jsobfu 0.1.0

data/lib/jsobfu/obfuscator.rb

@@ -0,0 +1,144 @@
+require_relative 'ecma_tight'
+
+class JSObfu::Obfuscator < JSObfu::ECMANoWhitespaceVisitor
+
+  # @return [JSObfu::Scope] the scope maintained while walking the ast
+  attr_reader :scope
+
+  # Note: At a high level #renames is not that useful, because var shadowing can
+  # cause multiple variables in different contexts to be mapped separately.
+  # - joev
+
+  # @return [Hash] of original var/fn names to our new random neames
+  attr_reader :renames
+
+  # @param opts [Hash] the options hash
+  # @option opts [JSObfu::Scope] :scope the optional scope to save vars to
+  def initialize(opts={})
+    @scope = opts.fetch(:scope, JSObfu::Scope.new)
+    @renames = {}
+    super()
+  end
+
+  # Maintains a stack of closures that we have visited. This method is called
+  # everytime we visit a nested function.
+  #
+  # Javascript is functionally-scoped, so a function(){} creates its own
+  # unique closure. When resolving variables, Javascript looks "up" the
+  # closure stack, ending up as a property lookup in the global scope
+  # (available as `window` in all browsers)
+  #
+  # This is changed in newer ES versions, where a `let` keyword has been
+  # introduced, which has regular C-style block scoping. We'll ignore this
+  # feature since it is not yet widely used.
+  def visit_SourceElementsNode(o)
+    scope.push!
+
+    hoister = JSObfu::Hoister.new(parent_scope: scope)
+    o.value.each { |x| hoister.accept(x) }
+
+    hoister.scope.keys.each do |key|
+      rename_var(key)
+    end
+
+    ret = super
+    ret = hoister.scope_declaration + ret
+
+    scope.pop!
+
+    ret
+  end
+
+  def visit_FunctionDeclNode(o)
+    o.value = if o.value and o.value.length > 0
+      JSObfu::Utils::random_var_encoding(scope.rename_var(o.value))
+    else
+      if rand(3) != 0
+        JSObfu::Utils::random_var_encoding(scope.random_var_name)
+      end
+    end
+
+    super
+  end
+
+  def visit_FunctionExprNode(o)
+    if o.value != 'function'
+      o.value = JSObfu::Utils::random_var_encoding(rename_var(o.value))
+    end
+
+    super
+  end
+
+  # Called whenever a variable is declared.
+  def visit_VarDeclNode(o)
+    o.name = JSObfu::Utils::random_var_encoding(rename_var(o.name))
+
+    super
+  end
+
+  # Called whenever a variable is referred to (not declared).
+  #
+  # If the variable was never added to scope, it is assumed to be a global
+  # object (like "document"), and hence will not be obfuscated.
+  #
+  def visit_ResolveNode(o)
+    new_val = rename_var(o.value, :generate => false)
+
+    if new_val
+      o.value = JSObfu::Utils::random_var_encoding(new_val)
+      super
+    else
+      # A global is used, at least obfuscate the lookup
+      "window[#{JSObfu::Utils::transform_string(o.value, scope, :quotes => false)}]"
+    end
+  end
+
+  # Called on a dot lookup, like X.Y
+  def visit_DotAccessorNode(o)
+    obf_str = JSObfu::Utils::transform_string(o.accessor, scope, :quotes => false)
+    "#{o.value.accept(self)}[(#{obf_str})]"
+  end
+
+  # Called when a parameter is declared. "Shadowed" parameters in the original
+  # source are preserved - the randomized name is "shadowed" from the outer scope.
+  def visit_ParameterNode(o)
+    o.value = JSObfu::Utils::random_var_encoding(rename_var(o.value))
+
+    super
+  end
+
+  # A property node in an object "{}"
+  def visit_PropertyNode(o)
+    # if it is a non-alphanumeric property, obfuscate the string's bytes
+    if o.name =~ /^[a-zA-Z_][a-zA-Z0-9_]*$/
+       o.instance_variable_set :@name, '"'+JSObfu::Utils::random_string_encoding(o.name)+'"'
+    end
+
+    super
+  end
+
+  def visit_NumberNode(o)
+    o.value = JSObfu::Utils::transform_number(o.value)
+    super
+  end
+
+  def visit_StringNode(o)
+    o.value = JSObfu::Utils::transform_string(o.value, scope)
+    super
+  end
+
+  def visit_TryNode(o)
+    if o.catch_block
+      o.instance_variable_set :@catch_var, rename_var(o.catch_var)
+    end
+    super
+  end
+
+  protected
+
+  # Assigns the var +var_name+ a new obfuscated name
+  def rename_var(var_name, opts={})
+    @renames[var_name] = scope.rename_var(var_name, opts)
+  end
+
+end

data/lib/jsobfu/scope.rb

@@ -0,0 +1,148 @@
+require_relative 'utils'
+require 'set'
+
+# A single Javascript scope, used as a key-value store
+# to maintain uniqueness of members in generated closures.
