I released jsunpack-n version 0.1b today (get source code from http://jsunpack.jeek.org/jsunpack-n.tgz). While this code is still being released as alpha/unstable, there are some great new features in this edition.
For example, try to decode the sample-pdf.pcap file included with the distribution and you will notice that I've added not only PDF decoding, but minimal PDF CVE signatures.
$ ./jsunpack-n.py sample-pdf.pcap
decoded 25275 bytes in pdf
[0] decoded 25275 trughtsa.com/img/pfqa.php
[1] decoded 7627 trughtsa.com/img/pfqa.php
Match signature [CVE-2007-5659] Collab.collectEmailInfo
Match signature [CVE-2007-5659] Collab.getIcon
Match signature [CVE-2008-2992] util.printf
Match signature [CVE-2009-1493] spell.customDictionaryOpen
Match signature [CVE-2009-1492] getAnnots
I hope you enjoy all of the new features in this update. As always, I like feedback, so send me an email at blake_at_jeek_org.
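Each signature match in the output above pairs a CVE label with an Acrobat JavaScript API name. The following Python is an added illustration of name-based matching over already-decoded script, not jsunpack-n's own code or rule format; the labels and names are copied from that output, while the comment stripping, the bracket-notation handling and the sample script are assumptions constructed for the example.

```python
import re

# (label, object, method) as printed in the output above; object None = bare method name.
SIGNATURES = [
    ("CVE-2007-5659", "Collab", "collectEmailInfo"),
    ("CVE-2007-5659", "Collab", "getIcon"),
    ("CVE-2008-2992", "util", "printf"),
    ("CVE-2009-1493", "spell", "customDictionaryOpen"),
    ("CVE-2009-1492", None, "getAnnots"),
]

# Match string literals and comments in one pass so "//" inside a string is not a comment.
_TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|/\*.*?\*/|//[^\n]*''', re.S)

def strip_comments(js):
    """Blank out comments but keep string literals (they may be evaluated later)."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] in "\"'" else " ", js)

def member_pattern(obj, method):
    """Match obj.method or obj["method"], tolerating whitespace; bare names match as a word."""
    m = re.escape(method)
    if obj is None:
        return re.compile(r"\b" + m + r"\b")
    access = r"(?:\.\s*" + m + r"\b|\[\s*(['\"])" + m + r"\1\s*\])"
    return re.compile(r"\b" + re.escape(obj) + r"\s*" + access)

def scan(js):
    """Return (label, name) for each signature found, in SIGNATURES order."""
    code = strip_comments(js)
    hits = []
    for label, obj, method in SIGNATURES:
        if member_pattern(obj, method).search(code):
            hits.append((label, (obj + "." if obj else "") + method))
    return hits

# Constructed sample: harmless calls that only exercise the name matching.
SAMPLE = '''
// Collab.collectEmailInfo is only mentioned in this comment
var u = "http://example.invalid/a"; util.printf("%d", 1);
Collab [ "getIcon" ]("x");
/* spell.customDictionaryOpen */ var a = this.getAnnots({nPage: 0});
'''

if __name__ == "__main__":
    for label, name in scan(SAMPLE):
        print("Match signature [%s] %s" % (label, name))
```

Name matching of this kind only works on script that has already been decoded, and a hit means the API is referenced, not that the call is exploitable.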
jsunpack-n can also decode local files if they contain JavaScript but are not pcap files.
$ ./jsunpack-n.py
jsunpack-network version 0.1b (alpha)
Usage: ./jsunpack-n.py [fileName] or ./jsunpack-n.py [interfaceName]
[fileName] can be either a [pcap] or [file that contains JavaScript to decode]