Friday, September 18, 2009

Jsunpack-n update v0.1f: Active Mode and Client version Enumeration

Attackers frequently try to hide their exploits behind version detection: they profile the client software (browser or PDF reader) and only launch the exploit or decode the payload if the client reports a vulnerable version. To counteract this, jsunpack-n now evaluates each script under several different client version strings and keeps the best result.

More signatures and better PDF decoding (pdf.py), now with ASCII85Decode support!

I also added active mode (-a), which fetches any [not analyzed] URLs and can be used with URL fetching (-u):
$ ./jsunpack-n.py -u "www.bbkmobile.com" -a
URL fetch www.bbkmobile.com
      (referer=www.google.com/trends/hottrends)
      saved 1647 bytes to ./files/fetch_b8df4c6607205922a41d6448de0dda45d3885951

Active Mode, fetching x new URLs
      [...cut...]

[nothing detected;children=malicious:10] (script) www.bbkmobile.com/
      [suspicious:5] (script) www.crcf.org.cn/logo.gif?b
            suspicious: DecodedIframe detected <iframe
            [nothing detected;children=malicious:10] (iframe) knownsec.7766.org/wwj2/1.htm?
[...cut...]


More info from the CHANGELOG:

Updates 2009-09-18 version 0.1f
1) active fetching of URLs with -a, and evaluation of URLs given with -u; use both (-u URL and -a) for purely active analysis
2) evaluation of multiple different client version strings:
2a) version enumeration: Adobe Reader for PDF
2b) version enumeration: IE7, IE8, Firefox, Opera
2c) cumulative evaluation time limits per decoding, and inference of code coverage based upon evaluation time
3) added pdf decoding support for ASCII85Decode and made other improvements to pdf decoding
4) rules updates
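To show what the ASCII85Decode support in item 3 (and the Ascii85Decode mention above) actually involves, here is a small stand-alone decoder for that PDF filter. This is example code added for this page, not jsunpack-n's pdf.py; the PDF fragment it parses is constructed, and the function names (ascii85_decode, decode_pdf_streams, matches_stdlib) are my own. It handles the details a malware PDF can lean on to trip a naive decoder: the optional "<~" prefix, the "~>" end-of-data marker, whitespace scattered through the stream, the "z" shortcut for four zero bytes, and a partial final group.

```python
"""ASCII85Decode filter decoder for PDF streams (constructed example, not jsunpack-n code)."""
import base64
import re

# Stream objects: a dictionary, the keyword "stream", the body, then "endstream".
# Constructed for this example; real PDFs also nest dictionaries and use xref offsets.
STREAM_RE = re.compile(
    rb"<<(?P<dict>.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.DOTALL
)

# Constructed sample: object 4 is ASCII85-encoded, object 5 is unfiltered.
# "<~9jqo^z9jqo~>" encodes b"Man " + four zero bytes + b"Man".
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Length 14 /Filter /ASCII85Decode >>\nstream\n"
    b"<~9jqo^z9jqo~>\n"
    b"endstream\nendobj\n"
    b"5 0 obj\n<< /Length 5 >>\nstream\nplain\nendstream\nendobj\n"
)


def _group_to_bytes(group, nbytes):
    """Turn up to five base-85 digits into a 32-bit value and keep nbytes of it."""
    value = 0
    for digit in group:
        value = value * 85 + digit
    if value > 0xFFFFFFFF:
        raise ValueError("ASCII85 group overflows 32 bits")
    return value.to_bytes(4, "big")[:nbytes]


def ascii85_decode(data: bytes) -> bytes:
    """Decode an ASCII85 stream as used by the PDF ASCII85Decode filter."""
    # Data ends at the "~>" marker; PDF allows whitespace anywhere, so drop it all.
    body = data.split(b"~>", 1)[0]
    body = re.sub(rb"\s+", b"", body)
    if body.startswith(b"<~"):
        body = body[2:]

    out = bytearray()
    group = []  # digit values (0..84) of the current five-character group
    for ch in body:
        if ch == ord("z"):
            # "z" abbreviates a whole group of four zero bytes; it is only legal between groups.
            if group:
                raise ValueError("'z' inside an ASCII85 group")
            out += b"\x00\x00\x00\x00"
            continue
        if not 33 <= ch <= 117:  # valid digits are '!' .. 'u'
            raise ValueError(f"invalid ASCII85 character {ch!r}")
        group.append(ch - 33)
        if len(group) == 5:
            out += _group_to_bytes(group, 4)
            group = []

    # A partial final group of n chars (2..4) encodes n-1 bytes; pad with 'u' (84).
    if group:
        if len(group) == 1:
            raise ValueError("dangling single ASCII85 character")
        n = len(group)
        group += [84] * (5 - n)
        out += _group_to_bytes(group, n - 1)
    return bytes(out)


def decode_pdf_streams(pdf: bytes) -> list:
    """Return (filter_chain, data) for each stream; only a leading ASCII85Decode is undone."""
    results = []
    for m in STREAM_RE.finditer(pdf):
        filters = re.findall(rb"/(\w+Decode)\b", m.group("dict"))
        body = m.group("body")
        if filters and filters[0] == b"ASCII85Decode":
            body = ascii85_decode(body)
        results.append((filters, body))
    return results


def matches_stdlib(encoded: bytes) -> bool:
    """Cross-check against the standard library's Adobe-style decoder."""
    return ascii85_decode(encoded) == base64.a85decode(encoded, adobe=True)


if __name__ == "__main__":
    for filters, data in decode_pdf_streams(SAMPLE_PDF):
        print(filters, data)  # [b'ASCII85Decode'] b'Man \x00\x00\x00\x00Man' / [] b'plain'
```

Only the first filter of a chain is undone here; a real decoder loops over the whole /Filter array (ASCII85Decode is commonly stacked on top of FlateDecode), and that is exactly the layering that hides JavaScript from a grep of the raw file.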

Get it here!