+# For speed this class is implemented as a subclass of Hash.
+class JSObfu::Scope < Hash
+
+  # these keywords should never be used as a random var name
+  # source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Reserved_Words
+  RESERVED_KEYWORDS = %w(
+    break case catch continue debugger default delete do else finally
+    for function if in instanceof new return switch this throw try
+    typeof var void while with class enum export extends import super
+    implements interface let package private protected public static yield
+    const let
+  )
+
+  # these vars should not be shadowed as they in the exploit code,
+  # and generating them would cause problems.
+  BUILTIN_VARS = %w(
+    String window unescape location chrome document navigator location
+    frames ActiveXObject XMLHttpRequest Function eval Object Math CSS
+    parent opener event frameElement Error TypeError setTimeout setInterval
+    top arguments Array Date
+  )
+  
+  # @return [JSObfu::Scope] parent that spawned this scope
+  attr_accessor :parent
+
+  # @return [Hash] mapping old var names to random ones
+  attr_accessor :renames
+
+  # @param [Hash] opts the options hash
+  # @option opts [Rex::Exploitation::JSObfu::Scope] :parent an optional parent scope,
+  #   sometimes necessary to prevent needless var shadowing
+  # @option opts [Integer] :min_len minimum length of the var names
+  def initialize(opts={})
+    @parent         = opts[:parent]
+    @first_char_set = opts[:first_char_set] || [*'A'..'Z']+[*'a'..'z']+['_', '$']
+    @char_set       = opts[:first_char_set] || @first_char_set + [*'0'..'9']
+    @min_len        = opts[:min_len] || 1
+    @renames        = {}
+  end
+
+  # Generates a unique, "safe" random variable
+  # @return [String] a unique random var name that is not a reserved keyword
+  def random_var_name
+    len = @min_len
+    loop do
+      text = random_string(len)
+      unless has_key?(text) or
+        RESERVED_KEYWORDS.include?(text) or
+        BUILTIN_VARS.include?(text)
+
+        self[text] = nil
+
+        return text
+      end
+      len += 1
+    end
+  end
+
+  # Re-maps your +var_name+ to a unique, random
+  # names in the current scope
+  #
+  # @param var_name [String] the name you want to replace. This
+  #   name will be remembered in the #renames hash
+  # @param opts [Hash] the options hash
+  # @option opts [Boolean] :generate if the variable was not
+  #   explicitly renamed before, in this scope or any parent
+  #   scope, generate a new random name
+  #
+  # @return [String] the randomly generated replacement name
+  # @return nil if generate=false and +var_name+ was not already replaced
+  def rename_var(var_name, opts={})
+    return var_name if BUILTIN_VARS.include?(var_name)
+
+    generate = opts.fetch(:generate, true)
+    unresolved = opts.fetch(:unresolved, [])
+    renamed = @renames[var_name]
+
+    if renamed.nil? and parent
+      renamed = parent.rename_var(var_name, :generate => false)
+    end
+
+    if renamed.nil? and generate
+      @renames[var_name] = random_var_name
+      renamed = @renames[var_name]
+    end
+
+    #puts "Mapped #{var_name} => #{renamed}" if renamed
+
+    renamed
+  end
+
+  # @return [Boolean] scope has members
+  def empty?
+    self.keys.empty? and (parent.nil? or parent.empty?)
+  end
+
+  # @return [Boolean] scope has no parent
+  def top?
+    parent.nil?
+  end
+
+  def top
+    p = self
+    p = p.parent until p.parent.nil?
+    p
+  end
+
+  # Check if we've used this var before. This will also check any
+  # attached parent scopes (and their parents, recursively)
+  #
+  # @return [Boolean] whether var is in scope
+  def has_key?(key)
+    super or (parent and parent.has_key?(key))
+  end
+
+  # replaces this Scope in the "parent" chain with a copy,
+  # empties current scope, and returns. Essentially an in-place
+  # push operation
+  def push!
