Wednesday, June 27, 2012

Debugging SWF with Flash Debugger

Pretty much out of action for so many days now. This blog will discuss about the very widely used way of debugging SWF files. All you need is to download the latest version of "Flash Debugger" from Adobe download site and we are off.

After installing "Flash Debugger" there are configurations that need to be made so that the logs are directed to a text file. I'll not re-invent the wheel as Adobe has already explained it well here.

For purpose of demonstration we'll look into an SWF that's used in exploiting CVE-2011-2110. We'll not get into the details on the vulnerability but the malicious SWF that exploits this vulnerability uses the encoded PARAMETER passed to it to download the malware on to the machine. The request to the malicious SWF is seen in the below Wireshark request.

The SWF when loaded into the browser retrieves the value from the parameter "info" and decodes it to form an URL from where the end malware is downloaded. The decoding routine is fairly simple. At first the value is converted from hex to bin later an XOR ^ 122 is imposed on the converted data and the resultant  data is uncompressed. Part of the ActionScript that's responsible for decoding the value can be seen below.

The function "hexToBin" is a custom function and the ActionScript source for the same can be seen below.

We can rip these above mentioned code apart and put them into a "temp.as3" file. "As3compile.exe" from SWFTOOLS can be used to compile this ActionScript file. Analyzing the above code it's evident that the decoded URL is stored into "t_url" variable. All we need is to use the "trace" function which can be used to write the values of variables to the log file (either here -  "Documents and Settings\username\Application Data\Macromedia\Flash Player\Logs\flashlog.txt,or here  "Users\username\AppData\Roaming\Macromedia\Flash Player\Logs\flashlog.txt,").

So the modified code looks something like below,

package test
                import flash.utils.*;
                public class Main extends flash.display.MovieClip
                                public function Main()
                                                trace("Inside Main");
                                                var url:String;
                                                var t_url:flash.utils.ByteArray;
                                                var arg1 = "02E6B1525353CAA8AD4D48CAAAC9CEAA4949A84948AE0DAF51D3527B7A22A87CC1";
                                                t_url = hexToBin(arg1);
                                                var i = 0;
                                                while (i < t_url.length)
                                                                t_url[i] = t_url[i] ^ 122;
                                                url = String(t_url);
                                public function hexToBin(arg1:String):flash.utils.ByteArray
                                                var loc1 = null;
                                                var loc4 = 0;
                                                var loc2 = new flash.utils.ByteArray;
                                                var loc3 = arg1.length;
                                                loc2.endian = flash.utils.Endian.LITTLE_ENDIAN;
                                                while (loc4 < loc3)
                                                                loc1 = arg1.charAt(loc4) + arg1.charAt(loc4+1);
                                                                loc2.writeByte(parseInt(loc1, 16));
                                                                loc4 = loc4 + 2;
                                                return loc2;

When the above ActionScript is compiled you get a flash file as output. Opening the flash file in Internet Explorer will print the result decoded URL into the log file. This malicious flash file after exploiting the vulnerability downloaded an EXE from http://208[.]98[.]62[.]21/E[.]txt (this is the decoded value from the "info" parameter passed to SWF) which at the time was writing wasn't reachable.

1 comment: