apolkosnik-old / jsunpack-n Goto Github PK

test

What steps will reproduce the problem?
1. Followed install instructions to install dependencies.
2. cd js-1.7.0-rc1-src && make BUILD_OPT=1 -f Makefile.ref && make js
3. FAILS with make: *** [js] Error 1

What is the expected output? What do you see instead?

Expected: Success
Errors: jstypes.h:401:25: error: expected ';' before numeric constant
...
make: *** [js] Error 1

What version of the product are you using? On what operating system?

Ubuntu 14.04 Server

Please provide any additional information below.

What steps will reproduce the problem?
1. go to http://jsunpack.jeek.org/dec/go
2. submit an active malware that is ASCII85 encoded without "<~" and "~>" (for 
example : hxxp://bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on <-- 
active malware, be careful )
3. you'll see jsunpack marks it as benign :)

What is the expected output? What do you see instead?
- expected output is to detect as malicious behavior, but because of using "<~" 
and "~>" as a mandatory index, pdf will marked as benign!

What version of the product are you using? On what operating system?
- latest version that is active on site(http://jsunpack.jeek.org/dec/go?)

Please provide any additional information below.
- needed to provide andother way to index 
https://code.google.com/p/jsunpack-n/source/browse/trunk/pdf.py#274

The issue noted was that certain relative URLs were causing there to be an 
infinite loop, where the relative url (i.e. ../scripts/include.js) was being 
appended to the end of the url rather than joining properly to the host portion 
of the base URL.  This is allowed if two things are true:

1) there is an embedded URL as a parameter (i.e. 
www.host.com/page.php?referrer=http://www.referrer.com/ (this is what causes 
the malformed url)
2) a custom error page redirects to a page with the same, or similar type of 
include, rather than to a static html 404 error page (this is what causes the 
loop)

Note: if only condition #1 is true, you won't get stuck in a loop, but you'll 
get a lot of 404s and miss valuable includes

I've attached an example output from the condition with a URL that has both 
issues and causes an infinite loop condition (with a hard stop signal to stop 
it)

FIX:
I've attached a diff file, but essentially I included urljoin from urlparse, 
and used that to combine the URLs in cases other than files which I haven't 
touched or looked into.  

The issue was in the function build_url_from_path, where at regex was used to 
find the serverpath (or base url), just by removing anything after the last '/' 
character in the URL.  The error is that a valid URL may contain a '/' 
character in a parameter after a '?' character in the case of 
www.host.com/test?referrer=http://referrer.com/page.  

Rather than trying to solve all the complexities of URL parsing and joining, I 
fixed it by using the maintained library, which may be a little heavier weight 
than is needed for this fix, but the library would probably be helpful 
elsewhere as well.

Jsunpack is not able to handle the latest blackhole exploit kit which contains 
obfuscation within the div tags.

<html><body><style>#q{color:#fff;}</style><div id="q" 
style="display:block;">3320.........

<script>z=function(){c="";
d=11;
for(i=32478-1;i!=-1;i--){
    w=i;
    v=a[w];
    dd=32478-i-2+1;
    b=d;
    dd=dd-b*Math.floor(dd/d);
    k=v*1-(dd-13);
    kk=k;
    c+=f.fromCharCode(kk);
}
md="a";
try{prototype||123;}catch(dagdsg){if(020==0x10)eval(c);}}
if(window.document)for(i=0;i<document.body.childNodes.length;i++){
    if (document.body.childNodes[i].hasAttribute("style"))
        if(z)g=document.body.childNodes[i].innerHTML.replace(/hwehes/g,"");
}
a=[];
for(i=0;i<g.length;i+=2){
    gg=g.substr(i,0x2);
    a.push(parseInt(gg,0x10));
}
try{fwq&prototype}catch(qwrwqr){
if(020==0x10){f=String;
}}
z();
        </script>


Attaching a sample file.

Hello. What about some API?

Caused by an uncaught exception in line 486:
jars = re.findall('<(applet|object)([^>]*)?[ 
]+archive=\\\\?[\\\'"]?(.*?)\\\\?[\\\'"> ]', data, re.IGNORECASE)

What steps will reproduce the problem?
Processing of various http traffic on normal web traffic, about once every 200 
files I encountered.

I have had this error at least 40 times now and it breaks my threads while 
calling jsunpack as a library so I can't do anything about it!?

