dstruct 0.0.1

data/lib/rex/exploitation/js/memory.rb

@@ -0,0 +1,81 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Provides meomry manipulative functions in JavaScript
+#
+class Memory
+
+  def self.mstime_malloc
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "mstime_malloc.js"))
+    js = js.gsub(/W00TA/, Rex::Text.rand_text_hex(6))
+    js = js.gsub(/W00TB/, Rex::Text.rand_text_hex(5))
+
+    ::Rex::Exploitation::ObfuscateJS.new(js,
+      {
+        'Symbols' => {
+          'Variables' => %w{ buf eleId acTag }
+        }
+      }).obfuscate
+  end
+
+  def self.heaplib2(custom_js='', opts={})
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heaplib2.js"))
+
+    unless custom_js.blank?
+      js << custom_js
+    end
+
+    js = ::Rex::Exploitation::JSObfu.new js
+    js.obfuscate
+    return js
+  end
+
+  def self.property_spray
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "property_spray.js"))
+
+    ::Rex::Exploitation::ObfuscateJS.new(js,
+      {
+        'Symbols' => {
+          'Variables' => %w{ sym_div_container data junk obj }
+        }
+      }).obfuscate
+  end
+
+  def self.heap_spray
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heap_spray.js"))
+
+    ::Rex::Exploitation::ObfuscateJS.new(js,
+      {
+        'Symbols' => {
+          'Variables' => %w{ index heapSprayAddr_hi heapSprayAddr_lo retSlide heapBlockCnt }
+        }
+      }).obfuscate
+  end
+
+  def self.explib2
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "explib2", "lib", "explib2.js"))
+
+    ::Rex::Exploitation::ObfuscateJS.obfuscate(js)
+  end
+
+  def self.explib2_payload(payload="exec")
+    case payload
+    when "drop_exec"
+      js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "explib2", "payload", "drop_exec.js"))
+    else # "exec"
+      js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "explib2", "payload", "exec.js"))
+    end
+
+    ::Rex::Exploitation::ObfuscateJS.obfuscate(js)
+  end
+
+end
+end
+end
+end

data/lib/rex/exploitation/js/network.rb

@@ -0,0 +1,84 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Provides networking functions in JavaScript
+#
+class Network
+
+  # @param [Hash] opts the options hash
+  # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
+  # @option opts [Boolean] :inject_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
+  #   defaults to true.
+  # @return [String] javascript code to perform a synchronous ajax request to the remote
+  #   and returns the response
+  def self.ajax_download(opts={})
+    should_obfuscate = opts.fetch(:obfuscate, true)
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_download.js"))
+
+    if should_obfuscate
+      js = ::Rex::Exploitation::ObfuscateJS.new(js,
+        {
+          'Symbols' => {
+            'Variables' => %w{ xmlHttp oArg }
+          }
+      }).obfuscate
+    end
+
+    xhr_shim(opts) + js
+  end
+
+  # @param [Hash] opts the options hash
+  # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
+  # @option opts [Boolean] :inject_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
+  #   defaults to true.
+  # @return [String] javascript code to perform a synchronous or asynchronous ajax request to
+  #   the remote with the data specified.
+  def self.ajax_post(opts={})
+    should_obfuscate = opts.fetch(:obfuscate, true)
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_post.js"))
+
+    if should_obfuscate
+      js = ::Rex::Exploitation::ObfuscateJS.new(js,
+        {
+          'Symbols' => {
+            'Variables' => %w{ xmlHttp cb path data }
+          }
+        }).obfuscate
+    end
+
+    xhr_shim(opts) + js
+  end
+
+  # @param [Hash] opts the options hash
+  # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
+  # @option opts [Boolean] :inject_xhr_shim false causes this method to return ''. defaults to true.
