$ ./swf.py sample-swf-js.file
processing flash file [version 4] (length 115, actual length 115)
type=0x9 length=3 name=SetBackgroundColor
type=0x18 length=31 name=Protect
type=0xc length=46 name=DoAction
actionCode 0x83 len(42) ActionGetURL javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))
actionCode 0x0 len(0) unknownAction
tags (with counts) of length=0
End:1, ShowFrame:1
sample-swf-js.file ['javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))']
$ ./swf.py sample-swf-url.file
processing flash file [version 8] (length 1125772, actual length 1125772)
type=0x45 length=4 name=FileAttributes
type=0x9 length=3 name=SetBackgroundColor
type=0xc length=65 name=DoAction
actionCode 0x83 len(45) ActionGetURL http://5173vip.seawww.cn/cuteqq.htm (_blank)
actionCode 0x96 len(12) ActionPush datatype[0]=string(text)
actionCode 0x1d len(0) ActionSetVariable
...
As you can see, both URLs and JavaScript can be embedded in Flash SWF files. jsunpack-n uses this module to follow those links and report any information it obtains.
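To show what the output above corresponds to in the file format, here is an added example (not jsunpack-n's swf.py) that walks the tags of an FWS/CWS file and pulls the URL and target strings out of ActionGetURL (0x83) records inside DoAction tags. The function names, the `MAX_BODY` decompression cap and the sample file with its `example.test` URL are constructed for illustration.

```python
import struct
import zlib

TAG_END, TAG_DOACTION, ACTION_GETURL = 0, 12, 0x83  # GetURL is actionCode 0x83
MAX_BODY = 64 << 20  # assumed cap on inflated size, so a CWS bomb cannot exhaust memory

def swf_tag_stream(data):
    """Return the tag stream of an FWS/CWS file, past the header fields."""
    sig, body = data[:3], data[8:]
    if sig == b"CWS":  # everything after the 8-byte header is zlib data
        body = zlib.decompressobj().decompress(body, MAX_BODY)
    if sig not in (b"FWS", b"CWS") or not body:
        raise ValueError("not a usable SWF file")
    nbits = body[0] >> 3  # RECT: 5-bit field width, then four fields of that width
    return body[(5 + 4 * nbits + 7) // 8 + 4:]  # +4 skips frame rate and frame count

def iter_tags(stream):
    pos, code = 0, None
    while code != TAG_END and pos + 2 <= len(stream):
        code, length = divmod(int.from_bytes(stream[pos:pos + 2], "little"), 64)
        pos += 2
        if length == 0x3F:  # long header: a 32-bit length follows
            length = int.from_bytes(stream[pos:pos + 4], "little")
            pos += 4
        yield code, stream[pos:pos + length]  # slice clamps on truncated files
        pos += length

def geturl_targets(data):
    """List (url, target) pairs from ActionGetURL records in DoAction tags."""
    found = []
    for code, payload in iter_tags(swf_tag_stream(data)):
        pos = 0
        while code == TAG_DOACTION and pos < len(payload) and payload[pos]:
            action = payload[pos]
            hdr = 3 if action >= 0x80 else 1  # actions >= 0x80 carry a 16-bit length
            alen = int.from_bytes(payload[pos + 1:pos + hdr], "little")
            if action == ACTION_GETURL:  # two NUL-terminated strings: URL, target
                args = payload[pos + hdr:pos + hdr + alen].split(b"\0") + [b"", b""]
                found.append(tuple(a.decode("latin-1") for a in args[:2]))
            pos += hdr + alen
    return found

# Constructed sample (not a real file): FWS v4 with one DoAction holding a GetURL.
_ARGS = b"http://example.test/landing.htm\0_blank\0"
_ACTS = struct.pack("<BH", ACTION_GETURL, len(_ARGS)) + _ARGS + b"\0"
_BODY = (b"\x00\x00\x0c\x01\x00" + struct.pack("<HI", 12 << 6 | 0x3F, len(_ACTS))
         + _ACTS + b"\x40\x00\x00\x00")  # empty RECT, 12 fps, 1 frame; ShowFrame, End
SAMPLE_FWS = b"FWS\x04" + struct.pack("<I", 8 + len(_BODY)) + _BODY
SAMPLE_CWS = b"CWS" + SAMPLE_FWS[3:8] + zlib.compress(_BODY)
```

Calling `geturl_targets(SAMPLE_FWS)` returns the embedded URL and its `_blank` target; a `javascript:` URL such as the one in the first run above comes back through the same path and can be handed to a JavaScript analyzer rather than fetched.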
The changelog follows:
Updates 2009-09-25 version 0.3a
1) new extraction of URLs/JavaScript from Flash files (CWS/FWS) with swf.py
2) significant performance improvements in shellcode processing
3) bug fixes
3a) fixed tree structure of urls (specific to pcap processing)
when a node could detach itself from the tree incorrectly