Flashriot - Using Flashbang for bulk analysis

22 May 2015 Categories: Hacks Tags: tools

I recently had the necessity to test multiple flash files for XSS. Flashbang is an awesome tool for this kind of work. Since Flashbang needs a browser to run, the only way to automate it for multiple files is to use a headless browser like PhantomJS. So, it was easy to build a wrapper script as I know my way around Flashbang.

Usage

The least amount of time for this whole tool was spent for deciding its name i.e 1 second, hence the misleading name. The wrapper script is available at github.com/tunnelshade/flashriot. Some key things on using this tool:

  • PhantomJS, Python2 and Flashbang itself are necessary to run this. If you are on OSX, you can install phantomjs using homebrew.
  • Run the shell script using proper arguments.

      ./flashriot.sh ~/workspace/flash-files/ ~/workspace/Flashbang/
    
  • Keep cheking the window periodically. Even if the script hangs, use Ctrl+C and start the script again. Flashriot will only run flashbang on unprocessed files.
  • The output for each flash file is written to a text file with the same name. For a vulnerable ZeroClipboard.swf, we have the following ZeroClipboard.txt.

      ==> ZeroClipboard.txt <==
      ========================
      Detected Flash variables
      ========================
      id:eval
      width
      height
      ========================
      ===================
      Detected Sink calls
      ===================
      ---------------
      Flash variables
      ---------------
      {"id":"someDummyPayloadWhichHasToBeThereInOnePiece","width":"4232","height":"2079"}
      ----
      Sink
      ----
      eval
      ---------
      Sink Data
      ---------
      try {__flash__toXML(ZeroClipboard.dispatch("someDummyPayloadWhichHasToBeThereInOnePiece","load",null));} catch (e) {"<undefined/>";}
      ------------------
      Replaced Sink Data
      ------------------
      try {__flash__toXML(ZeroClipboard.dispatch("@@@id@@@","load",null));} catch (e) {"<undefined/>";}
      -------------------
      Vulnerable variable
      -------------------
      id
      ===================
    
  • After completion, just skim through the file outputs. I use the following command to see the file specific output.

       tail -n +1 *.txt
    
  • Sometimes, it is benificial to see the console output as well. For example from the following console output we can understand that some kind of request was done and parsing failed. This mostly happens when a valid xml file is not supplied which might be due to an improper path in a flash variable. Flashbang is not yet smart enough to detect a XML file call and fuzz using a XML file. If implemented, this will be awesome.

      Going to fuzz /Users/tunnelshade/workspace/src/github.com/cure53/Flashbang/flash-files/files/tagcloud.swf
      Using url: http://127.0.0.1:9000/tagcloud.swf
      ------------ Launching new instance ------------
      SyntaxError in ToXML
    
        http://127.0.0.1:9001/shumway/src/avm2/xml.js:506 in toXML
        http://127.0.0.1:9001/shumway/src/avm2/xml.js:717 in ASXML
        http://127.0.0.1:9001/shumway/src/avm2/xml.js:712 in ASXML
        http://127.0.0.1:9001/shumway/src/avm2/domain.js:266 in apply
        http://127.0.0.1:9001/shumway/src/avm2/runtime.js:498 in asCallProperty
        :7 in fn251
        http://127.0.0.1:9001/shumway/src/avm2/scope.js:178 in boundMethod
        http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:101 in processListeners
        http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:79 in doDispatchEvent
        http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:252 in dispatchEventFunction
        http://127.0.0.1:9001/shumway/src/avm2/runtime.js:498 in asCallProperty
        :13 in EventDispatcher$$BgdispatchEvent
        http://127.0.0.1:9001/shumway/src/avm2/runtime.js:498 in asCallProperty
        :6 in URLLoader$$G_muXFIonStreamComplete
        :0 in URLLoader$$G_muXFIonStreamComplete
        http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:133 in processListeners
        http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:79 in doDispatchEvent
        http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:223 in dispatchEvent
        http://127.0.0.1:9001/shumway/src/flash/net/URLStream.js:92 in onclose
        http://127.0.0.1:9001/shumway/examples/inspector/js/classes/BinaryFileReader.js:79 in onreadystatechange
      Done, now proceeding to clean up
      ------------ Killing used instance ------------
      ------------ Launching new instance ------------
      Done, now proceeding to clean up
      ------------ Killing used instance ------------
      ------------ Launching new instance ------------
      Done, now proceeding to clean up
      ------------ Killing used instance ------------
    

Bug Hunters!

  • When bug hunting, search for all flash files for the domains. Either use google dorking (site: ext:swf) or thedumpster to gather all flash file urls.
  • Then use wget or similar tool to download them into a folder.
  • Run Flashriot on those files.
  • BOOM!! for any bugs you might find.

      $ mkdir hunting; cd hunting;
      $ python3 thedumpster.py -a "ext:swf" -o urls.txt swag_seller.com
      $ wget -i urls.txt
      $ sh flashriot.sh ./ ~/workspace/Flashbang
      $ tail -n +1 *.txt
    
comments powered by Disqus