Class: Rex::Exploitation::EncryptJS

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/exploitation/encryptjs.rb

Overview

Encrypts javascript code

Class Method Summary collapse

Class Method Details

.encrypt(js, key) ⇒ Object

Encrypts a javascript string.

Encrypts a javascript string via XOR using a given key. The key must be passed to the executed javascript so that it can decrypt itself. The provided loader gets the key from “location.search.substring(1)”

This should bypass any detection of the file itself as information not part of the file is needed to decrypt the original javascript code.

Example: <code> js = <<ENDJS

function say_hi() {
    var foo = "Hello, world";
    document.writeln(foo);
}

ENDJS key = 'secret' js_encrypted = EncryptJS.encrypt(js, key) </code>

You might use something like this in exploit modules to pass the key to the javascript <code> if (!request.uri.match(/?w+/))

send_local_redirect(cli, "?#{@key}")
return

end </code>


44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# File 'lib/rex/exploitation/encryptjs.rb', line 44

def self.encrypt(js, key)
  js.gsub!(/[\r\n]/, '')

  encoded = Rex::Encoding::Xor::Generic.encode(js, key)[0].unpack("H*")[0]

  # obfuscate the eval call to circumvent generic detection
  eval = 'eval'.split(//).join(Rex::Text.rand_text_alpha(rand(5)).upcase)
  eval_call = 'window["' + eval + '".replace(/[A-Z]/g,"")]'

  js_loader = Rex::Exploitation::ObfuscateJS.new <<-ENDJS
  var exploit = '#{encoded}';
  var encoded = '';
  for (i = 0;i<exploit.length;i+=2) {
    encoded += String.fromCharCode(parseInt(exploit.substring(i, i+2), 16));
  }
  var pass = location.search.substring(1);
  var decoded = '';
  for (i=0;i<encoded.length;i++) {
    decoded += String.fromCharCode(encoded.charCodeAt(i) ^ pass.charCodeAt(i%pass.length));
  }
  #{eval_call}(decoded);
  ENDJS

  js_loader.obfuscate(
    'Symbols' => {
      'Variables' => [ 'exploit', 'encoded', 'pass', 'decoded' ],
    },
    'Strings' => false
  )
end