FlasHack (II)

Last week we discussed how to capture the traffic between the Flash application and the server. This helps us to analyse the end-points in the application and determine the parameters we will be testing. Today we are going to the source code looking for those parameters…

First of all we need a decompiler, flasm. It decompiles Flash files into a kind of assembly (SWF bytecode), so we can analyze and modify the actions the application is performing under the hood. Download it and decompress it anywhere on your machine.

Secondly we need an application to test and decompile. We are going to use an example application that shows up on Bing when searching for "simple login in flash", and it is insecure.

The zip file contains two files: the .fla, which has the original source code, and the .swf, which has the compiled code and is the one we are going to analyze.


To extract the SWF bytecode we have to run flasm with the -d parameter. This writes the bytecode to stdout, so we need to redirect it into a file:

flasm.exe -d simple_login.swf > simple_login.txt

Opening it with a text editor reveals very simple code that is easy to understand:

push 'password'
getVariable
push '5pieces'
equals
not
branchIfTrue label1
gotoLabel 'welcome'

So, we have a variable password and we compare it against the string 5pieces. If the comparison is true we are in; if not, we have to guess again.


As you can see, writing the clear-text password in the Flash file is a really bad practice, but some people do it. With the same technique we can also read the URLs inside the file and discover which requests the Flash application is going to make.
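Rather than reading a flasm listing by hand, the two checks above (a variable compared against a string literal, and URL literals) can be automated for auditing your own SWF files. The script below is an added example, not part of the original post; the embedded dump is constructed to mirror the listing shown here, and the URL in it is a placeholder.

```python
import re

# Constructed flasm -d style listing, modelled on the snippet in the post
# (not the real output of simple_login.swf; the URL is a placeholder).
SAMPLE_DUMP = """
movie 'simple_login.swf' // flash 8, total frames: 2, frame rate: 12 fps
  frame 0
    push 'password'
    getVariable
    push '5pieces'
    equals
    not
    branchIfTrue label1
    gotoLabel 'welcome'
  label1:
    push 'http://login.example.invalid/check.php', 'GET'
    getURL2
  end
"""

# A push of exactly one single-quoted string literal.
PUSH_RE = re.compile(r"^push\s+'([^']*)'$")
# Any http(s) URL that appears as a quoted literal.
URL_RE = re.compile(r"'(https?://[^']+)'")


def find_hardcoded_comparisons(dump):
    """Return (variable, literal) pairs for the pattern
    push '<var>' / getVariable / push '<literal>' / equals,
    i.e. a runtime value compared against a secret baked into the SWF."""
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    hits = []
    for i in range(len(lines) - 3):
        m_var = PUSH_RE.match(lines[i])
        m_lit = PUSH_RE.match(lines[i + 2])
        if (m_var and lines[i + 1] == "getVariable"
                and m_lit and lines[i + 3] == "equals"):
            hits.append((m_var.group(1), m_lit.group(1)))
    return hits


def find_urls(dump):
    """Return the distinct URL literals in the listing, in order of appearance."""
    seen = []
    for url in URL_RE.findall(dump):
        if url not in seen:
            seen.append(url)
    return seen


if __name__ == "__main__":
    for var, lit in find_hardcoded_comparisons(SAMPLE_DUMP):
        print(f"hardcoded comparison: {var} == '{lit}'")
    for url in find_urls(SAMPLE_DUMP):
        print(f"endpoint: {url}")
```

Point it at a real `flasm -d` dump by reading the file into `dump` instead of using `SAMPLE_DUMP`; a hit means the secret is recoverable by anyone with the .swf, so the check has to move server-side.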

Next post, flash cookies!