+    replacement = dup
+    replacement.parent = @parent
+    replacement.renames = @renames
+    @renames = {}
+    @parent = replacement
+    clear
+  end
+
+  # "Consumes" the parent and replaces self with it
+  def pop!
+    clear
+    if @parent
+      merge! @parent
+      @renames = @parent.renames
+      @parent = @parent.parent
+    end
+  end
+
+  # @return [String] a random string that can be used as a var
+  def random_string(len)
+    @first_char_set.sample + (len-1).times.map { @char_set.sample }.join
+  end
+
+end

data/lib/jsobfu/utils.rb

@@ -0,0 +1,366 @@
+#
+# Some quick utility functions to minimize dependencies
+#
+module JSObfu::Utils
+
+  #
+  # The maximum length of a string that can be passed through
+  # #transform_string without being chopped up into separate
+  # expressions and concatenated
+  #
+  MAX_STRING_CHUNK = 10000
+
+  ALPHA_CHARSET = ([*'A'..'Z']+[*'a'..'z']).freeze
+  ALPHANUMERIC_CHARSET = (ALPHA_CHARSET+[*'0'..'9']).freeze
+
+  # For escaping special chars in a Javascript quoted string
+  JS_ESCAPE_MAP = { '\\' => '\\\\', "\r\n" => '\n', "\n" => '\n', "\r" => '\n', '"' => '\\"', "'" => "\\'" }
+
+  # Returns a random alphanumeric string of the desired length
+  #
+  # @param [Integer] len the desired length
+  # @return [String] random a-zA-Z0-9 text
+  def self.rand_text_alphanumeric(len)
+    rand_text(ALPHANUMERIC_CHARSET, len)
+  end
+
+  # Returns a random alpha string of the desired length
+  #
+  # @param [Integer] len the desired length
+  # @return [String] random a-zA-Z text
+  def self.rand_text_alpha(len)
+    rand_text(ALPHA_CHARSET, len)
+  end
+
+  # Returns a random string of the desired length in the desired charset
+  #
+  # @param [Array] charset the available chars
+  # @param [Integer] len the desired length
+  # @return [String] random text
+  def self.rand_text(charset, len)
+    len.times.map { charset.sample }.join
+  end
+
+  # Encodes the bytes in +str+ as hex literals, each preceded by +delimiter+
+  #
+  # @param [String] str the string to encode
+  # @param [String] delimiter prepended to every hex byte
+  # @return [String] hex encoded copy of str
+  def self.to_hex(str, delimiter="\\x")
+    str.bytes.to_a.map { |byte| delimiter+byte.to_s(16) }.join
+  end
+
+  # @param [String] code a quoted Javascript string
+  # @return [String] containing javascript code that wraps +code+ in a
+  # call to +eval+. A random eval method is chosen.
+  def self.js_eval(code, scope)
+    code = '"' + escape_javascript(code) + '"'
+    ret_statement = random_string_encoding 'return '
+    case rand(7)
+      when 0; "window[#{transform_string('eval', scope, :quotes => false)}](#{code})"
+      when 1; "[].constructor.constructor(\"#{ret_statement}\"+#{code})()"
+      when 2; "(function(){}).constructor('', \"#{ret_statement}\"+#{code})()"
+      when 3; "''.constructor.constructor('', \"#{ret_statement}\"+#{code})()"
+      when 4; "Function(\"#{random_string_encoding 'eval'}\")()(#{code})"
+      when 5; "Function(\"#{ret_statement}\"+#{code})()"
+      when 6; "Function()(\"#{ret_statement}\"+#{code})()"
+    end + ' '
+  end
+
+  #
+  # Convert a number to a random base (decimal, octal, or hexedecimal).
