class Rex::Exploitation::EncryptJS
Encrypts javascript code
Public Class Methods
encrypt(js, key)
click to toggle source
Encrypts a javascript string.
Encrypts a javascript string via XOR using a given key. The key must be passed to the executed javascript so that it can decrypt itself. The provided loader gets the key from “location.search.substring(1)”
This should bypass any detection of the file itself as information not part of the file is needed to decrypt the original javascript code.
Example: <code> js = <<ENDJS
function say_hi() { var foo = "Hello, world"; document.writeln(foo); }
ENDJS key = ‘secret’ js_encrypted = EncryptJS.encrypt
(js, key) </code>
You might use something like this in exploit modules to pass the key to the javascript <code> if (!request.uri.match(/?w+/))
send_local_redirect(cli, "?#{@key}") return
end </code>
# File lib/rex/exploitation/encryptjs.rb, line 43 def self.encrypt(js, key) js.gsub!(/[\r\n]/, '') encoded = Rex::Encoding::Xor::Generic.encode(js, key)[0].unpack("H*")[0] # obfuscate the eval call to circumvent generic detection eval = 'eval'.split(//).join(Rex::Text.rand_text_alpha(rand(5)).upcase) eval_call = 'window["' + eval + '".replace(/[A-Z]/g,"")]' js_loader = Rex::Exploitation::ObfuscateJS.new <<-ENDJS var exploit = '#{encoded}'; var encoded = ''; for (i = 0;i<exploit.length;i+=2) { encoded += String.fromCharCode(parseInt(exploit.substring(i, i+2), 16)); } var pass = location.search.substring(1); var decoded = ''; for (i=0;i<encoded.length;i++) { decoded += String.fromCharCode(encoded.charCodeAt(i) ^ pass.charCodeAt(i%pass.length)); } #{eval_call}(decoded); ENDJS js_loader.obfuscate( 'Symbols' => { 'Variables' => [ 'exploit', 'encoded', 'pass', 'decoded' ], }, 'Strings' => false ) end