I recently had the necessity to test multiple flash files for XSS. Flashbang is an awesome tool for this kind of work. Since Flashbang needs a browser to run, the only way to automate it for multiple files is to use a headless browser like PhantomJS. So, it was easy to build a wrapper script as I know my way around Flashbang.

Usage

The least amount of time for this whole tool was spent for deciding its name i.e 1 second, hence the misleading name. The wrapper script is available at github.com/tunnelshade/flashriot. Some key things on using this tool:

• PhantomJS, Python2 and Flashbang itself are necessary to run this. If you are on OSX, you can install phantomjs using homebrew.

• Run the shell script using proper arguments.

    ./flashriot.sh ~/workspace/flash-files/ ~/workspace/Flashbang/
  

• Keep cheking the window periodically. Even if the script hangs, use Ctrl+C and start the script again. Flashriot will only run flashbang on unprocessed files.

• The output for each flash file is written to a text file with the same name. For a vulnerable ZeroClipboard.swf, we have the following ZeroClipboard.txt.

    :::bash
    ==> ZeroClipboard.txt <==
    ========================
    Detected Flash variables
    ========================
    id:eval
    width
    height
    ========================
    ===================
    Detected Sink calls
    ===================
    ---------------
    Flash variables
    ---------------
    {"id":"someDummyPayloadWhichHasToBeThereInOnePiece","width":"4232","height":"2079"}
    ----
    Sink
    ----
    eval
    ---------
    Sink Data
    ---------
    try {__flash__toXML(ZeroClipboard.dispatch("someDummyPayloadWhichHasToBeThereInOnePiece","load",null));} catch (e) {"<undefined/>";}
    ------------------
    Replaced Sink Data
    ------------------
    try {__flash__toXML(ZeroClipboard.dispatch("@@@id@@@","load",null));} catch (e) {"<undefined/>";}
    -------------------
    Vulnerable variable
    -------------------
    id
    ===================
  

• After completion, just skim through the file outputs. I use the following command to see the file specific output.

    :::bash
    tail -n +1 *.txt
  

• Sometimes, it is benificial to see the console output as well. For example from the following console output we can understand that some kind of request was done and parsing failed. This mostly happens when a valid xml file is not supplied which might be due to an improper path in a flash variable. Flashbang is not yet smart enough to detect a XML file call and fuzz using a XML file. If implemented, this will be awesome.

    :::bash
    Going to fuzz /Users/tunnelshade/workspace/src/github.com/cure53/Flashbang/flash-files/files/tagcloud.swf
    Using url: http://127.0.0.1:9000/tagcloud.swf
    ------------ Launching new instance ------------
    SyntaxError in ToXML
  
      http://127.0.0.1:9001/shumway/src/avm2/xml.js:506 in toXML
      http://127.0.0.1:9001/shumway/src/avm2/xml.js:717 in ASXML
      http://127.0.0.1:9001/shumway/src/avm2/xml.js:712 in ASXML
      http://127.0.0.1:9001/shumway/src/avm2/domain.js:266 in apply
      http://127.0.0.1:9001/shumway/src/avm2/runtime.js:498 in asCallProperty
      :7 in fn251
      http://127.0.0.1:9001/shumway/src/avm2/scope.js:178 in boundMethod
      http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:101 in processListeners
      http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:79 in doDispatchEvent
      http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:252 in dispatchEventFunction
      http://127.0.0.1:9001/shumway/src/avm2/runtime.js:498 in asCallProperty
      :13 in EventDispatcher$$BgdispatchEvent
      http://127.0.0.1:9001/shumway/src/avm2/runtime.js:498 in asCallProperty
      :6 in URLLoader$$G_muXFIonStreamComplete
      :0 in URLLoader$$G_muXFIonStreamComplete
      http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:133 in processListeners
      http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:79 in doDispatchEvent
      http://127.0.0.1:9001/shumway/src/flash/events/EventDispatcher.js:223 in dispatchEvent
      http://127.0.0.1:9001/shumway/src/flash/net/URLStream.js:92 in onclose
      http://127.0.0.1:9001/shumway/examples/inspector/js/classes/BinaryFileReader.js:79 in onreadystatechange
    Done, now proceeding to clean up
    ------------ Killing used instance ------------
    ------------ Launching new instance ------------
    Done, now proceeding to clean up
    ------------ Killing used instance ------------
    ------------ Launching new instance ------------
    Done, now proceeding to clean up
    ------------ Killing used instance ------------
  

Bug Hunters!

• When bug hunting, search for all flash files for the domains. Either use google dorking (site: ext:swf) or thedumpster to gather all flash file urls.

• Then use wget or similar tool to download them into a folder.

• Run Flashriot on those files.

• BOOM!! for any bugs you might find.

    :::bash
    $ mkdir hunting; cd hunting;
    $ python3 thedumpster.py -a "ext:swf" -o urls.txt swag_seller.com
    $ wget -i urls.txt
    $ sh flashriot.sh ./ ~/workspace/Flashbang
    $ tail -n +1 *.txt