Wednesday, June 24, 2009

Jsunpack-n updates for PDF decoding, improved HTTP handling, dynamic JavaScript and Logging

Hey everyone,
I released jsunpack-n version 0.1b today (get source code from http://jsunpack.jeek.org/jsunpack-n.tgz). While this code is still being released as alpha/unstable, there are some great new features in this edition.

For example, try to decode the sample-pdf.pcap file included with the distribution and you will notice that I've added not only PDF decoding, but also minimal PDF CVE signatures.

    $ ./jsunpack-n.py sample-pdf.pcap
    decoded 25275 bytes in pdf
    [0] decoded 25275 trughtsa.com/img/pfqa.php
    [1] decoded 7627 trughtsa.com/img/pfqa.php
    Match signature [CVE-2007-5659] Collab.collectEmailInfo
    Match signature [CVE-2007-5659] Collab.getIcon
    Match signature [CVE-2008-2992] util.printf
    Match signature [CVE-2009-1493] spell.customDictionaryOpen
    Match signature [CVE-2009-1492] getAnnots
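
The two steps visible in that output (decode the PDF, then match signatures) can be sketched as follows. This is an added example, not jsunpack-n's own code: the CVE ids and API names come from the output above, while the regexes, function names and the sample PDF are constructed for illustration.

```python
import re
import zlib

# CVE ids and API names are taken from the output above; the regexes are assumptions.
SIGNATURES = [
    ("CVE-2007-5659", "Collab.collectEmailInfo", r"Collab\s*\.\s*collectEmailInfo\s*\("),
    ("CVE-2007-5659", "Collab.getIcon", r"Collab\s*\.\s*getIcon\s*\("),
    ("CVE-2008-2992", "util.printf", r"util\s*\.\s*printf\s*\("),
    ("CVE-2009-1493", "spell.customDictionaryOpen", r"spell\s*\.\s*customDictionaryOpen\s*\("),
    ("CVE-2009-1492", "getAnnots", r"\bgetAnnots\s*\("),
]

# Body of every "stream ... endstream" pair; the lookbehind skips the tail of "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def decode_streams(pdf_bytes):
    """Yield each stream as text, inflating it when it is zlib (FlateDecode) data."""
    for match in STREAM_RE.finditer(pdf_bytes):
        body = match.group(1)
        try:
            # decompressobj tolerates the newline left between the data and "endstream"
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not FlateDecode: scan the raw bytes instead
        yield body.decode("latin-1")


def match_signatures(pdf_bytes):
    """Return (cve, api_name) pairs found in any decoded stream, in table order."""
    found = set()
    for text in decode_streams(pdf_bytes):
        for cve, name, pattern in SIGNATURES:
            if re.search(pattern, text):
                found.add((cve, name))
    return [(cve, name) for cve, name, _ in SIGNATURES if (cve, name) in found]


def build_sample_pdf():
    """Constructed, harmless sample: one compressed stream calling two of the APIs."""
    js = b"var a = this.getAnnots({nPage: 0}); util.printf('%d', a.length);"
    packed = zlib.compress(js)
    header = b"1 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
    return b"%PDF-1.4\n" + header + packed + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for cve, name in match_signatures(build_sample_pdf()):
        print("Match signature [%s] %s" % (cve, name))
```

Scanning the file without the inflate step would miss both calls in the sample, because the script text only exists after the stream is decompressed.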


I hope you enjoy all of the new features in this update. As always, I like feedback, so send me an email at blake_at_jeek_org.

1 comment:

  1. jsunpack-n can also decode local files if they contain JavaScript but are not pcap files.

    $ ./jsunpack-n.py
    jsunpack-network version 0.1b (alpha)
    Usage: ./jsunpack-n.py [fileName] or ./jsunpack-n.py [interfaceName]
    [fileName] can be either a [pcap] or [file that contains JavaScript to decode]
