[ubuntu1010] Installing JSUNPACK on a local machine

urule99/jsunpack-n · GitHub
jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:

- PDF files - samples/sample-pdf.file
- Packet Captures - samples/sample-http-exploit.pcap
- HTML files
- JavaScript files
- SWF files
Download the source

```
svn checkout http://jsunpack-n.googlecode.com/svn/trunk/ jsunpack-n-read-only
```

Install pynids

```
$ cd depends/pynids-0.6.1/
$ apt-get install libpcap-dev pkg-config python-dev libgtk2.0-dev libnet1-dev
$ python setup.py build
$ python setup.py install
```

Install js (the SpiderMonkey shell used to run extracted JavaScript)

```
$ cd ../js-1.8.0-rc1-src/
$ make BUILD_OPT=1 -f Makefile.ref
$ file ./Linux_All_OPT.OBJ/js
./Linux_All_OPT.OBJ/js: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
$ sudo cp ./Linux_All_OPT.OBJ/js /usr/local/bin/
```

Install yara

```
$ cd ../yara-1.4/
$ apt-get install libpcre3 libpcre3-dev
$ ./configure
$ make
$ make install
# the ">>" redirect runs as the unprivileged user, so "sudo echo ... >>" fails; tee -a runs the write under sudo
$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
$ sudo ldconfig
```

Install yara-python

```
$ cd ../yara-python-1.4/
$ python setup.py build
$ sudo python setup.py install
```

Install python-beautifulsoup

```
$ cd ..
$ apt-get install python-beautifulsoup
```

Install pycrypto

```
$ cd pycrypto-2.1.0
$ python setup.py build
$ python setup.py install
```

Verify jsunpackn

```
$ cd ../../
$ tar zxvf samples.tgz
$ ./jsunpackn.py -V samples/pdf.file
[malicious:10] [PDF] samples/pdf.file
info: [decodingLevel=0] JavaScript in PDF 7299 bytes, with 929 bytes headers
suspicious: PDFobfuscation detected Collab[
info: [decodingLevel=1] found JavaScript
malicious: CollabgetIcon CVE-2009-0927 detected
suspicious: Warning detected
//warning CVE-NO-MATCH Shellcode NOP len 9999
//warning CVE-NO-MATCH Shellcode NOP len 261283
//warning CVE-NO-MATCH Shellcode NOP len 847
//warning CVE-NO-MATCH Shellcode Engine Length 129358
//warning CVE-NO-MATCH Shellcode NOP len 121
//warning CVE-NO-MATCH Shellcode NOP len 1023
malicious: shellcode of length 1451/847
malicious: XOR key [shellcode]: 33
malicious: shellcode [xor] URL=b35.info/w/who.exe
info: [2] no JavaScript
info: file: saved samples/pdf.file to (./files/original_c34022681fa89171fc803baeb2b120400bc1775f)
file: decoding_0c2b24bcbd8417022c0c3e2aaba0fac462b9110c: 8228 bytes
file: decoding_92253c630dcc31a81f81a8234429a9a9c1cd716b: 5037 bytes
file: shellcode_9e91c6f7ac43d4b404c9793f64e7617a2f257cba: 1451 bytes
file: original_c34022681fa89171fc803baeb2b120400bc1775f: 23384 bytes
[not analyzed] (shellcode) b35.info/w/who.exe
```
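The `-V` output above is what an analyst actually has to triage: a verdict header, a mix of `info:`/`suspicious:`/`malicious:` findings, and the list of artifacts jsunpack-n dropped under `./files/`. The following is an added example (my own code, not part of jsunpack-n) that turns that text into a structured record so the verdict, detected CVE ids, extracted URLs and dropped-file inventory can be fed to a ticket or a SIEM instead of being read by eye. It assumes the line layout shown in the session above; the field names and the `needs_escalation` threshold are my own choices, and the fixture is the sample output copied from the run above.

```python
"""Parse jsunpack-n `-V` output into a structured triage record.

Added example, not part of jsunpack-n. It assumes the verbose layout seen in
the session above: a "[verdict:score] [TYPE] path" header followed by
info:/suspicious:/malicious:/file: lines and optional "[not analyzed]" lines.
"""
import json
import re
from collections import Counter

# Constructed fixture: the lines jsunpack-n printed for samples/pdf.file above.
SAMPLE_OUTPUT = """\
[malicious:10] [PDF] samples/pdf.file
info: [decodingLevel=0] JavaScript in PDF 7299 bytes, with 929 bytes headers
suspicious: PDFobfuscation detected Collab[
info: [decodingLevel=1] found JavaScript
malicious: CollabgetIcon CVE-2009-0927 detected
suspicious: Warning detected
//warning CVE-NO-MATCH Shellcode NOP len 9999
//warning CVE-NO-MATCH Shellcode NOP len 261283
//warning CVE-NO-MATCH Shellcode NOP len 847
//warning CVE-NO-MATCH Shellcode Engine Length 129358
//warning CVE-NO-MATCH Shellcode NOP len 121
//warning CVE-NO-MATCH Shellcode NOP len 1023
malicious: shellcode of length 1451/847
malicious: XOR key [shellcode]: 33
malicious: shellcode [xor] URL=b35.info/w/who.exe
info: [2] no JavaScript
info: file: saved samples/pdf.file to (./files/original_c34022681fa89171fc803baeb2b120400bc1775f)
file: decoding_0c2b24bcbd8417022c0c3e2aaba0fac462b9110c: 8228 bytes
file: decoding_92253c630dcc31a81f81a8234429a9a9c1cd716b: 5037 bytes
file: shellcode_9e91c6f7ac43d4b404c9793f64e7617a2f257cba: 1451 bytes
file: original_c34022681fa89171fc803baeb2b120400bc1775f: 23384 bytes
[not analyzed] (shellcode) b35.info/w/who.exe
"""

HEADER_RE = re.compile(r"^\[(?P<verdict>\w+):(?P<score>\d+)\]\s+\[(?P<ftype>\w+)\]\s+(?P<path>\S+)")
FINDING_RE = re.compile(r"^(?P<level>info|suspicious|malicious):\s*(?P<text>.*)$")
ARTIFACT_RE = re.compile(r"^file:\s+(?P<name>\S+):\s+(?P<size>\d+)\s+bytes$")
NOT_ANALYZED_RE = re.compile(r"^\[not analyzed\]\s+\((?P<kind>[^)]+)\)\s+(?P<target>\S+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")  # real ids only; "CVE-NO-MATCH" never matches
URL_RE = re.compile(r"URL=(?P<url>\S+)")


def parse_jsunpack(output):
    """Return a dict describing one analysed file from jsunpack-n -V text."""
    report = {"verdict": None, "score": 0, "filetype": None, "path": None,
              "counts": Counter(), "cves": [], "urls": [], "warnings": 0,
              "artifacts": {}, "not_analyzed": []}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        # "//warning ..." lines (shellcode heuristics) carry no level prefix
        report["warnings"] += line.count("//warning")
        m = HEADER_RE.match(line)
        if m:
            report.update(verdict=m["verdict"], score=int(m["score"]),
                          filetype=m["ftype"], path=m["path"])
            continue
        m = FINDING_RE.match(line)
        if m:
            level, text = m["level"], m["text"]
            report["counts"][level] += 1
            for cve in CVE_RE.findall(text):
                if cve not in report["cves"]:
                    report["cves"].append(cve)
            for url in URL_RE.findall(text):
                if url not in report["urls"]:
                    report["urls"].append(url)
            continue
        m = ARTIFACT_RE.match(line)
        if m:
            # dropped-file inventory: name under ./files/ -> size in bytes
            report["artifacts"][m["name"]] = int(m["size"])
            continue
        m = NOT_ANALYZED_RE.match(line)
        if m:
            report["not_analyzed"].append((m["kind"], m["target"]))
    return report


def needs_escalation(report, min_score=5):
    """Hypothetical triage rule: escalate on a malicious verdict, a high
    score, a matched CVE, or any URL recovered from shellcode."""
    return (report["verdict"] == "malicious" or report["score"] >= min_score
            or bool(report["cves"]) or bool(report["urls"]))


if __name__ == "__main__":
    rec = parse_jsunpack(SAMPLE_OUTPUT)
    rec["counts"] = dict(rec["counts"])
    rec["escalate"] = needs_escalation(rec)
    print(json.dumps(rec, indent=2))
```

To use it on a real run, pipe `./jsunpackn.py -V <sample>` into the script (or pass the captured text to `parse_jsunpack`); the URL recovered from the shellcode and the artifact hashes are the values worth carrying into a blocklist or a case record, and the `warnings` count lets you spot runs where only heuristic NOP-sled matches fired without a CVE signature.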