Tuesday, April 12, 2016

Extracting Angler's inner SWF with Python

As everyone is aware, the Angler Exploit Kit hides the inner Flash file, the one that actually exploits the vulnerability, inside the binaryData of an outer Flash file. The outer Flash file is responsible for unpacking the inner Flash file and loading it.

When the outer Flash file executes, it fetches the binaryData, decodes it and loads it. To ease this step during analysis, I have come up with a small Python script that automates the extraction of the inner Flash file. Given the binaryData file as input, the script decodes the Flash file and writes it to disk for further analysis.


import zlib
import sys


def main():
    # Read the raw binaryData blob dumped from the outer SWF.
    data = bytearray(open(sys.argv[1], 'rb').read())
    # The first decoded byte is forced to 0x78 (120), the CMF byte of a zlib stream.
    key = data[0] ^ 120
    #if not (data[1] == data[2]):
    #    print "[*] Cannot recognize binary file"
    #    exit(1)
    _len = 0
    _length = len(data)
    # Every byte is XORed with the previous, still-encoded, byte.
    while _len < _length:
        byte = data[_len] ^ key
        key = data[_len]
        data[_len] = byte
        _len += 1

    # The decoded buffer is a zlib stream wrapping the inner SWF.
    data = zlib.decompress(bytes(data))
    f = open("output.swf", "wb")
    f.write(data)
    f.close()

    print("[*] Output under output.swf")


if __name__ == '__main__':
    main()
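The same decoding, written as an added example rather than the author's script, split into testable functions so it can be checked against a constructed fixture before pointing it at a real sample. The chain in the script reduces to plaintext[i] = binaryData[i] XOR binaryData[i-1], with plaintext[0] pinned to 0x78 (the 120 in the original), which is the zlib CMF byte; the decoded stream is inflated and the result is checked for an SWF signature (FWS, CWS or ZWS). The build_sample_binary_data() helper and SAMPLE_SWF are constructed test fixtures and are not taken from any Angler sample.

```python
import sys
import zlib

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
ZLIB_CMF = 0x78  # first byte of a zlib stream (deflate, 32K window); 120 in the original script


def xor_chain_decode(data):
    """Undo the byte-chaining XOR applied to the binaryData blob.

    Each plaintext byte is the XOR of the current and the previous encoded
    byte; the first plaintext byte is fixed at 0x78, which is exactly what
    the original script's ``key = data[0] ^ 120`` produces.
    """
    data = bytes(data)
    if not data:
        raise ValueError("empty binaryData")
    out = bytearray(len(data))
    out[0] = ZLIB_CMF
    for i in range(1, len(data)):
        out[i] = data[i] ^ data[i - 1]
    return bytes(out)


def extract_inner_swf(blob):
    """Decode, inflate and sanity-check the inner SWF; raises ValueError on junk input."""
    stream = xor_chain_decode(blob)
    try:
        swf = zlib.decompress(stream)
    except zlib.error as exc:
        raise ValueError("decoded bytes are not a zlib stream: %s" % exc)
    if swf[:3] not in SWF_SIGNATURES:
        raise ValueError("decompressed data lacks an SWF signature")
    return swf


def build_sample_binary_data(swf, first_byte=0x5A):
    """Constructed test fixture builder (assumption, not from a real sample):
    zlib-compress the SWF and apply the inverse chaining so that
    extract_inner_swf() has something to undo. first_byte is arbitrary because
    the decoder never depends on its value for plaintext[0]."""
    stream = zlib.compress(swf)
    assert stream[0] == ZLIB_CMF
    enc = bytearray(len(stream))
    enc[0] = first_byte
    for i in range(1, len(stream)):
        enc[i] = stream[i] ^ enc[i - 1]
    return bytes(enc)


# Constructed minimal "SWF": uncompressed signature, version 8, 40-byte file length, zero filler.
SAMPLE_SWF = b"FWS\x08" + (40).to_bytes(4, "little") + b"\x00" * 32
SAMPLE_BINARY_DATA = build_sample_binary_data(SAMPLE_SWF)


if __name__ == "__main__":
    # Usage: python extract.py <binaryData file>  (writes output.swf next to it)
    src = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(src, "rb").read() if src else SAMPLE_BINARY_DATA
    with open("output.swf", "wb") as f:
        f.write(extract_inner_swf(blob))
    print("[*] Output under output.swf")
```

Run without arguments it round-trips the constructed fixture; with a path it behaves like the original script. Rejecting input that does not inflate, or that inflates to something without an SWF signature, is what keeps a batch run over many dumped binaryData blobs from silently writing garbage.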

This script is known to work against Angler Flash exploits where the ActionScript code looks similar to the one below.


The input binaryData looks like,


and the decoded SWF file looks like,


Update: minor update to the script on 18th April 2016 (commented out the "if" block).