What is the expected output? What do you see instead?
The program should catch the exception and not terminate but it terminates.

What version of the product are you using? On what operating system?
r58 on Ubuntu 11.04 64bit

Here is an example for it:
Exception in thread Thread-19:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 132, in __bootstrap_inner
    self.run()
  File "/home/user/test.py", line 102, in run
    file_worker(self.inf)
  File "/home/user/test.py", line 67, in file_worker
    mimpact, impactmessages) = execute_jsunpack()
  File "/home/user/test.py", line 32, in execute_jsunpack
    js_prev_rooturl)
  File "/home/user/jsunpack/jsunpackn.py", line 137, in __init__
    self.main_decoder(mydata,myfile)
  File "/home/user/jsunpack/jsunpackn.py", line 1027, in main_decoder
    jsinurls = self.find_urls(predecoded,tcpaddr)
  File "/home/user/jsunpack/jsunpackn.py", line 486, in find_urls
    jars = re.findall('<(applet|object)([^>]*)?[ ]+archive=\\\\?[\\\'"]?(.*?)\\\\?[\\\'"> ]', data, re.IGNORECASE)
  File "/usr/lib/python2.7/re.py", line 177, in findall
    return _compile(pattern, flags).findall(string)
  File "/usr/lib/python2.7/re.py", line 245, in _compile
    raise error, v # invalid expression
error: nothing to repeat

What steps will reproduce the problem?
1.Download POC http://www36.zippyshare.com/v/25032778/file.html
2.python jsunpackn.py POC.pdf -V
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?
Linux Mint, everything else works great, only errors on this PDF

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1. jsunpack http://dev.piwik.org/trac/export/3824/trunk/js/piwik.js

What is the expected output?
Benign. No errors.

What do you see instead?
Benign.
error: undefined variable hostName

What version of the product are you using? On what operating system?
http://jsunpack.jeek.org/dec/go

Please provide any additional information below.
It appears to be the use of hostName in the urlFixup() function in piwik.js 
triggering the error.  (This function, by itself, passes jsunpack.)

The same code appears to work in multiple browsers, and passes jslint.

1.http://jsunpack.jeek.org/
2.paste url
3.press Submit URLS

and get

<type 'exceptions.OSError'>: [Errno 28] No space left on device: 
'/storage/b745/1d22f64041dd66e20e4a8d81baadc189c62/' 
      args = (28, 'No space left on device') 
      errno = 28 
      filename = '/storage/b745/1d22f64041dd66e20e4a8d81baadc189c62/' 
      message = '' 
      strerror = 'No space left on device'

Attempt to test possible malicious link

[DO NOT FOLLOW Unless you know what you're doing]
http://deudor.com/searchresult-g.php?CS=aHR0cDovL3d3dy5uYmNvbmxpbmUxMC5jb20=


Page returns type 'exceptions.OSError', appears to be out of disk space. Entire 
page dump visible on page attached. 

brief summary of error output

args = (28, 'No space left on device') 
      errno = 28 
      filename = '/storage/973a/804c52d4056383e153cc9560a5b335bde64/' 
      message = '' 
      strerror = 'No space left on device'

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

In pdf.py, line 501 should read:

fileId = ''

rather than:

fileID = ''

The latter is a typo and leads to unbound local errors.

This is a similar problem, but different fix, as the previously noted infinite 
loop issue in active mode.  

In this case the two causes appear to be:
1) requested URL includes an html escapable character (i.e '<','>','&') 
2) the request html object includes an escaped version of the URL requested 
(i.e. if the requested URL was www.test.com/testpage.html?a=1&b=2, then the 
page would include a link on the page to 
www.test.com/testpage.html?a=1&amp;b=2, or some variation that includes &amp; 
in the link)

The loop is created because jsunpack-n doesn't recognize the second URL with 
&amp; instead of & the same as the first URL already fetched, so it makes 
another request for the "new" link, which then returns yet another link 
including &amp;amp; (because the first & is again escaped by the server.  This 
goes on until you run out of memory or patience.  

You can recreate this (at this moment) with the following command and url: 
./jsunpackn.py -au 
'http://search.twitter.com/search?q=Seth+s+Blog+Where+Do+Ideas+Come+From'

I've attached a diff that also includes the previous fix for issue #3 
(https://code.google.com/p/jsunpack-n/issues/detail?id=3)

The fix is a little gludgy ATM, it would be better if all urls are created and 
cleaned in one method, rather than adhoc for each type.