+  # @return [String] javascript code that adds XMLHttpRequest to the global scope if it
+  #   does not exist (e.g. on IE6, where you have to use the ActiveXObject constructor)
+  def self.xhr_shim(opts={})
+    return '' unless opts.fetch(:inject_xhr_shim, true)
+
+    should_obfuscate = opts.fetch(:obfuscate, true)
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "xhr_shim.js"))
+
+    if should_obfuscate
+      js = ::Rex::Exploitation::ObfuscateJS.new(js,
+        {
+          'Symbols' => {
+            'Variables' => %w{ activeObjs idx }
+          }
+        }
+      ).obfuscate
+    end
+    js
+  end
+
+end
+end
+end
+end

data/lib/rex/exploitation/js/utils.rb

@@ -0,0 +1,33 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'rex/text'
+require 'rex/exploitation/jsobfu'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Javascript utilities
+#
+class Utils
+
+  def self.base64
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "utils", "base64.js"))
+
+    opts = {
+      'Symbols' => {
+        'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx
+          input output chr chr1 chr2 chr3 enc1 enc2 enc3 enc4 },
+        'Methods'   => %w{ _utf8_encode _utf8_decode encode decode }
+      }
+    }
+
+    ::Rex::Exploitation::ObfuscateJS.new(js, opts).to_s
+  end
+
+end
+end
+end
+end

data/lib/rex/exploitation/jsobfu.rb

@@ -0,0 +1,513 @@
+# -*- coding: binary -*-
+
+require 'rex/text'
+require 'rex/random_identifier_generator'
+require 'rkelly'
+
+module Rex
+module Exploitation
+
+
+#
+# Obfuscate JavaScript by randomizing as much as possible and removing
+# easily-signaturable string constants.
+#
+# Example:
+#   js = ::Rex::Exploitation::JSObfu.new %Q|
+#     var a = "0\\612\\063\\x34\\x35\\x36\\x37\\x38\\u0039";
+#     var b = { foo : "foo", bar : "bar" }
+#     alert(a);
+#     alert(b.foo);
+#   |
+#   js.obfuscate
+#   puts js
+# Example Output:
+#   var VwxvESbCgv = String.fromCharCode(0x30,0x31,062,063,064,53,0x36,067,070,0x39);
+#   var ToWZPn = {
+#     "\146\157\x6f": (function () { var yDyv="o",YnCL="o",Qcsa="f"; return Qcsa+YnCL+yDyv })(),
+#     "\142ar": String.fromCharCode(0142,97,0162)
+#   };
+#   alert(VwxvESbCgv);
+#   alert(ToWZPn.foo);
+#
+# NOTE: Variables MUST be declared with a 'var' statement BEFORE first use (or
+# not at all) for this to generate correct code!  If variables are not declared
+# they will not be randomized but the generated code will be correct.
+#
+# Bad Example Javascript:
+#   a = "asdf"; // this variable hasn't been declared and will not be randomized
+#   var a;
+#   alert(a); // real js engines will alert "asdf" here
+# Bad Example Obfuscated:
+#   a = (function () { var hpHu="f",oyTm="asd"; return oyTm+hpHu })();
+#   var zSrnHpEfJZtg;
+#   alert(zSrnHpEfJZtg);
+# Notice that the first usage of +a+ (before it was declared) is not
+# randomized.  Thus, the obfuscated version will alert 'undefined' instead of
+# "asdf".
+#
+class JSObfu
+
+  # these keywords should never be used as a random var name
+  # source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Reserved_Words
+  RESERVED_KEYWORDS = %w(
+    break case catch continue debugger default delete do else finally
+    for function if in instanceof new return switch this throw try
+    typeof var void while with class enum export extends import super
+    implements interface let package private protected public static yield
+  )
+
+  #
+  # Abstract Syntax Tree generated by RKelly::Parser#parse
+  #
+  attr_reader :ast
+
+  #
+  # Saves +code+ for later obfuscation with #obfuscate
+  #
+  def initialize(code)
+    @code = code
+    @funcs = {}
+    @vars  = {}
+    @debug = false
+    @rand_gen = Rex::RandomIdentifierGenerator.new(
+      :max_length => 15,
+      :first_char_set => Rex::Text::Alpha+"_$",
+      :char_set => Rex::Text::AlphaNumeric+"_$"
+    )
+  end
+
+  #
+  # Add +str+ to the un-obfuscated code.
+  #
+  # Calling this method after #obfuscate is undefined
+  #
+  def <<(str)
+    @code << str
+  end
+
+  #
+  # Return the (possibly obfuscated) code as a string.
+  #
+  # If #obfuscate has not been called before this, returns the parsed,
+  # unobfuscated code.  This can be useful for example to remove comments and
+  # standardize spacing.
+  #
+  def to_s
+    parse if not @ast
+    @ast.to_ecma
+  end
+
+  #
+  # Return the obfuscated name of a symbol
+  #
+  # You MUST call #obfuscate before this method!
