Friday, September 25, 2009

Jsunpack-n update v0.3a: SWF parsing and Bug fixes release

The main new feature in this release is the "" file. As a standalone tool, you can run it like this:

$ ./ sample-swf-js.file
processing flash file [version 4] (length 115, actual length 115)
type=0x9 length=3 name=SetBackgroundColor
type=0x18 length=31 name=Protect
type=0xc length=46 name=DoAction
actionCode 0x83 len(42) ActionGetURL javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))
actionCode 0x0 len(0) unknownAction

tags (with counts) of length=0
End:1, ShowFrame:1
sample-swf-js.file ['javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))']

$ ./ sample-swf-url.file
processing flash file [version 8] (length 1125772, actual length 1125772)
type=0x45 length=4 name=FileAttributes
type=0x9 length=3 name=SetBackgroundColor
type=0xc length=65 name=DoAction
actionCode 0x83 len(45) ActionGetURL (_blank)
actionCode 0x96 len(12) ActionPush datatype[0]=string(text)
actionCode 0x1d len(0) ActionSetVariable

As you can see, both URLs and JavaScript can be embedded within Flash SWF files. jsunpack-n uses this module to follow those links and report any information it obtains.
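The tag walk behind output like the above can be sketched as follows. This is an added example, not jsunpack-n's own code: it reads an FWS or CWS file, steps through the tag records, and returns the URL and target strings of every ActionGetURL (0x83) record found in a DoAction (0x0c) tag. The function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

TAG_DOACTION = 0x0C    # "type=0xc ... name=DoAction" in the output above
ACTION_GETURL = 0x83   # "actionCode 0x83 ... ActionGetURL"

def iter_tags(data):
    """Yield (tag_code, payload) per tag; stops at End or truncated data."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file")
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4 if body else 0  # skip RECT, rate, count
    while pos + 2 <= len(body):
        code, length = divmod(struct.unpack_from("<H", body, pos)[0], 64)
        pos += 2
        if length == 0x3F and pos + 4 <= len(body):   # long form: 32-bit length
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            return
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                                 # End tag
            return

def geturl_strings(data):
    """Return [(url, target), ...] for ActionGetURL records in DoAction tags."""
    found = []
    for code, payload in iter_tags(data):
        pos = 0
        while code == TAG_DOACTION and pos < len(payload) and payload[pos]:
            action, alen = payload[pos], 0
            pos += 1
            if action >= 0x80:                        # these actions carry a 16-bit length
                alen = struct.unpack_from("<H", payload + b"\0\0", pos)[0]
                pos += 2
            if action == ACTION_GETURL:               # two NUL-terminated strings
                parts = payload[pos:pos + alen].split(b"\0") + [b""]
                found.append(tuple(p.decode("latin-1") for p in parts[:2]))
            pos += alen
    return found

# Constructed sample (not from the post): one DoAction tag holding one GetURL.
_ARGS = b"http://example.test/landing\0_blank\0"
_ACTIONS = bytes([ACTION_GETURL]) + struct.pack("<H", len(_ARGS)) + _ARGS + b"\0"
_BODY = (b"\0\0\x0c\x01\0" + struct.pack("<H", TAG_DOACTION << 6 | len(_ACTIONS))
         + _ACTIONS + b"\x40\0\0\0")   # empty RECT, 12 fps, 1 frame; ShowFrame, End
SAMPLE_FWS = b"FWS\x04" + struct.pack("<I", 8 + len(_BODY)) + _BODY
SAMPLE_CWS = b"CWS\x08" + struct.pack("<I", 8 + len(_BODY)) + zlib.compress(_BODY)
```

Calling geturl_strings on either sample returns the single (url, target) pair; a file cut off mid-tag yields only the tags that were complete.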

The changelog follows:

Updates 2009-09-25 version 0.3a
1) new extraction of URLs/JavaScript from Flash files (CWS/FWS) with
2) significant performance improvements in shellcode processing
3) bug fixes
3a) fixed tree structure of URLs (specific to pcap processing)
when a node could detach itself from the tree incorrectly