Also, I noticed that there are timeouts for time, but I may go ahead and add a 
"max-depth" parameter as well for active mode, as this would address a 
different set of issues than time timeouts.

I try to use jsunpack on Ubuntu 10.04 64 bits server
when i execute python jsunpackn.py -D -V samples/pdf-jsEval.file

I have this error return: 
error: Error: Fatal error in decodeJS: [Errno 2] No such file or directory

Thank a lot for your attention

Sebastien Larinier

Add support for unzipping Java jars and applying rules to them. :-)

I am thinking about how to fasten the html parsing and have found this article 
about python html-parsers: 

http://blog.ianbicking.org/2008/03/30/python-html-parser-performance/

According to which lxml is the fastest python parser because it is only a type 
of python binding to the underlying libxml and libxslt libraries. 

Further analysis reveals that the latest beta version of the BeautifulSoup 
Parser 4.x is supporting this parser as the underlying engine. 
Thus bringing me to the conclusion that patching jsunpack to use lxml as the 
html parser would be only a small patch which might be something like this:
From (in html.py):
import BeautifulSoup
...
soup = BeautifulSoup.BeautifulSoup(data)
soup.findAll(tag,attrib)
To:
import bs4
soup = bs4.BeautifulSoup(data)
soup.find_all(tag,attrib)

(And tests/test_lxml.py contains a sample of how to use lxml as a bs4.builder)

What do you think?

Regards

Ali

Not an issue, but I couldn't find a way to contact the dev.  I'm trying to make 
a copy of the http://jsunpack.jeek.org/dec/go site but inside our private 
network.

I was wondering if you'd be willing to provide your php/html source for parsing 
input and outputting results?  Due to our restrictions in research, we're not 
able to always use your site.

Thanks, 
Lance

Lines 320 and 334 in pdf.py both contain the code:

streamLocation = re.search(....);

In both cases, the return value is unchecked.  In the case where no match is 
found this leads to a fatal AttributeError on the following line when 
streamLocation.start() is accessed.

Suggest adding an 'if streamLocation:' check in both cases to allow the script 
to continue.

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

The problem is related with a change in the Match object. The 'strings' 
attribute of Match was a dictionary in previous versions of yara-python, but 
starting with version 1.4 is a list of tuples. Each tuple contains the offset, 
string identifier, and string data.

Lines 56-57 of detection.py should be changed from:

for s in match.strings:
      msg.append(match.strings[s])

to:

for (offset, identifier, string) in match.strings:
     msg.append(string)

Maybe would be a good idea to do something like:

if type(match.strings) is dict:
      for s in match.strings:
           msg.append(match.strings[s])
else:
     for (offset, identifier, string) in match.strings:
           msg.append(string)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" >
 <head id="ctl00_masterHead">

What steps will reproduce the problem?
Use jsunpack to scan a file with the following line in it:

<Applet Code="Update.class" archive="Update.jar" width="0" Height="0">

What do you see instead?
Traceback (most recent call last):
  File "./jsunpackn.py", line 1359, in <module>
    main()
  File "./jsunpackn.py", line 1300, in main
    js = jsunpack(file, ['',mydata,file], options)
  File "./jsunpackn.py", line 133, in __init__
    self.main_decoder(mydata,myfile)
  File "./jsunpackn.py", line 1023, in main_decoder
    jsinurls = self.find_urls(predecoded,tcpaddr)
  File "./jsunpackn.py", line 482, in find_urls
    jars = re.findall('<(applet|object)([^>]*)?[ ]+archive=\\\\?[\\\'"]?(.*?)\\\\?[\\\'"> ]', data, re.IGNORECASE)
  File "/usr/lib/python2.6/re.py", line 177, in findall
    return _compile(pattern, flags).findall(string)
  File "/usr/lib/python2.6/re.py", line 245, in _compile
    raise error, v # invalid expression
sre_constants.error: nothing to repeat


What version of the product are you using? On what operating system?
r55

Please provide any additional information below.

The testcase came from the Eleonore exploit kit v1.4.1, exp.php.