+  #
+  def sym(lookup)
+    if @vars[lookup]
+      ret = @vars[lookup]
+    elsif @funcs[lookup]
+      ret = @funcs[lookup]
+    else
+      ret = lookup
+    end
+    ret
+  end
+
+  #
+  # Parse and obfuscate
+  #
+  def obfuscate
+    parse
+    obfuscate_r(@ast)
+  end
+
+  # @return [String] a unique random var name that is not a reserved keyword
+  def random_var_name
+    loop do
+      text = random_string
+      unless @vars.has_value?(text) or RESERVED_KEYWORDS.include?(text)
+        return text
+      end
+    end
+  end
+
+protected
+
+  # @return [String] a random string
+  def random_string
+    @rand_gen.generate
+  end
+
+  #
+  # Recursive method to obfuscate the given +ast+.
+  #
+  # +ast+ should be the result of RKelly::Parser#parse
+  #
+  def obfuscate_r(ast)
+    ast.each do |node|
+      #if node.respond_to? :value and node.value.kind_of? String and node.value =~ /bodyOnLoad/i
+      #	$stdout.puts("bodyOnLoad: #{node.class}: #{node.value}")
+      #end
+
+      case node
+      when nil
+        nil
+
+      when ::RKelly::Nodes::SourceElementsNode
+        # Recurse
+        obfuscate_r(node.value)
+
+      #when ::RKelly::Nodes::ObjectLiteralNode
+        # TODO
+        #$stdout.puts(node.methods - Object.new.methods)
+        #$stdout.puts(node.value.inspect)
+
+      when ::RKelly::Nodes::PropertyNode
+        # Property names must be bare words or string literals NOT
+        # expressions!  Can't use transform_string() here
+        if node.name =~ /^[a-zA-Z_][a-zA-Z0-9_]*$/
+          n = '"'
+          node.name.unpack("C*") { |c|
+            case rand(3)
+            when 0; n << "\\x%02x"%(c)
+            when 1; n << "\\#{c.to_s 8}"
+            when 2; n << [c].pack("C")
+            end
+          }
+          n << '"'
+          node.instance_variable_set(:@name, n)
+        end
+
+      # Variables
+      when ::RKelly::Nodes::VarDeclNode
+        if @vars[node.name].nil?
+          @vars[node.name] = random_var_name
+        end
+        node.name = @vars[node.name]
+      when ::RKelly::Nodes::ParameterNode
+        if @vars[node.value].nil?
+          @vars[node.value] = random_var_name
+        end
+        node.value = @vars[node.value]
+      when ::RKelly::Nodes::ResolveNode
+        #$stdout.puts("Resolve bodyOnload: #{@vars[node.value]}") if "bodyOnLoad" == node.value
+        node.value = @vars[node.value] if @vars[node.value]
+      when ::RKelly::Nodes::DotAccessorNode
+        case node.value
+        when ::RKelly::Nodes::ResolveNode
+          if @vars[node.value.value]
+            node.value.value = @vars[node.value.value]
+          end
+        #else
+        #	$stderr.puts("Non-resolve node as target of dotaccessor: #{node.value.class}")
+        end
+
+      # Functions
+      when ::RKelly::Nodes::FunctionDeclNode
+        #$stdout.puts("FunctionDecl: #{node.value}")
+        # Functions can also act as objects, so store them in the vars
+        # and the functions list so we can replace them in both places
+        if @funcs[node.value].nil? and not @funcs.values.include?(node.value)
+          @funcs[node.value] = random_var_name
+          if @vars[node.value].nil?
+            @vars[node.value] = @funcs[node.value]
+          end
+          node.value = @funcs[node.value]
+        end
+      when ::RKelly::Nodes::FunctionCallNode
+        # The value of a FunctionCallNode is some sort of accessor node or a ResolveNode
+        # so this is basically useless
+        #$stdout.puts("Function call: #{node.name} => #{@funcs[node.name]}")
+        #node.value = @funcs[node.value] if @funcs[node.value]
+
+      # Transformers
+      when ::RKelly::Nodes::NumberNode
+        node.value = transform_number(node.value)
+      when ::RKelly::Nodes::StringNode
+        node.value = transform_string(node.value)
+      else
+        #$stderr.puts "#{node.class}: #{node.value}"
+        #$stderr.puts "#{node.class}"
+      end
+
+      #unless node.kind_of? ::RKelly::Nodes::SourceElementsNode
+      #	$stderr.puts "#{node.class}: #{node.value}"
+      #end
+    end
+
+    nil
+  end
+
+  #
+  # Generate an Abstract Syntax Tree (#ast) for later obfuscation
+  #
+  def parse
+    parser = RKelly::Parser.new
+    @ast = parser.parse(@code)
+  end
+
+  #
+  # Convert a number to a random base (decimal, octal, or hexedecimal).
