Tuesday, June 30, 2009

Jsunpack-n update: Automatic shellcode detection and other improvements

Hey guys,
I just released jsunpack-n version 0.1c. This release introduces JavaScript variable enumeration using a new file "post.js". get the source code here

Check out the new output for the sample-pdf.pcap included in the archive:

$ ./jsunpack-n.py sample-pdf.pcap
[0] decoded 25275 trughtsa.com/img/pfqa.php
[1] decoded 12269 trughtsa.com/img/pfqa.php
identified shellcode of length 1533
XOR key [shellcode]: 33
exploit_watch append [shellcode] http://trughtsa.com/img/uet.php
Match signature [CVE-2007-5659] Collab.collectEmailInfo
Match signature [CVE-2009-0927] Collab.getIcon
Match signature [CVE-2008-2992] util.printf
Match signature [CVE-2009-1493] spell.customDictionaryOpen
Match signature [CVE-2009-1492] getAnnots

undefined variable s fixing

Notice how jsunpack-n identified the shellcode, identified that it uses an XOR key of 33, and determined the URL that the shellcode presumably tries to download and execute. This URL is automatically added to the exploit_watch variable, so that a new alert will result if the victim downloads that file.

Other great features, such as default definitions for undefined variables indicated by the debug output shown above by "undefined variable s fixing".

Yet another feature, evaluation timeouts will prevent infinite loops and scripts that consume too much time/cpu/memory.

Wednesday, June 24, 2009

Jsunpack-n updates for PDF decoding, improved HTTP handling, dynamic JavaScript and Logging

Hey everyone,
I released jsunpack-n version 0.1b today (get source code from http://jsunpack.jeek.org/jsunpack-n.tgz). While this code is still being released as alpha/unstable, there are some great new features in this edition.

For example, try to decode the sample-pdf.pcap file included with the distribution and you will notice that I've added not only PDF decoding, but minimal PDF CVE signatures.

$ ./jsunpack-n.py sample-pdf.pcap
decoded 25275 bytes in pdf
[0] decoded 25275 trughtsa.com/img/pfqa.php
[1] decoded 7627 trughtsa.com/img/pfqa.php
Match signature [CVE-2007-5659] Collab.collectEmailInfo
Match signature [CVE-2007-5659] Collab.getIcon
Match signature [CVE-2008-2992] util.printf
Match signature [CVE-2009-1493] spell.customDictionaryOpen
Match signature [CVE-2009-1492] getAnnots

I hope you enjoy all of the new features in this update. As always, I like feedback so send me an email blake_at_jeek_org.

Sunday, June 7, 2009

Very Cool jsunpack-n release: JavaScript Decoding on the Network (The Future)

My favorite tools to decode JavaScript today are for security research and often have too little impact because administrators must find URLs, submit them for research, and it requires significant additional effort. There is no current way to detect threats against a real network using these tools in an automatic manner.

Until now! I started building a tool that is useful to administrators defending networks. The main difference is that it is a completely passive JavaScript decoder to perform Intrusion Detection, by processing network traffic (either an interface or pcap file), rather than URLs.

I built a basic implementation of this concept as a new version of "jsunpack-network" or (jsunpack-n). Some of the benefits of this technique are:

  • Tracks streams and decodes Transfer and Content encodings of types chunked and gzip.

  • Completely passive: Don't need to worry about User-Agents, proxies, or other tricks that attackers use to prevent analysis

  • Detect if an exploit is successful: the system monitors all URLs. It can determine if an exploit would fetch another URL and when the client requests that URL, the system knows that the exploit was successful.

The source code for this project is available from http://jsunpack.jeek.org/jsunpack-n.tgz. Here is an example output using the test file (included in the jsunpack-n.tgz archive):

$ ./jsunpack-n.py sample-http-exploit.pcap
DECODED JavaScript Data
exploit_watch append hxxp://hifgejig.cn/nuc/exe.php

The exploit_watch variable tracks all URLs to track if an exploit is successful and if it is, then the script prints the associated IP addresses and URLs:

print 'Exploit Successful ', tcp.addr, ' from URL ', exploit_watch[host+url]

Since this project is very new, I expect there will be a few issues and therefore you run this at your own risk. I am releasing this code as alpha/unstable, because I think that there is a lot of opportunity to improve it.

Two of the areas that are completely lacking at this point are

  • signature-based detection

  • pdf decoding

I am releasing a PDF decoding script with this code, available in the jsunpack-n.tgz archive called "pdf.py"; however, I haven't integrated it with jsunpack-n yet. While this should be a simple task, I'm still testing and improving the PDF decoding, as it now only handles a few of the decoding techniques I'd like it to support.

Please leave me your comments (good or bad), to improve the project. I haven't fully integrated jsunpack's algorithms yet (I will soon, I promise).

Improved Command Line API for jsunpack

A few weeks ago Jesse wrote an excellent script which is a command line interface for jsunpack.

Last week, one reader made some great improvements to this script by allowing you to upload a local file for decoding. It checks each command line argument to see if a local file exists, then if it does it uploads it. Otherwise, it works in the same way as Jesse's original script and just decodes URLs.


use strict;
use CGI;
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request::Common;

my $ua = LWP::UserAgent->new;

for my $url (@ARGV){
if (-f "$url"){
if(open(FIN, "< $url")){
$url = <FIN>;
else {
print "warning: ignoring '$url', cannot open file\n";

my $res = $ua->post(
Content_Type => 'application/x-www-form-urlencoded',
Content =>
'url' => [$url],
'apikey' => ['exploitme']

if ($res->is_success){
print $res->content;
else {
print "\n\n"."Failed to fetch remote file"."\n\n";
print "jsunpack"."\n".$res->status_line, "\n";