Tuesday, June 30, 2009

Jsunpack-n update: Automatic shellcode detection and other improvements

Hey guys,
I just released jsunpack-n version 0.1c. This release introduces JavaScript variable enumeration using a new file, "post.js". Get the source code here.

Check out the new output for the sample-pdf.pcap included in the archive:

$ ./jsunpack-n.py sample-pdf.pcap
[0] decoded 25275 trughtsa.com/img/pfqa.php
[1] decoded 12269 trughtsa.com/img/pfqa.php
identified shellcode of length 1533
XOR key [shellcode]: 33
exploit_watch append [shellcode] http://trughtsa.com/img/uet.php
Match signature [CVE-2007-5659] Collab.collectEmailInfo
Match signature [CVE-2009-0927] Collab.getIcon
Match signature [CVE-2008-2992] util.printf
Match signature [CVE-2009-1493] spell.customDictionaryOpen
Match signature [CVE-2009-1492] getAnnots

undefined variable s fixing


Notice how jsunpack-n identified the shellcode, identified that it uses an XOR key of 33, and determined the URL that the shellcode presumably tries to download and execute. This URL is automatically added to the exploit_watch variable, so that a new alert will result if the victim downloads that file.
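To make the XOR step concrete, here is an added example (not jsunpack-n's own code, and not necessarily the method it uses): a single-byte XOR key search over a buffer that reports any key under which an http(s) URL appears. The sample buffer, its filler bytes, the example.test URL, and the function names are constructed for illustration, and the key 33 is treated as decimal as an assumption.

```python
import re

# Printable http(s) URL; the match stops at the first byte outside this set
# (for example the NUL that terminates a C string inside shellcode).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]{4,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_urls(blob: bytes):
    """Try every non-zero single-byte key and return (key, url) pairs
    for each key whose decoded output contains an http(s) URL."""
    hits = []
    for key in range(1, 256):  # key 0 would mean the URL is already cleartext
        decoded = xor_bytes(blob, key)
        for match in URL_RE.finditer(decoded):
            hits.append((key, match.group().decode("ascii")))
    return hits


def build_sample(key: int = 33) -> bytes:
    """Constructed sample: filler bytes standing in for a decoder stub,
    followed by an XOR-encoded body that holds a download URL."""
    stub = b"\x90" * 8  # filler only, not real shellcode
    body = b"\x00urlmon.dll\x00http://example.test/payload.bin\x00"
    return stub + xor_bytes(body, key)


def watch_list(blob: bytes):
    """URLs to alert on later, in the spirit of the exploit_watch output."""
    return sorted({url for _key, url in find_xor_urls(blob)})


if __name__ == "__main__":
    for key, url in find_xor_urls(build_sample()):
        print("XOR key:", key, "URL:", url)
```

A match on more than one key is possible on real data, so treat each hit as a candidate to confirm rather than a verdict.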

Another great feature is default definitions for undefined variables, indicated in the debug output above by "undefined variable s fixing".

Yet another feature: evaluation timeouts prevent infinite loops and stop scripts that consume too much time, CPU, or memory.
