
module Rex
module Exploitation

#
# Encrypts javascript code
#
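class EncryptJS
	#
	# Encrypts a javascript string.
	#
	# Encrypts a javascript string via XOR using a given key and wraps the
	# result in a small javascript loader that decodes and evaluates it.
	# The key itself is not part of the returned loader: at runtime the
	# loader reads it from "location.search.substring(1)", so the caller
	# has to deliver the key through the URL query string (see the second
	# example below).
	#
	# This should bypass any detection of the file itself
	# as information not part of the file is needed to
	# decrypt the original javascript code.
	#
	# The loader uses the query string verbatim (no URL decoding), so +key+
	# should consist of characters that survive a URL unchanged, e.g.
	# alphanumerics. An empty key is rejected here because the loader's
	# "i % pass.length" would be a division by zero on the client side.
	#
	# Example:
	# <code>
	# js = <<ENDJS
	#     function say_hi() {
	#         var foo = "Hello, world";
	#         document.writeln(foo);
	#     }
	# ENDJS
	# key = 'secret'
	# js_encrypted = EncryptJS.encrypt(js, key)
	# </code>
	#
	# You might use something like this in exploit
	# modules to pass the key to the javascript
	# <code>
	# if (!request.uri.match(/\?\w+/))
	#	  send_local_redirect(cli, "?#{@key}")
	#	  return
	# end
	# </code>
	#
	# @param js  [String] javascript source to encrypt; line breaks are
	#                     dropped from the encoded copy, the caller's string
	#                     is left unmodified
	# @param key [String] XOR key; the client needs the same key at runtime
	# @return [String] obfuscated javascript loader carrying the hex-encoded,
	#                  XORed source
	# @raise [ArgumentError] if +key+ is nil or empty
	#
	def self.encrypt(js, key)
		raise ArgumentError, 'key must not be empty' if key.to_s.empty?

		# Non-destructive gsub: the original used gsub! and silently rewrote
		# the caller's string (and would fail on a frozen one).
		stripped = js.gsub(/[\r\n]/, '')

		# XOR with the key, then hex-encode so the result fits in a JS string literal
		encoded = Rex::Encoding::Xor::Generic.encode(stripped, key)[0].unpack("H*")[0]

		# obfuscate the eval call to circumvent generic detection
		# (the inserted upper-case padding is stripped again by the JS replace call)
		eval_ident = 'eval'.split(//).join(Rex::Text.rand_text_alpha(rand(5)).upcase)
		eval_call = 'window["' + eval_ident + '".replace(/[A-Z]/g,"")]'

		# Loader: hex-decode the payload, XOR it with the key taken from the
		# query string (repeated every pass.length characters), then evaluate it.
		js_loader = Rex::Exploitation::ObfuscateJS.new <<-ENDJS
		var exploit = '#{encoded}';
		var encoded = '';
		for (i = 0;i<exploit.length;i+=2) {
			encoded += String.fromCharCode(parseInt(exploit.substring(i, i+2), 16));
		}
		var pass = location.search.substring(1);
		var decoded = '';
		for (i=0;i<encoded.length;i++) {
			decoded += String.fromCharCode(encoded.charCodeAt(i) ^ pass.charCodeAt(i%pass.length));
		}
		#{eval_call}(decoded);
		ENDJS

		# Rename the loader's variables; 'Strings' => false presumably keeps the
		# string literals (hex payload, eval call) untouched -- verify against ObfuscateJS.
		js_loader.obfuscate(
			'Symbols' => {
				'Variables' => [ 'exploit', 'encoded', 'pass', 'decoded' ],
			},
			'Strings' => false
		)
	end

end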

end
end