+  #
+  # Given 10 as input, the possible return values are:
+  #   "10"
+  #   "0xa"
+  #   "012"
+  #
+  # @param num [Integer] number to convert to random base
+  # @return [String] equivalent encoding in a different base
+  #
+  def self.rand_base(num)
+    case rand(3)
+    when 0; num.to_s
+    when 1; "0%o" % num
+    when 2; "0x%x" % num
+    end
+  end
+
+  # In Javascript, it is possible to refer to the same var in a couple
+  # different ways:
+  #
+  #  var AB = 1;
+  #  console.log(\u0041\u0042); // prints "1"
+  #
+  # @return [String] equivalent variable name
+  def self.random_var_encoding(var_name)
+    if var_name.length < 3 and rand(6) == 0
+      to_hex(var_name, "\\u00")
+    else
+      var_name
+    end
+  end
+
+  # Given a Javascript string +str+ with NO escape characters, returns an
+  #  equivalent string with randomly escaped bytes
+  #
+  # @return [String] Javascript string with a randomly-selected encoding
+  # for every byte
+  def self.random_string_encoding(str)
+    encoded = ''
+    str.unpack("C*") { |c|
+      encoded << case rand(3)
+        when 0; "\\x%02x"%(c)
+        when 1; "\\#{c.to_s(8)}"
+        when 2; "\\u%04x"%(c)
+        when 3; [c].pack("C")
+      end
+    }
+    encoded
+  end
+
+  # Taken from Rails ActionView: http://api.rubyonrails.org/classes/ActionView/Helpers/JavaScriptHelper.html
+  #
+  # @return [String] +javascript+ with special chars (newlines, quotes) escaped correctly
+  def self.escape_javascript(javascript)
+    javascript.gsub(/(\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] }
+  end
+
+  #
+  # Return a mathematical expression that will evaluate to the given number
+  # +num+.
+  #
+  # +num+ can be a float or an int, but should never be negative.
+  #
+  def self.transform_number(num)
+    case num
+    when Fixnum
+      if num == 0
+        r = rand(10) + 1
+        transformed = "('#{JSObfu::Utils.rand_text_alpha(r)}'.length-#{r})"
+      elsif num > 0 and num < 10
+        # use a random string.length for small numbers
+        transformed = "'#{JSObfu::Utils.rand_text_alpha(num)}'.length"
+      else
+        transformed = "("
+        divisor = rand(num) + 1
+        a = num / divisor.to_i
+        b = num - (a * divisor)
+        # recurse half the time for a
+        a = (rand(2) == 0) ? transform_number(a) : rand_base(a)
+        # recurse half the time for divisor
+        divisor = (rand(2) == 0) ? transform_number(divisor) : rand_base(divisor)
+        transformed << "#{a}*#{divisor}"
+        transformed << "+#{b}"
+        transformed << ")"
+      end
+    when Float
+      transformed = "(#{num-num.floor}+#{rand_base(num.floor)})"
+    end
+
+    transformed
+  end
+
+  #
+  # Convert a javascript string into something that will generate that string.
+  #
+  # Randomly calls one of the +transform_string_*+ methods
+  #
+  # @param str [String] the string to transform
+  # @param scope [Scope] the scope to use for variable allocation
+  # @param opts [Hash] an optional options hash
+  # @option opts :quotes [Boolean] str includes quotation marks (true)
+  def self.transform_string(str, scope, opts={})
+    includes_quotes = opts.fetch(:quotes, true)
+    str = str.dup
+    quote = includes_quotes ? str[0,1] : '"'
+
+    if includes_quotes
+      str = str[1,str.length - 2]
+      return quote*2 if str.length == 0
+    end
+
+    if str.length > MAX_STRING_CHUNK
+      return safe_split(str, :quote => quote).map { |arg| transform_string(arg, scope) }.join('+')
+    end
+
+    case rand(2)
+    when 0
+      transform_string_split_concat(str, quote, scope)
+    when 1
+      transform_string_fromCharCode(str)
+    end
+  end
+
+  #
+  # Split a javascript string, +str+, without breaking escape sequences.
+  #
+  # The maximum length of each piece of the string is half the total length
+  # of the string, ensuring we (almost) always split into at least two
+  # pieces.  This won't always be true when given a string like "AA\x41",
+  # where escape sequences artificially increase the total length (escape
+  # sequences are considered a single character).
+  #
+  # Returns an array of two-element arrays.  The zeroeth element is a
+  # randomly generated variable name, the first is a piece of the string
+  # contained in +quote+s.
+  #
+  # See #escape_length
+  #
+  # @param str [String] the String to split
+  # @param opts [Hash] the options hash
+  # @option opts [String] :quote the quoting character ("|')
+  #
+  # @return [Array] 2d array series of [[var_name, string], ...]
+  #
+  def self.safe_split(str, opts={})
+    quote = opts.fetch(:quote)
+
+    parts = []
+    max_len = str.length / 2
+    while str.length > 0
+      len = 0
+      loop do
+        e_len = escape_length(str[len..-1])
+        e_len = 1 if e_len.nil?
