Flashriot - Using Flashbang for bulk analysis

22 May 2015 Categories: Hacks Tags: tools

I recently had the necessity to test multiple flash files for XSS. Flashbang is an awesome tool for this kind of work. Since Flashbang needs a browser to run, the only way to automate it for multiple files is to use a headless browser like PhantomJS. So, it was easy to build a wrapper script as I know my way around Flashbang.


The least amount of time for this whole tool was spent for deciding its name i.e 1 second, hence the misleading name. The wrapper script is available at github.com/tunnelshade/flashriot. Some key things on using this tool:

  • PhantomJS, Python2 and Flashbang itself are necessary to run this. If you are on OSX, you can install phantomjs using homebrew.
  • Run the shell script using proper arguments.

    bash ./flashriot.sh ~/workspace/flash-files/ ~/workspace/Flashbang/

  • Keep cheking the window periodically. Even if the script hangs, use Ctrl+C and start the script again. Flashriot will only run flashbang on unprocessed files.
  • The output for each flash file is written to a text file with the same name. For a vulnerable ZeroClipboard.swf, we have the following ZeroClipboard.txt.

    ==> ZeroClipboard.txt <== ======================== Detected Flash variables ======================== id:eval width height ======================== =================== Detected Sink calls =================== --------------- Flash variables --------------- {"id":"someDummyPayloadWhichHasToBeThereInOnePiece","width":"4232","height":"2079"} ---- Sink ---- eval --------- Sink Data --------- try {__flash__toXML(ZeroClipboard.dispatch("someDummyPayloadWhichHasToBeThereInOnePiece","load",null));} catch (e) {"<undefined/>";} ------------------ Replaced Sink Data ------------------ try {__flash__toXML(ZeroClipboard.dispatch("@@@id@@@","load",null));} catch (e) {"<undefined/>";} ------------------- Vulnerable variable ------------------- id ===================

  • After completion, just skim through the file outputs. I use the following command to see the file specific output.

    bash tail -n +1 *.txt

  • Sometimes, it is benificial to see the console output as well. For example from the following console output we can understand that some kind of request was done and parsing failed. This mostly happens when a valid xml file is not supplied which might be due to an improper path in a flash variable. Flashbang is not yet smart enough to detect a XML file call and fuzz using a XML file. If implemented, this will be awesome.

    ```bash Going to fuzz /Users/tunnelshade/workspace/src/github.com/cure53/Flashbang/flash-files/files/tagcloud.swf Using url: ———— Launching new instance ———— SyntaxError in ToXML in toXML in ASXML in ASXML in apply in asCallProperty
    :7 in fn251 in boundMethod in processListeners in doDispatchEvent in dispatchEventFunction in asCallProperty
    :13 in EventDispatcher$$BgdispatchEvent in asCallProperty
    :6 in URLLoader$$G_muXFIonStreamComplete
    :0 in URLLoader$$G_muXFIonStreamComplete in processListeners in doDispatchEvent in dispatchEvent in onclose in onreadystatechange   Done, now proceeding to clean up   ------------ Killing used instance ------------   ------------ Launching new instance ------------   Done, now proceeding to clean up   ------------ Killing used instance ------------   ------------ Launching new instance ------------   Done, now proceeding to clean up   ------------ Killing used instance ------------   ```

Bug Hunters!

  • When bug hunting, search for all flash files for the domains. Either use google dorking (site: ext:swf) or thedumpster to gather all flash file urls.
  • Then use wget or similar tool to download them into a folder.
  • Run Flashriot on those files.
  • BOOM!! for any bugs you might find.

    bash $ mkdir hunting; cd hunting; $ python3 thedumpster.py -a "ext:swf" -o urls.txt swag_seller.com $ wget -i urls.txt $ sh flashriot.sh ./ ~/workspace/Flashbang $ tail -n +1 *.txt

comments powered by Disqus