Defeat initial packers used in flash exploits using Sulo

Using Sulo it is quite easy to defeat the initial packers used in the recent Flash exploits. All we need is to set up one VM environment as I described in my previous blog post and on the Sulo GitHub page. Once the environment is set up, it is just a matter of drag and drop; we don't need to worry about the technique(s) used in the packers. By "packer" I mean that most of these SWF exploits use Loader.loadBytes() to load the decrypted/decoded second-stage SWF exploit file.

For example, I am going to show you how to dump the second-stage Flash exploit file using the sample with hash f5458eb4b0d7c18519bbf5fd92437485bff31f9abc6870beb4e8dc327cd24192.

The initial SWF file decrypts/decodes a second-stage SWF file (the original exploit) and loads it using Loader.loadBytes(), as shown in this picture. Unpacking it by hand would take a few hours, but with Sulo it is quite easy.

[image]

We need to start Sulo in "-fast" mode and drag and drop the Flash file into IE. Within a few seconds you will get the second stage.

[image]

Once you allow IE to load the initial Flash file, Sulo will dump the second-stage Flash file to the desktop. You can start analyzing the second-stage Flash file without worrying about the packer. Most interestingly, you can use any version of Flash that Sulo supports.

[image]
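The second stage Sulo writes to the desktop is the raw byte array that was handed to Loader.loadBytes(), so the first thing an analyst wants to know is whether it is a complete, well-formed SWF and which tags it carries (a DefineBinaryData tag next to a DoABC tag is the usual shape of yet another packing layer). The script below is an added example written for this post; it is not part of Sulo and not the author's code. It parses the 8-byte SWF header, inflates a zlib-compressed (CWS) body, checks the declared length against what was actually dumped, decodes the frame-size RECT and walks the tag list. It goes beyond the post in one way: carve_swf() applies the same parser at every candidate signature inside an arbitrary buffer, which is how you recover the same second stage from a process memory dump when no loadBytes() hook is available. All function names are this example's own, the sample SWF is constructed inline (its "second stage" is a placeholder string), and LZMA-compressed (ZWS) files are reported but not inflated.

```python
import re
import struct
import zlib

# Tag codes from the SWF file-format spec that matter when triaging a packer:
# DefineBinaryData is where a hidden second stage usually sits, and DoABC
# holds the ActionScript 3 bytecode that decodes it and calls loadBytes().
TAG_NAMES = {0: "End", 1: "ShowFrame", 69: "FileAttributes",
             76: "SymbolClass", 82: "DoABC", 87: "DefineBinaryData"}


def read_rect(body):
    """Decode the bit-packed frame-size RECT at the start of the SWF body.
    Returns ([xmin, xmax, ymin, ymax] in twips, offset of the next byte)."""
    bits = "".join(format(b, "08b") for b in body[:17])   # 5 + 4*31 bits max
    nbits, vals, p = int(bits[:5], 2), [], 5
    for _ in range(4):                                     # four signed fields
        v = int(bits[p:p + nbits], 2)
        vals.append(v - (1 << nbits) if v & (1 << (nbits - 1)) else v)
        p += nbits
    return vals, (p + 7) // 8


def parse_swf(data):
    """Check the 8-byte header, inflate a CWS body, and walk the tag list.
    Raises ValueError for anything that is not a well-formed SWF, so it also
    serves as a sanity check on whatever a dumper wrote to disk."""
    if len(data) < 8:
        raise ValueError("too short for a SWF header")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]    # uncompressed size incl. header
    if sig == b"FWS":
        if len(data) < declared_len:
            raise ValueError("truncated FWS file")
        body = data[8:declared_len]
    elif sig == b"CWS":
        # decompressobj() ignores trailing bytes, which matters when carving
        body = zlib.decompressobj().decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA (ZWS) body not handled by this example")
    else:
        raise ValueError("bad signature %r" % sig)
    if len(body) + 8 != declared_len:
        raise ValueError("declared length %d, got %d" % (declared_len, len(body) + 8))

    (xmin, xmax, ymin, ymax), pos = read_rect(body)
    frame_rate = struct.unpack("<H", body[pos:pos + 2])[0] / 256.0   # UI16 fixed 8.8
    frame_count = struct.unpack("<H", body[pos + 2:pos + 4])[0]
    pos += 4

    # Tag header is a UI16: code in the top 10 bits, length in the low 6 bits;
    # a length of 0x3F means a UI32 long length follows.
    tags = []
    while pos + 2 <= len(body):
        head = struct.unpack("<H", body[pos:pos + 2])[0]
        code, length = head >> 6, head & 0x3F
        pos += 2
        if length == 0x3F:
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        tags.append((TAG_NAMES.get(code, "Tag%d" % code), length))
        pos += length
        if code == 0:
            break
    return {"compression": sig.decode(), "version": version,
            "frame_size_twips": (xmax - xmin, ymax - ymin),
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags}


def carve_swf(blob):
    """Locate SWF files inside an arbitrary buffer (a memory dump, a decoded
    blob); only candidates that parse cleanly are reported, in offset order."""
    hits = []
    for m in re.finditer(rb"[FC]WS", blob):
        try:
            hits.append((m.start(), parse_swf(blob[m.start():])))
        except (ValueError, zlib.error, IndexError, struct.error):
            pass
    return hits


def _pack_bits(fields):
    """Pack (value, width) pairs MSB-first and pad to a byte boundary."""
    bits = "".join(format(v, "0%db" % n) for v, n in fields)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def build_sample_swf(compress=False):
    """Constructed test input (not a real exploit): a tiny SWF whose
    DefineBinaryData tag carries a placeholder 'second stage' payload."""
    rect = _pack_bits([(15, 5), (0, 15), (11000, 15), (0, 15), (8000, 15)])
    body = rect + struct.pack("<HH", 24 * 256, 1)                     # 24 fps, 1 frame
    body += struct.pack("<H", (69 << 6) | 4) + b"\x08\x00\x00\x00"    # FileAttributes (AS3)
    payload = b"FAKE-SECOND-STAGE"
    body += struct.pack("<HHI", (87 << 6) | (6 + len(payload)), 1, 0) + payload
    body += struct.pack("<HH", 1 << 6, 0)                             # ShowFrame, End
    header = bytes([10]) + struct.pack("<I", 8 + len(body))           # version 10
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body
```

Run parse_swf() on the file Sulo dropped on the desktop: a length mismatch or a zlib error means the dump is truncated or was taken before the decoder finished, and a tag list that is again mostly DefineBinaryData plus DoABC tells you there is a further packing layer to peel off with the same drag-and-drop run.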

This entry was posted in Exploit, Exploit Kit, Flash Exploit Analysis.

8 Responses to Defeat initial packers used in flash exploits using Sulo

  1. tr0jan says:

    I had done it in python itself… 🙂

  2. Pingback: Defeat initial packers used in flash exploits u...

  3. C0d3r says:

    You can save the content before LoadBytes() to a file too.
    BTW, are there any workaround for decompiling second stage swf of the malware you analyzed? I’m stuck!

  4. jine says:

    What Adobe Flash Player version do you use?

  5. random_dude says:

    Great post and tool! Saved me a lot of time on this exploit 🙂

    A question though, do you override the flash.system.capabilities data somehow?
    Other than intercepting the values through WinDbg or editing the original swf file,
    I’ve no idea how to mock those values.
