Unveiling Nuclear EK (III)

(See parts I and II of this series.)

In the previous post we were about to find out why the proxy did not identify the Flash object as application/x-shockwave-flash. Let's see.

(4) Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs

We extract the object Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs from Wireshark and check what type of file it is:

$ file Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs 
Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs: data

$ file --mime Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs 
Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs: application/octet-stream; charset=binary

$ hexdump Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs -n128 -C
00000000  5a 57 53 17 ad 23 00 00  3a 21 00 00 5d 00 00 20  |ZWS..#..:!..].. |
00000010  00 00 3b ff fc 8e 19 fa  df e7 66 08 a0 3d 3e 85  |..;.......f..=>.|
00000020  f5 75 6f d0 7e 61 35 1b  1a 8b 16 4d df 05 32 fe  |.uo.~a5....M..2.|
00000030  a4 4c 46 49 b7 7b 6b 75  f9 2b 5c 37 29 0b 91 37  |.LFI.{ku.+\7)..7|
00000040  01 37 0e e9 f2 e1 fc 9e  64 da 6c 11 21 33 ed a0  |.7......d.l.!3..|
00000050  0e 76 70 a0 cd 98 2e 76  80 f0 e0 59 56 06 08 e9  |.vp....v...YV...|
00000060  ca eb a2 c6 db 5a 86 7b  47 de 99 5d 68 76 38 16  |.....Z.{G..]hv8.|
00000070  bd 93 3c d3 d0 9e d3 55  63 5a da b0 db 27 e6 7c  |..<....UcZ...'.||
00000080

ZWS! The signature shows that the SWF file has been compressed with LZMA, which is done to keep the exploit from being detected by antivirus. That is also why the proxy does not identify it correctly: its type detection does not recognise the ZWS signature.

Now that our doubts are settled, what if we keep investigating this type of Flash file?

A quick Google search turns up several ways to unpack it and recover the original Flash file. In particular, I used the first result: swfzip.

$ python swfzip.py Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs exploit.swf
info : Input file: Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs
info : Output file: exploit.swf
info : Reading Bk8RH15VB1xLUk5SS1BXClYHDgVUBlNLV1UWVAkOGVQBTQZQVkQDXQs
info : lzma compressed swf detected.
info : Filesize in signature: 9133
info : Filesize decompressed: 9133
info : Generating uncompressed data
info : Compressing with zlib
info : Packing zlib header
info : Generating compressed data
File compressed with zlib, size decreased: -2% 

Notice: Recompressing may cause filesize increased

$ file exploit.swf 
exploit.swf : Macromedia Flash data (compressed), version 23

$ file --mime exploit.swf 
exploit.swf: application/x-shockwave-flash; charset=binary

$ hexdump exploit.swf -n128 -C
00000000  43 57 53 17 ad 23 00 00  78 9c 9d 7a 67 54 93 5b  |CWS..#..x..zgT.[|
00000010  b7 6e 12 08 a1 f7 de 3b  4a 0d 21 74 90 de 9b f4  |.n.....;J.!t....|
00000020  22 3d 24 10 3a 49 e8 20  45 8a 74 41 a4 29 82 20  |"=$.:I. E.tA.). |
00000030  4d 10 10 50 01 51 aa 80  28 4d 94 de 41 a5 89 74  |M..P.Q..(M..A..t|
00000040  e9 dc b8 f7 be e7 3b fb  dc 3b ee 8f bb fe ac 77  |......;..;.....w|
00000050  cd f2 cc 39 9f 39 b3 92  31 de 84 00 08 97 01 00  |...9.9..1.......|
00000060  ca 72 00 80 19 08 d0 a4  61 01 00 00 51 74 41 40  |.r......a...QtA@|
00000070  00 40 49 25 c4 c7 9b 3b  08 89 c1 a2 fd 7c 95 79  |.@I%...;.....|.y|
00000080

CWS! This file is still compressed. Even though it could be decompiled as it is, we want the original, uncompressed file. For that we run the script found at http://stackoverflow.com.

$ ./uncompress.sh exploit.swf 
uncompressing to ./uncompressed_exploit.swf

$ file uncompressed_exploit.swf 
uncompressed_exploit.swf : Macromedia Flash data, version 23

$ file --mime uncompressed_exploit.swf 
uncompressed_exploit.swf: application/x-shockwave-flash; charset=binary

$ hexdump uncompressed_exploit.swf -n128 -C
00000000  46 57 53 17 ad 23 00 00  78 00 04 e2 00 00 0e a6  |FWS..#..x.......|
00000010  00 00 18 01 00 44 11 19  00 00 00 7f 13 76 01 00  |.....D.......v..|
00000020  00 3c 3f 78 6d 6c 20 76  65 72 73 69 6f 6e 3d 22  |.<?xml version="|
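The three hexdumps above show the whole point in their first three bytes: FWS is a plain SWF, CWS is zlib-compressed and ZWS is LZMA-compressed, and a type detector that only knows the first two reports the third as generic binary data. The following Python is an added example, not code from the original post or from swfzip; it parses the SWF header, shows how a proxy's magic-number check fails when its signature list predates ZWS, and unpacks all three containers. The sample movie body is constructed filler rather than a real Flash file; `ZWS_HEADER_FROM_POST` is the 17-byte header from the first hexdump.

```python
"""Identify and unpack the three SWF container flavours: FWS, CWS and ZWS.

Added example for this post, not code from the original article or from
swfzip. Standard library only. The sample movie body is constructed filler,
not a real Flash file; ZWS_HEADER_FROM_POST is the first 17 bytes of the
hexdump shown above.
"""
import lzma
import struct
import zlib

SWF_MIME = "application/x-shockwave-flash"
OCTET_STREAM = "application/octet-stream"

# The first signature byte says how everything after the 8-byte header is stored.
COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

# 17-byte header of the object captured in the post (ZWS, version 23).
ZWS_HEADER_FROM_POST = bytes.fromhex("5a575317ad2300003a2100005d00002000")


def parse_swf_header(data: bytes) -> dict:
    """Decode the common 8-byte SWF header plus the ZWS-only fields."""
    if len(data) < 8 or data[:3] not in COMPRESSION:
        raise ValueError("not an SWF file")
    info = {
        "signature": data[:3].decode(),
        "compression": COMPRESSION[data[:3]],
        "version": data[3],
        # Length of the whole file once uncompressed, header included (little-endian).
        "uncompressed_len": struct.unpack_from("<I", data, 4)[0],
    }
    if data[:3] == b"ZWS":
        if len(data) < 17:
            raise ValueError("truncated ZWS header")
        # Size of the LZMA payload that follows the five property bytes.
        info["compressed_len"] = struct.unpack_from("<I", data, 8)[0]
        # LZMA properties: one lc/lp/pb byte at offset 12, then the dictionary size.
        info["lzma_dict_size"] = struct.unpack_from("<I", data, 13)[0]
    return info


def sniff_mime(data: bytes, known_signatures=(b"FWS", b"CWS", b"ZWS")) -> str:
    """Magic-number detection as a proxy or the `file` command performs it.

    Passing known_signatures=(b"FWS", b"CWS") models a signature database that
    predates LZMA-compressed SWFs: a ZWS object then falls through to the
    generic binary type, which is exactly what the post observed.
    """
    return SWF_MIME if data[:3] in known_signatures else OCTET_STREAM


def decompress_swf(data: bytes) -> bytes:
    """Return the movie as plain FWS whatever container it arrived in."""
    hdr = parse_swf_header(data)
    expected = hdr["uncompressed_len"] - 8
    if hdr["compression"] == "none":
        body = data[8:]
    elif hdr["compression"] == "zlib":
        body = zlib.decompress(data[8:])
    else:
        end = 17 + hdr["compressed_len"]
        if len(data) < end:
            raise ValueError("truncated ZWS payload")
        # Rebuild a .lzma ("alone") stream: 5 property bytes, an 8-byte size
        # field set to "unknown" so the decoder stops at the end-of-stream
        # marker carried by the SWF payload, then the raw payload itself.
        alone = data[12:17] + b"\xff" * 8 + data[17:end]
        body = lzma.decompress(alone, format=lzma.FORMAT_ALONE)
    if len(body) != expected:
        raise ValueError(f"header announces {expected} body bytes, got {len(body)}")
    return b"FWS" + bytes([hdr["version"]]) + struct.pack("<I", hdr["uncompressed_len"]) + body


def compress_swf(fws: bytes, kind: str) -> bytes:
    """Re-wrap a plain FWS as CWS (zlib) or ZWS (LZMA); used here to build samples."""
    hdr = parse_swf_header(fws)
    if hdr["compression"] != "none":
        raise ValueError("expected an FWS file")
    head = bytes([hdr["version"]]) + struct.pack("<I", hdr["uncompressed_len"])
    body = fws[8:]
    if kind == "zlib":
        return b"CWS" + head + zlib.compress(body, 9)
    if kind == "lzma":
        # liblzma's .lzma writer emits 5 property bytes, an 8-byte size field
        # (unknown, hence an end marker) and the payload; ZWS drops the size field.
        alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
        props, payload = alone[:5], alone[13:]
        return b"ZWS" + head + struct.pack("<I", len(payload)) + props + payload
    raise ValueError(kind)


def build_samples() -> dict:
    """Constructed FWS movie and its CWS and ZWS re-wrappings (sample data only)."""
    body = b"<constructed SWF body, not a real movie> " * 40
    fws = b"FWS" + bytes([23]) + struct.pack("<I", 8 + len(body)) + body
    return {"FWS": fws, "CWS": compress_swf(fws, "zlib"), "ZWS": compress_swf(fws, "lzma")}


if __name__ == "__main__":
    print("captured header:", parse_swf_header(ZWS_HEADER_FROM_POST))
    for name, blob in build_samples().items():
        legacy = sniff_mime(blob, known_signatures=(b"FWS", b"CWS"))
        print(f"{name}: {len(blob):5d} bytes, legacy magic says {legacy}, "
              f"unpacked {len(decompress_swf(blob))} bytes")
```

Run on the captured header, `parse_swf_header` reports version 23, an uncompressed size of 9133 bytes (the value swfzip printed as "Filesize in signature") and a 2 MiB LZMA dictionary. The length check in `decompress_swf` is the cheap sanity test worth keeping in any ingest pipeline: a container whose announced size does not match what actually inflates is either truncated or crafted.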

Yes! Now that we have the original SWF file we can decompile it with any tool. In this case we use the online decompiler http://www.showmycode.com/, which gives us the ActionScript source code of the Flash file.

NOTE: We use an online decompiler here for convenience and because the Flash file is publicly available. For a private investigation you should use a desktop decompiler.

Skimming through the code, we realise that something strange is going on. It is too small; something is not right.

In ActionScript 3 it is possible to embed an SWF file in a ByteArray and load that SWF at runtime. To add another layer of protection, the embedded file can also be encrypted with XOR operations. The whole process can be repeated as many times as you like, stacking layers of obfuscation and greatly complicating the analyst's job. The decoded SWF, and therefore the exploit, exists only in memory, which can make it hard for an antivirus to detect.

More information about this method: http://www.veryinteractivepeople.com/?p=67.
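When the inner SWF only ever exists in memory, the analyst's practical task is to find it inside the outer file's ByteArray data and undo the XOR layer. The Python below is an added example, not code from the original post or the linked article. It assumes the simplest case the post's description covers, a repeating one-byte XOR key (the post only says "XOR operations", so longer keys are not handled), and it uses the SWF header's own length field to reject chance three-byte matches. The carrier blob is constructed for the example.

```python
"""Locate and recover a one-byte-XOR obfuscated SWF embedded in a ByteArray blob.

Added example, not code from the original post. Assumes a repeating one-byte
XOR key (the post only says "XOR operations"; longer keys are out of scope).
The carrier blob and the inner movie are constructed sample data.
"""
import struct

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xored_swf(blob: bytes) -> list:
    """Return (offset, key, signature) for every plausible hidden SWF header.

    For each of the 256 candidate keys the XORed form of each signature is
    searched for. A 3-byte match alone gives false positives, so the
    little-endian length field that follows the version byte is decoded with
    the same key and must fit inside what remains of the blob.
    """
    hits = []
    for key in range(256):
        for sig in SWF_SIGNATURES:
            needle = xor_bytes(sig, key)
            pos = blob.find(needle)
            while pos != -1:
                if pos + 8 <= len(blob):
                    length = struct.unpack("<I", xor_bytes(blob[pos + 4:pos + 8], key))[0]
                    if 8 <= length <= len(blob) - pos:
                        hits.append((pos, key, sig.decode()))
                pos = blob.find(needle, pos + 1)
    return sorted(hits)


def extract_swf(blob: bytes, offset: int, key: int) -> bytes:
    """De-XOR the embedded file, using its own header to know how long it is."""
    length = struct.unpack("<I", xor_bytes(blob[offset + 4:offset + 8], key))[0]
    return xor_bytes(blob[offset:offset + length], key)


def build_carrier(key: int = 0x5A):
    """Constructed sample: filler, then an XORed FWS movie, then more filler.

    Returns the carrier blob, the plain inner movie and the offset it sits at.
    """
    body = b"constructed inner movie bytes " * 10
    inner = b"FWS" + bytes([23]) + struct.pack("<I", 8 + len(body)) + body
    prefix = b"ActionScript carrier data, also constructed. " * 8
    suffix = b"trailing constructed carrier bytes " * 4
    return prefix + xor_bytes(inner, key) + suffix, inner, len(prefix)


if __name__ == "__main__":
    blob, inner, offset = build_carrier()
    for pos, key, sig in find_xored_swf(blob):
        recovered = extract_swf(blob, pos, key)
        print(f"{sig} at offset {pos}, key 0x{key:02x}, {len(recovered)} bytes,"
              f" intact={recovered == inner}")
```

The scan is cheap (256 keys, three signatures, one `find` loop each) and the length check is what keeps it usable on a multi-kilobyte ByteArray; once the inner file is recovered it can be fed to the same decompression step as the outer one, and if it in turn contains another ByteArray the scan is simply run again, one layer at a time.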

But could we get hold of the exploit and find out which vulnerability it uses? We will get to that in the next post.

Greetings!