+  #
+  # Given 10 as input, the possible return values are:
+  #   "10"
+  #   "0xa"
+  #   "012"
+  #
+  def rand_base(num)
+    case rand(3)
+    when 0; num.to_s
+    when 1; "0%o" % num
+    when 2; "0x%x" % num
+    end
+  end
+
+  #
+  # Return a mathematical expression that will evaluate to the given number
+  # +num+.
+  #
+  # +num+ can be a float or an int, but should never be negative.
+  #
+  def transform_number(num)
+    case num
+    when Fixnum
+      if num == 0
+        r = rand(10) + 1
+        transformed = "('#{Rex::Text.rand_text_alpha(r)}'.length - #{r})"
+      elsif num > 0 and num < 10
+        # use a random string.length for small numbers
+        transformed = "'#{Rex::Text.rand_text_alpha(num)}'.length"
+      else
+        transformed = "("
+        divisor = rand(num) + 1
+        a = num / divisor.to_i
+        b = num - (a * divisor)
+        # recurse half the time for a
+        a = (rand(2) == 0) ? transform_number(a) : rand_base(a)
+        # recurse half the time for divisor
+        divisor = (rand(2) == 0) ? transform_number(divisor) : rand_base(divisor)
+        transformed << "#{a}*#{divisor}"
+        transformed << "+#{b}"
+        transformed << ")"
+      end
+    when Float
+      transformed = "(#{num - num.floor} + #{rand_base(num.floor)})"
+    end
+
+    #puts("#{num} == #{transformed}")
+
+    transformed
+  end
+
+  #
+  # Convert a javascript string into something that will generate that string.
+  #
+  # Randomly calls one of the +transform_string_*+ methods
+  #
+  def transform_string(str)
+    quote = str[0,1]
+    # pull off the quotes
+    str = str[1,str.length - 2]
+    return quote*2 if str.length == 0
+
+    case rand(2)
+    when 0
+      transformed = transform_string_split_concat(str, quote)
+    when 1
+      transformed = transform_string_fromCharCode(str)
+    #when 2
+    #	# Currently no-op
+    #	transformed = transform_string_unescape(str)
+    end
+
+    #$stderr.puts "Obfuscating str: #{str.ljust 30} #{transformed}"
+    transformed
+  end
+
+  #
+  # Split a javascript string, +str+, without breaking escape sequences.
+  #
+  # The maximum length of each piece of the string is half the total length
+  # of the string, ensuring we (almost) always split into at least two
+  # pieces.  This won't always be true when given a string like "AA\x41",
+  # where escape sequences artificially increase the total length (escape
+  # sequences are considered a single character).
+  #
+  # Returns an array of two-element arrays.  The zeroeth element is a
+  # randomly generated variable name, the first is a piece of the string
+  # contained in +quote+s.
+  #
+  # See #escape_length
+  #
+  def safe_split(str, quote)
+    parts = []
+    max_len = str.length / 2
+    while str.length > 0
+      len = 0
+      loop do
+        e_len = escape_length(str[len..-1])
+        e_len = 1 if e_len.nil?
+        len += e_len
+        # if we've reached the end of the string, bail
+        break unless str[len]
+        break if len > max_len
+        # randomize the length of each part
+        break if (rand(4) == 0)
+      end
+
+      part = str.slice!(0, len)
+
+      var = Rex::Text.rand_text_alpha(4)
+      parts.push( [ var, "#{quote}#{part}#{quote}" ] )
+    end
+
+    parts
+  end
+
+  #
+  # Stolen from obfuscatejs.rb
+  #
+  # Determines the length of an escape sequence
+  #
+  def escape_length(str)
+    esc_len = nil
+    if str[0,1] == "\\"
+      case str[1,1]
+      when "u"; esc_len = 6     # unicode \u1234
+      when "x"; esc_len = 4     # hex, \x41
+      when /[0-7]/              # octal, \123, \0
+        str[1,3] =~ /([0-7]{1,3})/
+        if $1.to_i(8) > 255
+          str[1,3] =~ /([0-7]{1,2})/
+        end
+        esc_len = 1 + $1.length
+      else; esc_len = 2         # \" \n, etc.
