness, and my not having the time to make it safer. Basically I could take a lot of the ability for it to be used maliciously out ; but that would also necessarily take away a considerable amount of the power of the control which makes it's use desirable in the first place. I would sure like to see this put to good use for some sort of web based program. Both Paul Bryant(Sugien) & Neil Ramsbottom retain full copyrights to all parts of this; but grant to any developer the right to use this in any freeware application; but and if it is used as any part of any commercial program which is offered as either shareware or as a for sale program, then we both fully expect and require those whom wish to use this control for us to be contacted and arrangements made as to percentages for the licensing and or royalties for the use of this control. I may be contacted at owner@dino-soft.org to make arrangements and or agreements as to monetary re-imbursement for the use of the control in any shareware and or for sale programs and such) we do here by grant its use royalty free when used in any FREEWARE program; BUT the use of the control is only free when used in FREEWARE. I would greatly appreciate any comments or suggestions you may have for this. I would also entertain the idea of selling the full and complete rights and royalties making ability to this out right if the price were right.


Basically I guess I am tired of sitting on this and not having made a single solitary dollar from all my hard work; because of it being inherently dangerous, and also because I am permanently, quite ill physically and can not give my family all the things they need and almost none of the things they want that are beyond the bare necessity of life; because of my disabilities severely limiting my ability to obtain and then maintain gainful employment and being forced to support myself and family with the very small disability check from the Social Security Disability Government offices and that limits my monetary resources . I have been sitting on this for almost 2 years in an effort to try and prevent anyone from mis-using my activex control in conjunction with a web hosted .swf flash movie and by licensing my activex control to a company or organization and or development house with some type of custom edition of my control, made exclusively for any web page or flash developer that I would be positive because of there being well known that would NOT use it for any maliciousness.
I had even recently considered letting some companies use it to install some type of back door spyware onto the page visitors computer much as what comet curson did; but using my control it would be considerably easier to install something like comet cursor without the user ever knowing it had been install and sending information back to those that installed it via a web page and flash; because more then likely the page visitor would think the activex control they just accepted and installed was to enable the flash movie. Also because of an ever expanding user base of those that have allowed flash to be installed on there machine it is now quite possible that most all web surfers would blindly allow any activex control that said it needed to install an activex control, in order for the flash to run.
I sincerely hope, you and or no one else in the flash community misconstrue my intentions in doing this as any type of extortion; because this is ABSOLUTELY NOT my intention nor desire and the furthest thing from my true intentions. I simply would like to make some money back as recompense for all my hard work on this. I intended this as a tool to vastly speed up the time that is normally required from the idea concept and the time the development is completed and the idea is deployed and give the flash community a new useful tool to do so. With my control it is now possible to control ANY windows procedure by simply sending FS commands via a flash movie embedded on a web page and thusly do anything from a flash movie embedded in a web page that prior to the creation and use, of my control could only be accomplished using a downloaded stand alone player.
I am currently trying to find companies that would be interested in my control or someone (like macromedia) to purchase it out right and then that company could handle the licensing of it or should they think it too powerful a tool to be allowed to be released, if they were to purchase the full and complete rights to the control it would be there procreative if they decided it would be better for the flash community if the control were never released and having purchased the full rights they could then require as part of the tears of sale insist that a non-disclosure as to the methods used to create the control and they by drastically reduce the odds that someone else might also create there own version of the control. Also as part of the contract for the full and complete sale of all rights that the source code never be released nor discussed in any public or private forum. I am sure those here know of the extreme potential to drastically reduce the time from concept to deployment and in the case of a web application all that would be needed would be to create the application using the regular methods then by simply applying my control to a flash movie any regular application could be turned into a net application with very little or no work, other then inclusion of my control on the web page and to have the page visitor accept and then install the control, and because of the popularity of flash and users being accustomed to accepting the activex associated with and needed to view a flash enabled web page, a page visitor would be very likely to blindly accept the control. It would be also quite conceivable and very easy to even control every aspect of windows it's self and could in fact just be a windows skinner and have a more or less flash overlay for windows all managed from a web page.
I have withheld releasing this because of the potential for being miss-used to create malicious web pages, and because of the fact if it were to be use for any malicious web pages of the negative impact on the entire flash community in as much that consumer confidence in the safety of flash movies would be drastically shaken. I chose this time to do this because of the recent security hole being published concerning the stand alone player, and I figured seeing as how consumer may confuse this with that and there for the impact of any adverse reactions to my control would able diminished and there by reducing any negative impact on the flash community at large , and likewise any script kiddies that might get hold of my control would confuse it with the stand alone player and maybe not try to use my control for any maliciousness.
What I am trying to say in a long round about way, is that if I can NOT find someone or some company to either license my control on a per use basis, or buy outright ALL exclusive rights to it including a non-disclosure agreement in which I would agree to NEVER release in part or full disclosure or any private or public discussion of the means or the methods used to accomplish what my activex control and flash movie does, even including how it uses the control to parse the web site for a text file which contains the URL to where and which flash movie the activex control uses for the source code required to recreate my control or any part of it. If however I can NOT sell it outright or license it on a per use contract, I fully intend to release it as either freeware supported by donations and or as shareware; because even though I know I will most probably receive little or NO funds using either of these two methods I figure if I receive anything at all it would be better then receiving what I have up to this point and that is nothing.



If this forum is not appropriate for the announcement of the release of this then I apologize in advance for any problems this may or may not have caused.


Best Regards:

Paul M. Bryant Sr.

/}
@###{ ]::::::Dino-Soft Software::::::>
\}
https://www.paypal.com/refer/pal=dinosoft%40adelphia.net
Click on the above for the fastest & safest way to send money




[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/53/10170#10170