urule99/jsunpack-n · GitHub
jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities.
It accepts many different types of input:
PDF files - samples/sample-pdf.file
Packet Captures - samples/sample-http-exploit.pcap
HTML files
JavaScript files
SWF files
Download the source
svn checkout http://jsunpack-n.googlecode.com/svn/trunk/ jsunpack-n-read-only
Install pynids
$ cd depends/pynids-0.6.1/
$ sudo apt-get install libpcap-dev pkg-config python-dev libgtk2.0-dev libnet1-dev
$ python setup.py build
$ sudo python setup.py install
Install js (the SpiderMonkey shell jsunpack-n uses to run extracted JavaScript)
$ cd ../js-1.8.0-rc1-src/
$ make BUILD_OPT=1 -f Makefile.ref
$ file ./Linux_All_OPT.OBJ/js
./Linux_All_OPT.OBJ/js: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
$ sudo cp ./Linux_All_OPT.OBJ/js /usr/local/bin/
Install yara
$ cd ../yara-1.4/
$ sudo apt-get install libpcre3 libpcre3-dev
$ ./configure
$ make
$ sudo make install
$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
$ sudo ldconfig
Install yara-python
$ cd ../yara-python-1.4/
$ python setup.py build
$ sudo python setup.py install
Install python-beautifulsoup
$ cd ..
$ sudo apt-get install python-beautifulsoup
Install pycrypto
$ cd pycrypto-2.1.0
$ python setup.py build
$ sudo python setup.py install
Verify jsunpack-n against the bundled samples
$ cd ../../
$ tar zxvf samples.tgz
$ ./jsunpackn.py -V samples/pdf.file
[malicious:10] [PDF] samples/pdf.file
info: [decodingLevel=0] JavaScript in PDF 7299 bytes, with 929 bytes headers
suspicious: PDFobfuscation detected Collab[
info: [decodingLevel=1] found JavaScript
malicious: CollabgetIcon CVE-2009-0927 detected
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode NOP len 9999 //warning CVE-NO-MATCH Shellcode NOP len 261283 //warning CVE-NO-MATCH Shellcode NOP len 847 //warning CVE-NO-MATCH Shellcode Engine Length 129358 //warning CVE-NO-MATCH Shellcode NOP len 121 //warning CVE-NO-MATCH Shellcode NOP len 1023
malicious: shellcode of length 1451/847
malicious: XOR key [shellcode]: 33
malicious: shellcode [xor] URL=b35.info/w/who.exe
info: [2] no JavaScript
info: file: saved samples/pdf.file to (./files/original_c34022681fa89171fc803baeb2b120400bc1775f)
file: decoding_0c2b24bcbd8417022c0c3e2aaba0fac462b9110c: 8228 bytes
file: decoding_92253c630dcc31a81f81a8234429a9a9c1cd716b: 5037 bytes
file: shellcode_9e91c6f7ac43d4b404c9793f64e7617a2f257cba: 1451 bytes
file: original_c34022681fa89171fc803baeb2b120400bc1775f: 23384 bytes
[not analyzed] (shellcode) b35.info/w/who.exe
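The report above is what you read by hand for one file; when jsunpack-n is run over a batch of samples or a pcap (which yields one such block per URL) it helps to turn the text into structured data. The script below is an added example for this page, not part of jsunpack-n: it splits `-V` output into per-sample reports on the `[verdict:score] [type] path` header lines, pulls out the CVE identifiers, the URLs that shellcode decoding revealed, the saved artifacts with their SHA-1 names and sizes, and the `[not analyzed]` targets that jsunpack-n listed but did not fetch. The embedded report is a constructed, abridged copy of the output shown above so the script runs offline; the line labels (`malicious:`, `suspicious:`, `info:`, `file:`, `[not analyzed]`) are taken from that output, while the field names in the returned dict and the helper names are assumptions of this example.

```python
"""Parse jsunpack-n ``-V`` text reports into structured summaries.

Added example for this page; it is not jsunpack-n's own code.  The labels it
matches are those visible in the sample report; everything else is assumed.
"""
import re

# Constructed sample (abridged copy of the report jsunpack-n printed above).
SAMPLE_REPORT = """\
[malicious:10] [PDF] samples/pdf.file
info: [decodingLevel=0] JavaScript in PDF 7299 bytes, with 929 bytes headers
suspicious: PDFobfuscation detected Collab[
info: [decodingLevel=1] found JavaScript
malicious: CollabgetIcon CVE-2009-0927 detected
suspicious: Warning detected //warning CVE-NO-MATCH Shellcode NOP len 9999 //warning CVE-NO-MATCH Shellcode NOP len 847
malicious: shellcode of length 1451/847
malicious: XOR key [shellcode]: 33
malicious: shellcode [xor] URL=b35.info/w/who.exe
info: [2] no JavaScript
info: file: saved samples/pdf.file to (./files/original_c34022681fa89171fc803baeb2b120400bc1775f)
file: decoding_0c2b24bcbd8417022c0c3e2aaba0fac462b9110c: 8228 bytes
file: shellcode_9e91c6f7ac43d4b404c9793f64e7617a2f257cba: 1451 bytes
file: original_c34022681fa89171fc803baeb2b120400bc1775f: 23384 bytes
[not analyzed] (shellcode) b35.info/w/who.exe
"""

# One report starts at a "[verdict:score] [type] path" line.  "[not analyzed]"
# does not match because of the space inside the brackets.
HEADER_RE = re.compile(r"^\[(\w+):(\d+)\] \[([^\]]+)\] (.+)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")          # skips CVE-NO-MATCH
URL_RE = re.compile(r"URL=(\S+)")
FILE_RE = re.compile(r"^file: (\w+)_([0-9a-f]{40}): (\d+) bytes$")
NOT_ANALYZED_RE = re.compile(r"^\[not analyzed\] \(([^)]+)\) (\S+)$")


def _new_report(verdict, score, kind, path):
    return {"verdict": verdict, "score": score, "type": kind, "path": path,
            "cves": [], "urls": [], "malicious": [], "suspicious": [],
            "artifacts": [], "not_analyzed": []}


def parse_reports(text):
    """Return a list of report dicts, one per header line in ``text``."""
    reports = []
    cur = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            cur = _new_report(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            reports.append(cur)
            continue
        if cur is None:          # preamble before the first header: ignore
            continue
        m = FILE_RE.match(line)  # "info: file: saved ..." is not matched (anchored)
        if m:
            cur["artifacts"].append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = NOT_ANALYZED_RE.match(line)
        if m:
            cur["not_analyzed"].append((m.group(1), m.group(2)))
            continue
        if line.startswith("malicious: "):
            msg = line[len("malicious: "):]
            cur["malicious"].append(msg)
            cur["cves"].extend(c for c in CVE_RE.findall(msg) if c not in cur["cves"])
            cur["urls"].extend(u for u in URL_RE.findall(msg) if u not in cur["urls"])
        elif line.startswith("suspicious: "):
            cur["suspicious"].append(line[len("suspicious: "):])
    return reports


def iocs(report):
    """Network indicators: URLs from decoded shellcode plus unfetched targets.

    jsunpack-n lists these but does not download them, so they are leads for
    offline lookup, not something to fetch from the analysis box."""
    found = set(report["urls"])
    found.update(target for _src, target in report["not_analyzed"])
    return sorted(found)


def triage_line(report):
    """One-line summary suitable for a batch log."""
    return "%s score=%d %s %s cves=%s iocs=%s" % (
        report["verdict"], report["score"], report["type"], report["path"],
        ",".join(report["cves"]) or "-", ",".join(iocs(report)) or "-")


if __name__ == "__main__":
    for r in parse_reports(SAMPLE_REPORT):
        print(triage_line(r))
```

On real output pipe the report in (`./jsunpackn.py -V samples/pdf.file | python parse_report.py`, reading `sys.stdin` instead of `SAMPLE_REPORT`); the per-report dict keeps the artifact SHA-1 names so you can pick up the decoded JavaScript and the extracted shellcode from `./files/` for further analysis.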