Class: Rex::Exploitation::EncryptJS

Inherits: Object

Defined in: lib/rex/exploitation/encryptjs.rb

Overview

Encrypts JavaScript code.

Class Method Details

.encrypt(js, key) ⇒ Object

Encrypts a JavaScript string.

Encrypts a JavaScript string via XOR using a given key. The key must be passed to the executed JavaScript so that it can decrypt itself. The provided loader reads the key from "location.search.substring(1)", i.e. the query string of the page URL.

This is intended to evade detection of the file on its own, because information that is not part of the file (the key) is needed to recover the original JavaScript code.

Example:

  js = <<ENDJS
  function say_hi() {
    var foo = "Hello, world";
    document.writeln(foo);
  }
  ENDJS
  key = 'secret'
  js_encrypted = EncryptJS.encrypt(js, key)

You might use something like this in exploit modules to pass the key to the JavaScript (redirecting to the same page with the key in the query string if it is not already present):

  if (!request.uri.match(/\?\w+/))
    send_local_redirect(cli, "?#{@key}")
    return
  end
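The scheme above is a byte-wise XOR with a cycled key, hex-encoded on the wire and undone by the loader in the browser. The following Ruby is an added, stand-alone model of that round trip (not Rex's own code) together with an analyst-side helper that recovers the original script from a captured loader body plus the key seen in the request URL. It assumes that Rex::Encoding::Xor::Generic.encode cycles the key byte by byte, which is what the loader's `charCodeAt(i % pass.length)` loop expects; the helper names, the regex for the hex literal and the sample script are constructed for this example.

```ruby
# Added example, not part of Rex. Models EncryptJS's XOR/hex scheme in plain
# Ruby and shows how an analyst can recover the payload from a captured
# loader when the key was observed in the request's query string.

# Mirrors Rex::Encoding::Xor::Generic.encode(js, key)[0].unpack("H*")[0]
# under the assumption (not verified against Rex here) that the generic XOR
# cycles the key byte-wise, matching the loader's decrypt loop.
def xor_hex_encode(js, key)
  raise ArgumentError, 'key must not be empty' if key.empty? # loader would divide by zero-length pass
  flat = js.gsub(/[\r\n]/, '')            # encrypt strips line breaks first (non-mutating here)
  key_bytes = key.bytes
  xored = flat.bytes.each_with_index.map { |b, i| b ^ key_bytes[i % key_bytes.size] }
  xored.pack('C*').unpack1('H*')
end

# Ruby equivalent of the two loops in the JavaScript loader:
# hex -> bytes, then XOR each byte with the cycled key.
def xor_hex_decode(hex, key)
  raise ArgumentError, 'key must not be empty' if key.empty?
  key_bytes = key.bytes
  bytes = [hex].pack('H*').bytes.each_with_index.map { |b, i| b ^ key_bytes[i % key_bytes.size] }
  bytes.pack('C*').force_encoding(Encoding::UTF_8)
end

# Constructed pattern: the hex blob is the first single-quoted hex-only string
# literal in the loader ('Strings' => false leaves it unobfuscated).
HEX_LITERAL = /'([0-9a-f]+)'/i

# Analyst helper: take the loader as served and the URL it was fetched with,
# extract the blob and the key (everything after "?"), and decrypt. Returns
# nil when either piece is missing rather than feeding garbage to the XOR.
def recover_payload(loader_source, request_url)
  query = request_url.split('?', 2)[1].to_s
  return nil if query.empty?
  m = loader_source.match(HEX_LITERAL)
  return nil unless m
  xor_hex_decode(m[1], query)
end

# --- constructed sample input ------------------------------------------------
SAMPLE_JS  = "function say_hi() {\n  var foo = \"Hello, world\";\n  document.writeln(foo);\n}\n"
SAMPLE_KEY = 'secret'

if __FILE__ == $PROGRAM_NAME
  blob   = xor_hex_encode(SAMPLE_JS, SAMPLE_KEY)
  loader = "var exploit = '#{blob}';"    # minimal stand-in for the served loader
  puts "hex blob: #{blob}"
  puts "recovered: #{recover_payload(loader, "http://host.invalid/index.html?#{SAMPLE_KEY}")}"
end
```

Two points worth noting from the defender's side: the blob alone is indistinguishable from random hex, so signatures on the served file are weak, but the key travels in the clear in the URL and therefore appears in proxy and web-server logs; once both the loader and the request URL are captured, recovery is a few lines. The empty-key guard covers the case where the loader runs without a query string, in which case the JavaScript's `i % pass.length` yields NaN and the decrypt silently produces nothing useful.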

# File 'lib/rex/exploitation/encryptjs.rb', line 44

def self.encrypt(js, key)
  js.gsub!(/[\r\n]/, '')

  encoded = Rex::Encoding::Xor::Generic.encode(js, key)[0].unpack("H*")[0]

  # obfuscate the eval call to circumvent generic detection
  eval = 'eval'.split(//).join(Rex::Text.rand_text_alpha(rand(5)).upcase)
  eval_call = 'window["' + eval + '".replace(/[A-Z]/g,"")]'

  js_loader = Rex::Exploitation::ObfuscateJS.new <<-ENDJS
  var exploit = '#{encoded}';
  var encoded = '';
  for (i = 0;i<exploit.length;i+=2) {
    encoded += String.fromCharCode(parseInt(exploit.substring(i, i+2), 16));
  }
  var pass = location.search.substring(1);
  var decoded = '';
  for (i=0;i<encoded.length;i++) {
    decoded += String.fromCharCode(encoded.charCodeAt(i) ^ pass.charCodeAt(i%pass.length));
  }
  #{eval_call}(decoded);
  ENDJS

  js_loader.obfuscate(
    'Symbols' => {
      'Variables' => [ 'exploit', 'encoded', 'pass', 'decoded' ],
    },
    'Strings' => false
  )
end