Action Message Format security audit shell
georgehedfors/AMFShell
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Introduction Action Message Format (AMF) is a binary format used to serialize ActionScript objects. It is used primarily to exchange data between an Adobe Flash application and a remote service, usually over the internet. Background When I was auditing the security of a content management system based on Flash, I quickly realized that the information that I could dig out by hand from the binary communication wouldn't take me the whole way. Burp Suite Pro, which I was using at the time has a neat feature that decodes the serialized communication on the fly. However, it doesn't provide an adequate way to manipulate. Therefore, I started investigating into possibilities of making a tool that could in fact communicate freely with the AMF gateway using its own protocol. After some investigation, I found PyAMF, which is a Python implementation of the AMF messaging protocol. The tool that I started making then turned into something that I'd like to call, a AMF Shell. AMFPHP Vulnerabilities There are a number of vulnerabilities that are standard with AMFPHP, which was the gateway software that I've constructed AMFShell around. By default, there is a so called "Service Browser" installed that allows you to to pretty much the same as my AMF Shell. It's typically installed in a path such as: http://www.victim.com/amfphp/browser However, most administrators are aware of this vulnerability and have removed the Flash page. What they usually haven't removed is the service files associated with it. They are typically located at: http://www.victim.com/amfphp/services/amfphp/DiscoveryServices.php DiscoveryService.php is the AMF class that the Service Browser calls on to do it's magic. This class can still be contacted using AMFShell for example. The vulnerability resides in the fact that the DiscoveryService class has methods that enumerates other local services and classes and returns them. The other vulnerability in AMFPHP is that it discloses the local path in case one is trying to use a non-existent class or method. What you'll get is something like this, when trying to access a class called 'asdf': The class {asdf} could not be found under the class path {/mnt/target03/350439/508174/www/web/content/amfphp/services/asdf.php} Yes, I've also been investigating into the possibility of directory traversal but have so far been unsuccessful. One of the reasons is that it converts dots '.' into slashes and is not subjected to hex or any other encoding. Available commands brute - Launches a brute force attack for method names to the selected class using common names. call methodName(args,..) - Call a method from the current class. Arguments may be single arguments or arrays: call methodName(['array','of','stuff']) call methodName(arg1,arg2,arg3) describe - Describes current class. Lists methods and arguments describe_all - Describes all classes, methods and their arguments and outputs to a file. list - Lists available classes use service.className - Change current class Usage example $ ./amfshell.py http://www.victim.com/amfphp/gateway.php [+] AMFPHP exists and appears to be vulnerable to 'DiscoveryService'. [*] To disable 'DiscoveryServices', remove /homepages/16/d264/htdocs/services/amfphp/DiscoveryService.php Welcome to Action Message Formate Shell by George Hedfors. Type 'help' for command list. (amfphp.DiscoveryService) list amfphp.DiscoveryService UserService (amfphp.DiscoveryService) use UserService (UserService) brute This may seriously harm your environment, are you sure? (y/N): y Testing 539 methods... Missing argument 1 for UserService::addUser() Missing argument 1 for UserService::getUser() Missing argument 1 for UserService::updateUser() (UserService) call getUser(admin) {"username": "admin", "password": "admin123", "id": "1"} What could possibly go wrong from here? :) Known bugs Some pages return HTML content instead of AMF when calling a method. This cannot be parsed by PyAMF but can easily be viewed using a sniffing tool, such as Wireshark.
About
Action Message Format security audit shell
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published