A remote method enumeration tool for Flex servers

There are several ways to determine and access exposed methods:
  • Decompile SWF and search for remoting calls
  • Watch network traffic for service and method names
  • Dictionary attack against service and methods

Decompile SWF

Grab the SWF file:


Use swfdump to convert the SWF to bytecode, then grep through the results for ServerConfig.xml, which is often embedded in the SWF. This will provide the URLs and service names.

./swfdump -D BankApp.swf 2>/dev/null |grep "service id"

00622) + 2:2 pushstring "<services><service id="remoting-service"><destination id="Transfer"><channels><channel ref="my-amf"/></channels></destination><destination id="Login"><channels><channel ref="my-amf"/></channels></destination><destination id="Balance"><channels><channel ref="my-amf"/></channels></destination></service><service id="proxy-service"><destination id="DefaultHTTP"><channels><channel ref="my-amf"/></channels></destination></service><service id="message-service"><destination id="data_sample"><channels><channel ref="my-polling-amf"/></channels></destination></service><channels><channel id="my-amf" type="mx.messaging.channels.AMFChannel"><endpoint uri="http://{}:{server.port}/blazeds/messagebroker/amf"/><properties></properties></channel><channel id="my-polling-amf" type="mx.messaging.channels.AMFChannel"><endpoint uri="http://{}:{server.port}/blazeds/messagebroker/amfpolling"/><properties><polling-enabled>true</polling-enabled><polling-interval-seconds>4</polling-interval-seconds></properties></channel><channel id="my-secure-amf" type="mx.messaging.channels.SecureAMFChannel"><endpoint uri="https://{}:{server.port}/blazeds/messagebroker/amfsecure"/><properties></properties></channel></channels></services>"
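As an added example (not part of deblaze or this page), the following Python pulls the embedded ServerConfig services block out of swfdump output and lists each destination together with the channel and endpoint it is bound to, so an application owner can check which destinations the SWF exposes and which still sit on a plain http AMFChannel rather than a SecureAMFChannel. The swfdump line it parses is a constructed sample in the shape of the BankApp output above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample swfdump line, shaped like the BankApp output above (two destinations).
SAMPLE_SWFDUMP_LINE = (
    '00622) + 2:2 pushstring "<services>'
    '<service id="remoting-service">'
    '<destination id="Transfer"><channels><channel ref="my-amf"/></channels></destination>'
    '<destination id="Login"><channels><channel ref="my-secure-amf"/></channels></destination>'
    '</service><channels>'
    '<channel id="my-amf" type="mx.messaging.channels.AMFChannel">'
    '<endpoint uri="http://{}:{server.port}/blazeds/messagebroker/amf"/></channel>'
    '<channel id="my-secure-amf" type="mx.messaging.channels.SecureAMFChannel">'
    '<endpoint uri="https://{}:{server.port}/blazeds/messagebroker/amfsecure"/></channel>'
    '</channels></services>"'
)

def extract_services_xml(swfdump_output):
    """Return the embedded <services>...</services> document found in swfdump text."""
    match = re.search(r"<services>.*?</services>", swfdump_output, re.DOTALL)
    if match is None:
        raise ValueError("no ServerConfig <services> block found in swfdump output")
    return match.group(0)

def inventory_destinations(swfdump_output):
    """List every destination with its service, channel, endpoint URI and a flag
    telling whether it is bound to a SecureAMFChannel over https."""
    root = ET.fromstring(extract_services_xml(swfdump_output))
    channels = {}  # channel id -> (channel type, endpoint uri)
    for ch in root.findall("./channels/channel"):
        endpoint = ch.find("endpoint")
        uri = endpoint.get("uri", "") if endpoint is not None else ""
        channels[ch.get("id")] = (ch.get("type", ""), uri)
    records = []
    for svc in root.findall("service"):
        for dest in svc.findall("destination"):
            for ref in dest.findall("./channels/channel"):
                ch_type, uri = channels.get(ref.get("ref"), ("", ""))
                records.append({
                    "service": svc.get("id"),
                    "destination": dest.get("id"),
                    "channel": ref.get("ref"),
                    "endpoint": uri,
                    "secure": ch_type.endswith("SecureAMFChannel") and uri.startswith("https://"),
                })
    return records

if __name__ == "__main__":
    for record in inventory_destinations(SAMPLE_SWFDUMP_LINE):
        print(record)
```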

Next, search for the remoting methods in the SWF:

./swfdump -D BankApp.swf 2>/dev/null |grep "findproperty <q>\[public\]::remObj"

00011) + 0:1 findproperty <q>[public]::remObjLogin
00011) + 0:1 findproperty <q>[public]::remObjTrans
00011) + 0:1 findproperty <q>[public]::remObjBalance

Alternatively, you can decompile with Sothink SWF decompiler:

Find the services.xml file in the SWF. In the following example, each "destination id" represents a service. These include securityService, exampleService, and mathService:

ServerConfig.xml = <services>
  <service id="remoting-service">
    <destination id="securityService">
      <channel ref="my-amf"/>
    </destination>
    <destination id="exampleService">
      <channel ref="my-amf"/>
    </destination>
    <destination id="mathService">
      <channel ref="my-amf"/>
    </destination>
  </service>
</services>

Search for remoting methods (send, service, remote, etc.) in the decompiled files:

findstr /I /N /S "service\." *.as
var _loc_3:* = service.sendEmail(_loc_2.Email)

This can be accessed by:

python -u -s securityService -m sendEmail -p

Network Monitoring

Run deblaze in proxy mode:

python2.5 -P 8080:targetIP:targetPort

Set your browser to use localhost:8080 as a proxy and use the SWF normally. This captures and extracts all gateways, services, and methods that the SWF files call.

Use Charles proxy to intercept HTTP traffic.

Fire up Wireshark and start using the SWF functionality. Look through the network capture for URLs, services, and methods.

This can be accessed by:

python -u -s Discoveryservice -m getServices

Dictionary Attacks

Dictionary attacks can be performed against the service name or the method name. The names.txt file contains a list of common method names; custom values should be added to this list based on the target environment. To launch a dictionary attack, use the following command:

python -u -1 names.txt -m test