+        len += e_len
+        # if we've reached the end of the string, bail
+        break unless str[len]
+        break if len > max_len
+        # randomize the length of each part
+        break if (rand(max_len) == 0)
+      end
+
+      part = str.slice!(0, len)
+
+      parts.push("#{quote}#{part}#{quote}")
+    end
+
+    parts
+  end
+
+  #
+  # Stolen from obfuscatejs.rb
+  # Determines the length of an escape sequence
+  #
+  # @param str [String] the String to check the length on
+  # @return [Integer] the length of the character at the head of the string
+  #
+  def self.escape_length(str)
+    esc_len = nil
+    if str[0,1] == "\\"
+      case str[1,1]
+      when "u"; esc_len = 6     # unicode \u1234
+      when "x"; esc_len = 4     # hex, \x41
+      when /[0-7]/              # octal, \123, \0
+        str[1,3] =~ /([0-7]{1,3})/
+        if $1.to_i(8) > 255
+          str[1,3] =~ /([0-7]{1,2})/
+        end
+        esc_len = 1 + $1.length
+      else; esc_len = 2         # \" \n, etc.
+      end
+    end
+    esc_len
+  end
+
+  #
+  # Split a javascript string, +str+, into multiple randomly-ordered parts
+  # and return an anonymous javascript function that joins them in the
+  # correct order.  This method can be called safely on strings containing
+  # escape sequences.  See #safe_split.
+  #
+  def self.transform_string_split_concat(str, quote, scope)
+    parts = safe_split(str, :quote => quote).map {|s| [scope.random_var_name, s] }
+    func = "(function () { var "
+    ret = "; return "
+    parts.sort { |a,b| rand }.each do |part|
+      func << "#{part[0]}=#{part[1]},"
+    end
+    func.chop!
+
+    ret  << parts.map{|part| part[0]}.join("+")
+    final = func + ret + " })()"
+
+    final
+  end
+
+  #
+  # Return a call to String.fromCharCode() with each char of the input as arguments
+  #
+  # Example:
+  #   input : "A\n"
+  #   output: String.fromCharCode(0x41, 10)
+  #
+  # @param str [String] the String to transform (with no quotes)
+  # @return [String] Javascript code that evaluates to #str
+  #
+  def self.transform_string_fromCharCode(str)
+    "String.fromCharCode(#{string_to_bytes(str)})"
+  end
+
+  #
+  # Converts a string to a series of byte values
+  #
+  # @param str [String] the Javascript string to encode (no quotes)
+  # @return [String] containing a comma-separated list of byte values
+  # with random encodings (decimal/hex/octal)
+  #
+  def self.string_to_bytes(str)
+    len = 0
+    bytes = str.unpack("C*")
+    encoded_bytes = []
+
+    while str.length > 0
+      if str[0,1] == "\\"
+        str.slice!(0,1)
+        # then this is an escape sequence and we need to deal with all
+        # the special cases
+        case str[0,1]
+        # For chars that contain their non-escaped selves, step past
+        # the backslash and let the rand_base() below decide how to
+        # represent the character.
+        when '"', "'", "\\", " "
+          char = str.slice!(0,1).unpack("C").first
+        # For symbolic escapes, use the known value
+        when "n"; char = 0x0a; str.slice!(0,1)
+        when "t"; char = 0x09; str.slice!(0,1)
+        # Lastly, if it's a hex, unicode, or octal escape, pull out the
+        # real value and use that
+        when "x"
+          # Strip the x
+          str.slice!(0,1)
+          char = str.slice!(0,2).to_i 16
+        when "u"
+          # This can potentially lose information in the case of
+          # characters like \u0041, but since regular ascii is stored
+          # as unicode internally, String.fromCharCode(0x41) will be
+          # represented as 00 41 in memory anyway, so it shouldn't
+          # matter.
+          str.slice!(0,1)
+          char = str.slice!(0,4).to_i 16
+        when /[0-7]/
+          # Octals are a bit harder since they are variable width and
+          # don't necessarily mean what you might think. For example,
+          # "\61" == "1" and "\610" == "10".  610 is a valid octal
+          # number, but not a valid ascii character.  Javascript will
+          # interpreter as much as it can as a char and use the rest
+          # as a literal.  Boo.
+          str =~ /([0-7]{1,3})/
+          char = $1.to_i 8
+          if char > 255
+            str =~ /([0-7]{1,2})/
+            char = $1.to_i 8
+          end
+          str.slice!(0, $1.length)
+        end
+      else
+        char = str.slice!(0,1).unpack("C").first
+      end
+      encoded_bytes << rand_base(char) if char
+    end
+
+    encoded_bytes.join(',')
+  end
+
+end