forked from urule99/jsunpack-n
-
Notifications
You must be signed in to change notification settings - Fork 0
/
post.js
82 lines (76 loc) · 2.57 KB
/
post.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
// post processing, run this file after the main js file is interpreted.
// print out results
//document.myd_data();
if (window.onload){
window.onload();
}
if (intervalExec){
eval(intervalExec);
}
if ( elementn > 100){
print ('\n//alert CVE-2010-0249 MSIEUseAfterFree (CreateElement called ' + elementn + ' times)');
}
if ( elementn > -1 ){
for (var i = 0; i <= elementn; i++){
print ('\n//jsunpack.url '+ elements[i].src);
}
}
if ( windowlocation != window.location){
print ("\n//jsunpack.location '" + window.location + "' where windowlocation = '" + windowlocation + "'");
}
if(documenttxt){
print ('\n//document.write (s)\n');
print (documenttxt);
}
//finalvars = [];
//finalcount = 0;
for (var i in this){
var objlen = 0;
if (typeof this[i] == 'object'){
tmp = String(this[i]); //this[i] = String(this[i]);
objlen = tmp.length;
if (objlen > 10000){ //Memory/performance intensive beyond this
this[i] = tmp.substring(0,10000);
}
}
if (typeof this[i] == 'string' && i != 'documenttxt' && i != 'i' && i != 'txtzzz'){
//if (escape(this[i]).match(/^(%u.{4})+(%..)*$/)){ //STRICT SHELLCODE DETECTION (disabled by default)
if (escape(this[i]).match(/%u/)){ //LOOSE SHELLCODE DETECTION (enabled by default)
var prelen = this[i].length;
if (prelen > 100){
this[i] = this[i].replace(/(.)\1{10}/g,'');
//NOPs
}
var postlen = this[i].length;
if (prelen - postlen > 100){
print ('//warning CVE-NO-MATCH Shellcode NOP len ' + (prelen - postlen));
}
if (objlen > prelen){
prelen = objlen;
}
print ('//shellcode len ' + prelen + ' (including any NOPs) ' + i + ' = ' + escape(this[i]));
}
else if (this[i].match(/http:/)){
var newurl = this[i];
if (newurl.length > 255){
newurl = newurl.substring(0,255);
}
print ('//jsunpack.url var ' + i + ' = ' + newurl + '\n');
}
else if (this[i].match(/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/i)){
print ('//info.ActiveXObject '+this[i]+'\n');
}
//else {
//[DEBUG] VERY noisy
//print (i + ' = ' + this[i]);
//}
/*if (this[i].toSource().length < 100000){
finalvars[finalcount] = '//jsunpack.var ' + i; //' = ' + this[i].toSource();
finalcount++;
}*/
}
}
/*print ('//jsunpack.final variable enumeration');
for (var f in finalvars){
print (finalvars[f]);
}*/