From 19615ac4b7733e7729a23dcaac81f66325d827fa Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Mon, 21 Oct 2013 21:02:01 -0500
Subject: [PATCH] Apparently I missed a lot of stuff
---
.../js/{exploitation => memory}/heap_spray.js | 0
.../{exploitation => memory}/mstime_malloc.js | 0
.../property_spray.js | 0
lib/rex/exploitation/js/addonsdetect.rb | 30 +++++++++++
lib/rex/exploitation/js/memory.rb | 52 +++++++++++++++++++
lib/rex/exploitation/js/network.rb | 28 ++++++++++
lib/rex/exploitation/js/osdetect.rb | 44 ++++++++++++++++
lib/rex/exploitation/js/utils.rb | 33 ++++++++++++
8 files changed, 187 insertions(+)
rename data/js/{exploitation => memory}/heap_spray.js (100%)
rename data/js/{exploitation => memory}/mstime_malloc.js (100%)
rename data/js/{exploitation => memory}/property_spray.js (100%)
create mode 100644 lib/rex/exploitation/js/addonsdetect.rb
create mode 100644 lib/rex/exploitation/js/memory.rb
create mode 100644 lib/rex/exploitation/js/network.rb
create mode 100644 lib/rex/exploitation/js/osdetect.rb
create mode 100644 lib/rex/exploitation/js/utils.rb
diff --git a/data/js/exploitation/heap_spray.js b/data/js/memory/heap_spray.js
similarity index 100%
rename from data/js/exploitation/heap_spray.js
rename to data/js/memory/heap_spray.js
diff --git a/data/js/exploitation/mstime_malloc.js b/data/js/memory/mstime_malloc.js
similarity index 100%
rename from data/js/exploitation/mstime_malloc.js
rename to data/js/memory/mstime_malloc.js
diff --git a/data/js/exploitation/property_spray.js b/data/js/memory/property_spray.js
similarity index 100%
rename from data/js/exploitation/property_spray.js
rename to data/js/memory/property_spray.js
diff --git a/lib/rex/exploitation/js/addonsdetect.rb b/lib/rex/exploitation/js/addonsdetect.rb
new file mode 100644
index 0000000000..af0aeed1dd
--- /dev/null
+++ b/lib/rex/exploitation/js/addonsdetect.rb
@@ -0,0 +1,30 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+require 'rex/text'
+
+require 'rex/exploitation/jsobfu'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Provides javascript functions to determine addon information.
+#
+# getMsOfficeVersion(): Returns the version for Microsoft Office
+#
+class AddonsDetect < JSObfu
+
+ def initialize(custom_js = '', opts = {})
+ @js = custom_js
+ @js += ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "addons.js"))
+
+ super @js
+
+ return @js
+ end
+
+end
+end
+end
+end
diff --git a/lib/rex/exploitation/js/memory.rb b/lib/rex/exploitation/js/memory.rb
new file mode 100644
index 0000000000..2d94e2ae5e
--- /dev/null
+++ b/lib/rex/exploitation/js/memory.rb
@@ -0,0 +1,52 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Provides meomry manipulative functions in JavaScript
+#
+class Memory
+
+ def self.mstime_malloc
+ js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "mstime_malloc.js"))
+ js = js.gsub(/W00TA/, Rex::Text.rand_text_hex(6))
+ js = js.gsub(/W00TB/, Rex::Text.rand_text_hex(5))
+
+ ::Rex::Exploitation::ObfuscateJS.new(js,
+ {
+ 'Symbols' => {
+ 'Variables' => %w{ buf eleId acTag }
+ }
+ }).obfuscate
+ end
+
+ def self.property_spray
+ js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "property_spray.js"))
+
+ ::Rex::Exploitation::ObfuscateJS.new(js,
+ {
+ 'Symbols' => {
+ 'Variables' => %w{ sym_div_container data junk obj }
+ }
+ }).obfuscate
+ end
+
+ def self.heap_spray
+ js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heap_spray.js"))
+
+ ::Rex::Exploitation::ObfuscateJS.new(js,
+ {
+ 'Symbols' => {
+ 'Variables' => %w{ index heapSprayAddr_hi heapSprayAddr_lo retSlide heapBlockCnt }
+ }
+ }).obfuscate
+ end
+
+end
+end
+end
+end
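Review bot: In `AddonsDetect#initialize` the closing `return @js` is dead — `AddonsDetect.new` hands back the instance, not initialize's value — and `opts` is accepted but neither used nor forwarded, so any options a caller passes are silently ignored. Drop the return and either forward the hash (`super(@js, opts)`, if `JSObfu#initialize` takes one; its signature is not in this patch) or remove the parameter. `OSDetect#initialize` in the osdetect.rb hunk has the identical shape and the same fix applies there. Separately, code under `lib/rex` reaching for `Msf::Config.data_directory` via `require 'msf/core'` makes Rex depend on Msf, which appears to invert the layering the directory names suggest; accepting the data directory as an argument would keep Rex loadable on its own.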
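Review bot: `Memory.mstime_malloc`, `property_spray` and `heap_spray` repeat the same read-from-`data/js/memory`-then-`ObfuscateJS` sequence with only the file name and the variable list changing; two private class methods would remove the duplication and keep the obfuscation options in one place to audit. The file also calls `Rex::Text.rand_text_hex` without `require 'rex/text'`, which the addonsdetect.rb, osdetect.rb and utils.rb hunks do require, and none of the five new files requires the file defining `Rex::Exploitation::ObfuscateJS`, so loading relies on `msf/core` pulling these in. The header comment has a typo: `# Provides meomry manipulative functions in JavaScript` should read `memory`.
```ruby
 def self.mstime_malloc
   js = read_js("mstime_malloc.js")
   js = js.gsub(/W00TA/, Rex::Text.rand_text_hex(6))
   js = js.gsub(/W00TB/, Rex::Text.rand_text_hex(5))
   obfuscate_vars(js, %w{ buf eleId acTag })
 end

 # … unchanged in intent: property_spray and heap_spray become one read_js call plus one obfuscate_vars call with their own variable lists …

 # Reads one of the bundled scripts from data/js/memory/ (raises Errno::ENOENT if absent).
 def self.read_js(name)
   ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", name))
 end

 # Passes the listed variable names to ObfuscateJS and returns its obfuscate result.
 def self.obfuscate_vars(js, variables)
   ::Rex::Exploitation::ObfuscateJS.new(js, { 'Symbols' => { 'Variables' => variables } }).obfuscate
 end
 private_class_method :read_js, :obfuscate_vars
```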
diff --git a/lib/rex/exploitation/js/network.rb b/lib/rex/exploitation/js/network.rb
new file mode 100644
index 0000000000..ae206dcd40
--- /dev/null
+++ b/lib/rex/exploitation/js/network.rb
@@ -0,0 +1,28 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Provides networking functions in JavaScript
+#
+class Network
+
+ def self.ajax_download
+ js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_download.js"))
+
+ ::Rex::Exploitation::ObfuscateJS.new(js,
+ {
+ 'Symbols' => {
+ 'Variables' => %w{ xmlHttp }
+ }
+ }).obfuscate
+ end
+
+end
+end
+end
+end
diff --git a/lib/rex/exploitation/js/osdetect.rb b/lib/rex/exploitation/js/osdetect.rb
new file mode 100644
index 0000000000..4ec67e5de1
--- /dev/null
+++ b/lib/rex/exploitation/js/osdetect.rb
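Review bot: `data/js/network/ajax_download.js`, which `Network.ajax_download` reads, is not created or renamed anywhere in this patch (the diffstat lists only the three `data/js/memory` renames and the five Ruby files), so unless it lands in a separate commit `::File.read` raises `Errno::ENOENT` on first use; the same applies to `detect/addons.js`, `detect/os.js` and `utils/base64.js` referenced by the other hunks. The method also has no documentation beyond the class banner, and the banner says nothing about what callers get back; a comment such as `# Returns the source of data/js/network/ajax_download.js as a String after ObfuscateJS has processed it` above `def self.ajax_download` would make the contract explicit, ideally listing the functions the script defines, which this patch does not show.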
@@ -0,0 +1,44 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+require 'rex/text'
+
+require 'rex/exploitation/jsobfu'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Provides several javascript functions for determining the OS and browser versions of a client.
+#
+# getVersion(): returns an object with the following properties
+# os_name - OS name, one of the Msf::OperatingSystems constants
+# os_flavor - OS flavor as a string (e.g.: "XP", "2000")
+# os_sp - OS service pack (e.g.: "SP2", will be empty on non-Windows)
+# os_lang - OS language (e.g.: "en-us")
+# ua_name - Client name, one of the Msf::HttpClients constants
+# ua_version - Client version as a string (e.g.: "3.5.1", "6.0;SP2")
+# arch - Architecture, one of the ARCH_* constants
+#
+# The following functions work on the version returned in obj.ua_version
+#
+# ua_ver_cmp(a, b): returns -1, 0, or 1 based on whether a < b, a == b, or a > b respectively
+# ua_ver_lt(a, b): returns true if a < b
+# ua_ver_gt(a, b): returns true if a > b
+# ua_ver_eq(a, b): returns true if a == b
+#
+class OSDetect < JSObfu
+
+ def initialize(custom_js = '', opts = {})
+ @js = custom_js
+ @js += ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "os.js"))
+
+ super @js
+
+ return @js
+ end
+
+end
+end
+end
+end
diff --git a/lib/rex/exploitation/js/utils.rb b/lib/rex/exploitation/js/utils.rb
new file mode 100644
index 0000000000..45fdb216ee
--- /dev/null
+++ b/lib/rex/exploitation/js/utils.rb
@@ -0,0 +1,33 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+require 'rex/text'
+
+require 'rex/exploitation/jsobfu'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Javascript utilities
+#
+class Utils
+
+ def self.base64
+ js = ::File.read(::File.join(Msf::Config.data_directory, "js", "utils", "base64.js"))
+
+ opts = {
+ 'Symbols' => {
+ 'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx
+ input output chr chr1 chr2 chr3 enc1 enc2 enc3 enc4 },
+ 'Methods' => %w{ _utf8_encode _utf8_decode encode decode }
+ }
+ }
+
+ ::Rex::Exploitation::ObfuscateJS.new(js, opts).to_s
+ end
+
+end
+end
+end
+end
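Review bot: `Utils.base64` ends with `.to_s` while the four other `ObfuscateJS` call sites in this patch (memory.rb, network.rb) end with `.obfuscate`; if `ObfuscateJS#to_s` merely returns the code handed to the constructor — the class is not in this patch, so this is inferred — the `opts` Symbols hash is never applied here and `base64` returns the script unchanged, making the carefully listed variable and method names dead configuration. Either make the call sites agree or add a comment above `def self.base64` stating that base64.js is intentionally returned verbatim. Also, `require 'rex/exploitation/jsobfu'` is unused in this file (nothing here references `JSObfu`), whereas `Rex::Exploitation::ObfuscateJS`, which is used, is not required.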