#Ex. <applet mayscript='true' code='bpac.a.class' archive='bnktjvdpxuko4.jar
jars = re.findall('<(applet|object)([^>]*)?[ 
]+archive=\\\\?[\\\'"]?(.*?)\\\\?[\\\'"> ]', data, re.IGNORECASE)

What steps will reproduce the problem?
1. when we try to run jsunpackn.py from another batch file or through another 
python script.

What is the expected output? What do you see instead?
When we try to access jsunpackn.py from another python program, jsunpackn.py is 
unable to read the options.config file and its variables.
throws an error starting from,
options.timeout = int(options.timeout)

If i manually set the time here, it will throw error on redo timer and keeps 
going on.

Happens especially when accessing it from another script.

What version of the product are you using? On what operating system?
The latest SVN trunk.

Please provide a setup.py distutils for jsunpack

What steps will reproduce the problem?

Disabling the OPTIONAL paths in options.config does not work.

What is the expected output? 
I expect to see no output for the OPTIONAL outdir log_ips and decoded.log when 
I comment these out in options.config

I want to run jsunpackn.py as fast as possible with out any unnecessary output.

What do you see instead?

I see parse errors for the above aforementioned objects. I expect to see it run 
normally.


What version of the product are you using? 
Latest (0.3.2c)

On what operating system?

Linux 


Please provide any additional information below.

What steps will reproduce the problem?
1.provide html file containing url with control characters
ie: <script src="[insert any with control characters]">
2. run jsunpack

What is the expected output? What do you see instead?
Expect jsunpack to run without fatal error, instead I see error output 
including:
File "../../../urlattr.py", line 27
  if os.path.exists(input):
  ^ 
What version of the product are you using? On what operating system?
Latest on Linux Redhat

Please provide any additional information below.

Believe the solution is to wrap the call to "os.path.exists(input)" in a 
try/catch block. It doesn't appear to matter if this call fails as it only 
appears to be looking for the supplied file on the filesystem, and I don't know 
that such files can contain control characters.

What steps will reproduce the problem?
1. create a file with the following content (note the space preceeding the word 
archive:
' archive="blah.jar"'

What is the expected output? What do you see instead?
Expect jsunpackn.py not to fall over, however an error is occurring producing a 
traceback as shown below:

Traceback (most recent call last):
  File ".jsunpackn.py", line 1363, in <module>
    main()
  File ".jsunpackn.py", line 1304, in main
    js = jsunpack(file, ['',mydata,file], options)
  File ".jsunpackn.py", line 1027, in main decoder
    jsinurls = self.find_urls(predecoded, tcpaddr)
  File ".jsunpackn.py", line 486, in find_urls
    jars = re.findall('<(applet|object)([^>]*)?[ ]+archive=\\\\?[\\\'"]?(.*?)\\\\?[\\\'"> ]', data, re.IGNORECASE)
  File "/usr/local/lib64/python2.7/re.py", line 177, in findall
    return_compile(pattern, flags).findall(string)
  File "/usr/local/lib64/python2.7/re.py", line 244, in _compile
    raise error, v # invalidexpression
sre_constants.error: nothing to repeat


What version of the product are you using? On what operating system?
r58 of junpackn.py, running on redhat linux.

Please provide any additional information below.
Have had a quick play around and it appears the issue relates to the regex 
being supplied:
'<(applet|object)([^>]*)?[ ]+archive=\\\\?[\\\'"]?(.*?)\\\\?[\\\'"> ]'
in particular the text "([^>]*)?" seems to trigger the error.

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1. Get a fresh FreeBSD
2. Have a lot of issues with pynids but get them fixed ;)
3. Follow the guide but get an error

What is the expected output? What do you see instead?

js-1.8.0-rc1-src # make BULD_OPT=1 -f Makefile.ref
"config.mk", line 40: Need an operator
"config.mk", line 42: Need an operator
"config.mk", line 44: Need an operator
"config.mk", line 51: Missing dependency operator
"config.mk", line 53: Need an operator
Error expanding embedded variable.

Assumed that gmake might be necessary resulting in:

js-1.8.0-rc1-src # gmake BULD_OPT=1 -f Makefile.ref
config.mk:159: config/FreeBSD9.1-RELEASE.mk: No such file or directory
cat: ../../dist/FreeBSD9.1-RELEASE_DBG.OBJ/nspr/Version: No such file or 
directory
gmake: *** No rule to make target `config/FreeBSD9.1-RELEASE.mk'.  Stop.


