Jsunpack-n update v0.3a: SWF parsing and Bug fixes release

The main new feature in this release is the "swf.py" file, as a standalone you can run it like this:

$ ./swf.py sample-swf-js.file
processing flash file [version 4] (length 115, actual length 115)type=0x9 length=3 name=SetBackgroundColor
type=0x18 length=31 name=Protect
type=0xc length=46 name=DoAction
actionCode 0x83 len(42) ActionGetURL javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))
actionCode 0x0 len(0) unknownAction

tags (with counts) of length=0
End:1, ShowFrame:1
sample-swf-js.file ['javascript:eval(fV6("ZlY4KGZWMSwxKQ=="))']

$ ./swf.py sample-swf-url.file
processing flash file [version 8] (length 1125772, actual length 1125772)type=0x45 length=4 name=FileAttributes
type=0x9 length=3 name=SetBackgroundColor
type=0xc length=65 name=DoAction
actionCode 0x83 len(45) ActionGetURL http://5173vip.seawww.cn/cuteqq.htm (_blank)
actionCode 0x96 len(12) ActionPush datatype[0]=string(text)
actionCode 0x1d len(0) ActionSetVariable
...

As you can see, you can embed both URLs and javascript within Flash SWF files. jsunpack-n uses this module to follow those links and report any obtained information.

The changelog follows:

Updates 2009-09-25 version 0.3a
1) new extraction of URLs/JavaScript from Flash files (CWS/FWS) with swf.py
2) significant performance improvements in shellcode processing
3) bug fixes
3a) fixed tree structure of urls (specific to pcap processing)
when a node could detatch itself from the tree incorrectly

Jsunpack-n update v0.1f: Active Mode and Client version Enumeration

Attackers frequently try to hide their exploits using version detection. They profile the client software (browser or PDF reader), then only launch an exploit or decode the payload provided you use a vulnerable version. To counteract this, jsunpack-n now uses multiple different version strings and uses the best result.

More signatures and better PDF decoding (pdf.py) with Ascii85Decode support!

I also added active mode (-a), which fetches any [not analyzed] URLs and can be used with URL fetching (-u):

$ ./jsunpack-n.py -u "www.bbkmobile.com" -a
URL fetch www.bbkmobile.com
      (referer=www.google.com/trends/hottrends)
      saved 1647 bytes to ./files/fetch_b8df4c6607205922a41d6448de0dda45d3885951

Active Mode, fetching x new URLs
      [...cut...]

[nothing detected;children=malicious:10] (script) www.bbkmobile.com/
      [suspicious:5] (script) www.crcf.org.cn/logo.gif?b
            suspicious: DecodedIframe detected <iframe
            [nothing detected;children=malicious:10] (iframe) knownsec.7766.org/wwj2/1.htm?
[...cut...]

More info from the CHANGELOG:

Updates 2009-09-18 version 0.1f
1) active fetching of with -a, and evaluation of urls with -u, use both (-u URL and -a) for purely active analysis
2) evaluation of multiple different client version strings:
2a) version enumeration: adobe reader for pdf
2b) version enumeration: IE7, IE8, Firefox, Opera
2c) cumulative evaluation time limits per decoding, and inference of code coverage based upon evaluation time
3) added pdf decoding support for ASCII85Decode and made other improvements to pdf decoding
4) rules updates

Get it here!

Jsunpack-n Update v0.1e: Graphical output, directory output, command line options and fixes

A new version of jsunpack-n is available 0.1e! This version makes some major improvements in the rule language (using Yara) and allows you to make pretty pictures like this:



One thing I think you will like is the new output ./files/ directory and command line options! Enjoy.

Here is it running with the sample files included in the archive:

$ ./jsunpack-n.py sample-http-exploit.pcap
[malicious:10] hifgejig.cn/nuc/
[impact=5] DecodedGenericCLSID detected F0E42D60-368C-11D0-AD81-00A0C90DC8D9
[impact=10] MSOfficeSnapshotViewer detected F0E42D60-368C-11D0-AD81-00A0C90DC8D9
[impact=5] ObfuscationPattern detected location eval
[impact=10] MSIENestedSpan detected CDATA[<image SRC=http://&# DATAFORMATAS= <SPAN DATASRC= DATASRC= DATAFLD=
[info] find_urls: [javascript var] hifgejig.cn/nuc/exe.php

$ ./jsunpack-n.py sample-pdf.pcap
[suspicious:5] trughtsa.com/
[impact=5] DecodedIframe detected <iframe
[info] [iframe /] trughtsa.com/img/pfqa.php

[malicious:10] trughtsa.com/img/pfqa.php
[impact=10] PDFexploit detected util.printf Collab.getIcon getAnnots Collab.collectEmailInfo spell.customDictionaryOpen
[malicious] identified shellcode of length 1533 (./files/shellcode_9ac3a76f70caef94f2773abc1043e9511d2d0f09)
[info] XOR key [shellcode]: 33
[info] shellcode url [xor] trughtsa.com/img/uet.php
[impact=5] ObfuscationPattern detected eval String.fromCharCode

[malicious:10] trughtsa.com/img/uet.php
[incident:10] [0] requested by 192.168.203.60
[incident:10] [0] origin trughtsa.com/img/pfqa.php
[incident:10] [0] method=GET type=shellcode
[incident:10] [0] filetype MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

$ ./jsunpack-n.py sample-pdf.file
[malicious:10] sample-pdf.file
[impact=10] PDFexploit detected collab.getIcon
[suspicious] likely NOP sled shellcode variable of length 167
[malicious] identified shellcode of length 1526 (./files/shellcode_da344d16e814e40dec67592bdccdf3ad50e0069d)
[info] XOR key [shellcode]: 33
[info] shellcode url [xor] b35.info/w/who.exe
[suspicious] likely NOP sled shellcode variable of length 2048
[suspicious] likely NOP sled shellcode variable of length 1714
[suspicious] likely NOP sled shellcode variable of length 522574

More from the RELEASE notes:

RELEASE NOTES:
Updates 2009-09-02 version 0.1e

First and foremost, thanks to Victor! (for creating the Yara detection library)
Yara is now a required dependency and the supported format for the 'rules' file

1) improved URL tracking using 'urlattr' class and urls dictionary
1a) new command line option -g, to create a URL graph (only when pcap contains 10 or fewer URL requests)
2) bug fixes for stream reassembly and pdf parsing
2a) stream reassembly now handles all streams when processing a pcap file,
regardless of whether the nids state is in end_states
4) detection of NOP sled shellcode and performance improvements in shellcode processing
(this was one of the performance bottlenecks)
5) new output format with ./files/ directory or -d OUTDIR command line option
6) CVE references are available in the 'rules' file but are temporarily unavailable in alerts