+      end
+    end
+    esc_len
+  end
+
+  #
+  # Split a javascript string, +str+, into multiple randomly-ordered parts
+  # and return an anonymous javascript function that joins them in the
+  # correct order.  This method can be called safely on strings containing
+  # escape sequences.  See #safe_split.
+  #
+  def transform_string_split_concat(str, quote)
+    parts = safe_split(str, quote)
+    func = "(function () { var "
+    ret = "; return "
+    parts.sort { |a,b| rand }.each do |part|
+      func << "#{part[0]}=#{part[1]},"
+    end
+    func.chop!
+
+    ret  << parts.map{|part| part[0]}.join("+")
+    final = func + ret + " })()"
+
+    final
+  end
+
+
+  # TODO
+  #def transform_string_unescape(str)
+  #	str
+  #end
+
+  #
+  # Return a call to String.fromCharCode() with each char of the input as arguments
+  #
+  # Example:
+  #   input : "A\n"
+  #   output: String.fromCharCode(0x41, 10)
+  #
+  def transform_string_fromCharCode(str)
+    buf = "String.fromCharCode("
+    bytes = str.unpack("C*")
+    len = 0
+    while str.length > 0
+      if str[0,1] == "\\"
+        str.slice!(0,1)
+        # then this is an escape sequence and we need to deal with all
+        # the special cases
+        case str[0,1]
+        # For chars that contain their non-escaped selves, step past
+        # the backslash and let the rand_base() below decide how to
+        # represent the character.
+        when '"', "'", "\\", " "
+          char = str.slice!(0,1).unpack("C").first
+        # For symbolic escapes, use the known value
+        when "n"; char = 0x0a; str.slice!(0,1)
+        when "t"; char = 0x09; str.slice!(0,1)
+        # Lastly, if it's a hex, unicode, or octal escape, pull out the
+        # real value and use that
+        when "x"
+          # Strip the x
+          str.slice!(0,1)
+          char = str.slice!(0,2).to_i 16
+        when "u"
+          # This can potentially lose information in the case of
+          # characters like \u0041, but since regular ascii is stored
+          # as unicode internally, String.fromCharCode(0x41) will be
+          # represented as 00 41 in memory anyway, so it shouldn't
+          # matter.
+          str.slice!(0,1)
+          char = str.slice!(0,4).to_i 16
+        when /[0-7]/
+          # Octals are a bit harder since they are variable width and
+          # don't necessarily mean what you might think. For example,
+          # "\61" == "1" and "\610" == "10".  610 is a valid octal
+          # number, but not a valid ascii character.  Javascript will
+          # interpreter as much as it can as a char and use the rest
+          # as a literal.  Boo.
+          str =~ /([0-7]{1,3})/
+          char = $1.to_i 8
+          if char > 255
+            str =~ /([0-7]{1,2})/
+            char = $1.to_i 8
+          end
+          str.slice!(0,$1.length)
+        end
+      else
+        char = str.slice!(0,1).unpack("C").first
+      end
+      buf << "#{rand_base(char)},"
+    end
+    # Strip off the last comma
+    buf = buf[0,buf.length-1] + ")"
+    transformed = buf
+
+    transformed
+  end
+
+
+end
+end
+end
+
+
+=begin
+if __FILE__ == $0
+  if ARGV[0]
+    code = File.read(ARGV[0])
+  else
+    #require 'rex/exploitation/javascriptosdetect'
+    #code = Rex::Exploitation::JavascriptOSDetect.new.to_s
+    code = <<-EOS
+      // Should alert "0123456789"
+      var a = "0\\612\\063\\x34\\x35\\x36\\x37\\x38\\u0039";
+      var a,b=2,c=3;
+      alert(a);
+      // should alert "asdfjkl;"
+      var d = (function() { var foo = "jkl;", blah = "asdf"; return blah + foo; })();
+      alert(d);
+    EOS
+  end
+  js = Rex::Exploitation::JSObfu.new(code)
+  js.obfuscate
+  puts js.to_s
+
+end
+
+=end