What version of the product are you using? On what operating system?

Latest version JSUN + FreeBSD 9.1

What steps will reproduce the problem?
1. Download jsunpack-n
2. Download Spidermonkey - wget 
http://ftp.mozilla.org/pub/mozilla.org/js/js-1.7.0.tar.gz
3. Follow INSTALL.spidermonkey instructions with jsunpack.

Specificall.  

     line = 0;
        principals = NULL;
    }

    if (JSSTRING_IS_DEPENDENT(str)) {
        n = (size_t)JSSTRDEP_LENGTH(str);
        s = JSSTRDEP_CHARS(str);
    } else {
        n = (size_t)str->length;
        s = str->u.chars;                     //this line causes comile error
        //why doesn't this work
    }
    printf("\n//eval\n");
    for (i = 0; i < n; i++){
        if (s[i] == '\0'){
                break;
        }
        printf("%c",s[i]);
    }
    printf("\n");

    /*
     * Set JSFRAME_EVAL on fp and any frames (e.g., fun_call if eval.call was

4.  Run build of spidermonkey

[root@nsm src]# make BUILD_OPT=1 -f Makefile.ref

<snip a few lines.
gcc -o Linux_All_OPT.OBJ/jsobj.o -c -Wall -Wno-format -DGCC_OPT_BUG -O 
-DXP_UNIX -DSVR4 -DSYSV -D_BSD_SOURCE -DPOSIX_SOURCE -DHAVE_LOCALTIME_R 
-DX86_LINUX  -UDEBUG -DNDEBUG -UDEBUG_root -DEDITLINE -ILinux_All_OPT.OBJ  
jsobj.c
jsobj.c: In function âobj_evalâ:
jsobj.c:1375: error: âJSStringâ has no member named âuâ
make[1]: *** [Linux_All_OPT.OBJ/jsobj.o] Error 1
make[1]: Leaving directory `/home/kyle/js/src'
make: *** [all] Error 2







What is the expected output? What do you see instead?

See above

What version of the product are you using? On what operating system?

[root@nsm src]# cat /etc/redhat-release
Fedora release 11 (Leonidas)

Please provide any additional information below.

What steps will reproduce the problem?
1. $ python jsunpackn.py -v /home/ssh/wp-content.htm

What is the expected output? What do you see instead?
I expect this
[nothing detected] upload
     info: [decodingLevel=0] found JavaScript
     info: DecodedIframe detected 
     info: [var ss] URL=127.0.0.1/          if
     info: [var newurl] URL=127.0.0.1/          if
     info: [iframe] saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c
     info: [decodingLevel=1] found JavaScript
     file: 84597d8477698da97081d6f1752e46b4103a6538: 3085 bytes
     file: b5f2d1dddbf5e52ca8781f738194665f000ea603: 1492 bytes

Only see this:
[nothing detected] upload
     info: [decodingLevel=0] found JavaScript
What version of the product are you using? On what operating system?
0.3.2c, Ubuntu 11.10

Please provide any additional information below.
I tried several combinations of options but didn't get the desired output. 
Thank you for the help.

Added code to handle object streams in a pdf document and detect JavaScript 
embedded in the object streams. Previously objects embedded into a object 
stream were missing in the output and if JavaScript was embedded it would not 
be detected. Also if a "/Names" tag was used and it contained a custom name, 
for example "/Names (My Code) 15 0 R", only the text "My Code" would be 
captured and displayed because the parsing function would stop after the right 
parenthesis. I added a condition to an existing "if" statement so the 
"grabmore" variable is one if there was a right parenthesis and the current tag 
was "Names". I tested both changes to several pdf documents and I posted the 
test cases on my security blog 
http://mariomalwareanalysis.blogspot.com/2012/03/jsunpack-fix-for-detecting-pdf.
html. The changes have been helpful for me and hopefully you will find it 
useful as well :-)

A faster JS engine like f.e. V8 would significantly speedup the deobfuscation 
process, and given the small patch to SpiderMonkey, patching v8 should be very 
easy?! There are lots of tests out there that show the huge performance 
increase of the latest free software engines. A google search for JaegerMonkey 
vs V8 or similar will provide insight into the topic.