Bug #1003

javascript string obfuscator generates incorrect output

Added by Joshua J. Drake almost 2 years ago. Updated 3 months ago.

Status: Rejected
Start date: 03/03/2010
Priority: Low
Due date:
Assignee: James Lee
% Done: 0%
Category: general
Target version: Metasploit 4.3.0
Resolution: invalid
Release Note:

Description

While writing exploit/windows/browser/chilkat_crypt_writefile, I ran into some issues with the JS obfuscator. Some of these issues are known, some may not be.

The first issue I ran into was the global replacing of '//.*' with ''. This was done irrespective of being inside a string or not. James changed the behavior (in r8702) to remove comments after string encoding instead. However, this doesn't help when string obfuscations are not used. The workaround is to manually encode occurrences of '//' in order to avoid this replacing.

In one case it generated output that caused IE to run out of memory, weird! Unfortunately, I don't have the test case available. It was with strings=>true for the chilkat exploit.

In general, it seems that more testing needs to be done to ensure the output is guaranteed to be identical in function to the input. Unfortunately, this probably means a much more sophisticated lexer/parser is needed to tokenize the input with some context taken into account. As is, the obfuscator is likely to negatively affect exploit reliability when used.

chilkat_jsencrypt.patch (1.1 kB) Sven Taute, 03/04/2010 03:36 pm
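
The comment-stripping defect described above, shown as an added example (this is not code from the issue, the attached patch, or Metasploit's obfuscatejs.rb). The first function reproduces the behaviour the report describes: a global `//.*` replacement that does not know whether it is inside a string literal, so a constructed sample containing `"http://..."` is truncated. The second is a minimal state machine that tracks single- and double-quoted string context (with backslash escapes) and only removes `//` and `/* */` comments that occur outside strings. The sample JavaScript and both function names are constructed for this illustration.

```ruby
# Added example; not code from Metasploit or obfuscatejs.rb.
# Constructed JavaScript sample: the "//" inside the string literals is data,
# not a comment, and must survive comment removal.
SAMPLE_JS = <<~JS
  var url = "http://example.test/path"; // fetch target
  var re = 'a//b'; /* inline block */ var x = 1;
JS

# The behaviour described in the report: everything from "//" to end of line
# is dropped, regardless of whether it sits inside a string literal.
def strip_comments_naive(js)
  js.gsub(%r{//.*}, '')
end

# Context-aware alternative: a small scanner that tracks whether it is inside
# a single- or double-quoted string (honouring backslash escapes) and removes
# only "//" line comments and "/* */" block comments found outside strings.
# The newline after a line comment is preserved so line structure survives.
def strip_comments_aware(js)
  out = String.new
  quote = nil
  i = 0
  n = js.length
  while i < n
    c = js[i]
    if quote
      # Inside a string: copy through, including escaped characters.
      out << c
      if c == '\\' && i + 1 < n
        out << js[i + 1]
        i += 2
        next
      end
      quote = nil if c == quote
      i += 1
    elsif c == '"' || c == "'"
      quote = c
      out << c
      i += 1
    elsif js[i, 2] == '//'
      nl = js.index("\n", i)
      i = nl || n # skip to end of line; the newline itself is copied next
    elsif js[i, 2] == '/*'
      close = js.index('*/', i + 2)
      i = close ? close + 2 : n
    else
      out << c
      i += 1
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:\n#{strip_comments_naive(SAMPLE_JS)}"
  puts "aware:\n#{strip_comments_aware(SAMPLE_JS)}"
end
```

The naive version returns `var url = "http:` for the first line, which is exactly the kind of functionally different output the report warns will hurt reliability. The aware version is still only a partial lexer: it does not recognise JavaScript regex literals or template strings, so a `//` inside `/[/]/`-style regex literals could still be misread. That is why the description argues for a real tokenizer, and why the later rewrite noted under Associated revisions moved to a parser (rkelly) rather than regexes.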


Related issues

related to Metasploit Framework - Feature #3163: support a bunch of alternative javascript encoding mechan... New 11/10/2010

Associated revisions

Revision bee19278
Added by James Lee 8 months ago

add a new javascript obfuscation engine using rkelly for parsing. use it in browser_autopwn and ms10_018_ie_behaviors. see #1003

git-svn-id: file:///home/svn/framework3/trunk@12839 4d416f70-5f16-0410-b530-b9f4589650da

History

Updated by Sven Taute almost 2 years ago

The changes introduced to obfuscatejs.rb with revision 8690 seem to break existing code that relies on the obfuscator.
The JS Encrypter (lib/rex/exploitation/encryptjs.rb) is used in the msvidctl_mpeg2 exploit and also works with the ie_aurora exploit (see patch on msf mailing list). The encrypter itself uses the obfuscator but does not work with the new version of obfuscatejs.rb anymore.

Another problem is that some exploits do not only need code that is identical in function but also in some other aspects, especially if the exploit is triggered under some odd circumstances.

I would suggest reverting the changes to obfuscatejs.rb for now and using the encrypter for the chilkat exploit, which works pretty well against AV detection.
The attached patch works with obfuscatejs.rb revision 7211.
(As I developed the encrypter, my opinion may not be unbiased...)

Updated by HD Moore almost 2 years ago

  • Target version set to 18

Updated by HD Moore almost 2 years ago

  • Target version changed from 18 to Metasploit 3.4.0

Updated by Joshua J. Drake almost 2 years ago

  • Assignee changed from Joshua J. Drake to James Lee

Assigning to James for now.

Updated by Joshua J. Drake almost 2 years ago

  • Subject changed from JS string obfuscator has issues to javascript string obfuscator generates incorrect output

Updated by James Lee over 1 year ago

  • Target version changed from Metasploit 3.4.0 to Metasploit 3.4.1

Updated by James Lee over 1 year ago

  • Target version changed from Metasploit 3.4.1 to Metasploit 3.5.0

Updated by James Lee about 1 year ago

  • Target version changed from Metasploit 3.5.0 to Metasploit 3.6

Updated by HD Moore 4 months ago

  • Target version changed from Metasploit 3.6 to Open Backlog

Updated by Tod Beardsley 4 months ago

  • Status changed from New to HavePatch
  • Target version changed from Open Backlog to Metasploit 4.3.0
  • 10 set to 0

Updated by Tod Beardsley 3 months ago

  • Category changed from modules - exploits to general
  • Status changed from HavePatch to Rejected
  • Resolution set to invalid

Since Sven's chilkat_jsencrypt.patch is against the old obfuscator circa r8690, and James has since swapped out the obfuscator in r12839, I don't believe this patch is relevant any more. Please reopen if I've misunderstood the situation.
