From aee0b1e50f2b9e998273620421aa10910f0607df Mon Sep 17 00:00:00 2001
From: antisnatchor
Date: Wed, 23 May 2012 13:44:41 +0100
Subject: [PATCH] Evasion: scramble now stores random values in the config object, in order to be re-used later on in a consistent way.
---
 extensions/evasion/config.yaml | 4 ++-
 extensions/evasion/evasion.rb | 4 +++
 extensions/evasion/extension.rb | 1 +
 extensions/evasion/obfuscation/base_64.rb | 9 +-----
 extensions/evasion/obfuscation/scramble.rb | 32 ++++++++++------------
 5 files changed, 23 insertions(+), 27 deletions(-)
diff --git a/extensions/evasion/config.yaml b/extensions/evasion/config.yaml
index d8603a43d..eae73d1f3 100644
--- a/extensions/evasion/config.yaml
+++ b/extensions/evasion/config.yaml
@@ -20,5 +20,7 @@ beef:
 name: 'Evasion'
 authors: ["antisnatchor"]
 scramble_variables: true
- to_scramble: ["beef", "Beef"]
+ scramble:
+ beef: "beef"
+ Beef: "Beef"
 chain: ["scramble","minify","base_64"]
\ No newline at end of file
diff --git a/extensions/evasion/evasion.rb b/extensions/evasion/evasion.rb
index 1ce45b1e7..044e63b7b 100644
--- a/extensions/evasion/evasion.rb
+++ b/extensions/evasion/evasion.rb
@@ -29,6 +29,10 @@ module BeEF
 @input = apply_chain(input, @@techniques)
 end
+ def inject_boostrapper(input)
+ # add stuff at the end, only once (when serving the initial init javascript)
+ end
+
 def apply_chain(input, techniques)
 @output = input
 techniques.each do |technique|
diff --git a/extensions/evasion/extension.rb b/extensions/evasion/extension.rb
index dc81f5200..ce1fc360e 100644
--- a/extensions/evasion/extension.rb
+++ b/extensions/evasion/extension.rb
@@ -26,6 +26,7 @@ end
 end
 require 'extensions/evasion/evasion'
+require 'extensions/evasion/helper'
 require 'extensions/evasion/obfuscation/scramble'
 require 'extensions/evasion/obfuscation/minify'
 require 'extensions/evasion/obfuscation/base_64'
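Review bot: The new `inject_boostrapper(input)` in extensions/evasion/evasion.rb has a misspelled name (presumably `inject_bootstrapper` was meant) and a body that is only a comment, so it returns nil and ignores `input`. Rename it before anything calls it, and mark the stub explicitly, e.g. `# TODO: not implemented yet; currently returns nil`, so a caller does not mistake it for working code. The enclosing class starts and ends outside the hunk.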
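Review bot: `require 'extensions/evasion/helper'` in extensions/evasion/extension.rb loads a file that this patch does not add: the diffstat lists five changed files and none of them is extensions/evasion/helper.rb. Unless that file already exists in the tree, loading the extension raises LoadError. The `BeEF::Extension::Evasion::Helper::random_string(3)` calls introduced in base_64.rb and scramble.rb depend on the same module. The helper, presumably holding the `random_string` method removed from both classes, should be part of this commit.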
diff --git a/extensions/evasion/obfuscation/base_64.rb b/extensions/evasion/obfuscation/base_64.rb
index 27c8e960a..b2ce0cd8e 100644
--- a/extensions/evasion/obfuscation/base_64.rb
+++ b/extensions/evasion/obfuscation/base_64.rb
@@ -19,18 +19,11 @@ module BeEF class Base_64 include Singleton - def random_string(length=5) - chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ' - result = '' - length.times { result << chars[rand(chars.size)] } - result - end - def execute(input, config) encoded = Base64.strict_encode64(input) # basically, use atob if supported otherwise a normal base64 JS implementation (ie.: IE :-) decode_function = 'var _0x33db=["\x61\x74\x6F\x62","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68","\x6A\x6F\x69\x6E"];function dec(_0x487fx2){if(window[_0x33db[0]]){return atob(_0x487fx2);} ;var _0x487fx3=_0x33db[1];var _0x487fx4,_0x487fx5,_0x487fx6,_0x487fx7,_0x487fx8,_0x487fx9,_0x487fxa,_0x487fxb,_0x487fxc=0,_0x487fxd=0,dec=_0x33db[2],_0x487fxe=[];if(!_0x487fx2){return _0x487fx2;} ;_0x487fx2+=_0x33db[2];do{_0x487fx7=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx8=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fx9=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxa=_0x487fx3[_0x33db[4]](_0x487fx2[_0x33db[3]](_0x487fxc++));_0x487fxb=_0x487fx7<<18|_0x487fx8<<12|_0x487fx9<<6|_0x487fxa;_0x487fx4=_0x487fxb>>16&0xff;_0x487fx5=_0x487fxb>>8&0xff;_0x487fx6=_0x487fxb&0xff;if(_0x487fx9==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4);} else {if(_0x487fxa==64){_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5);} else {_0x487fxe[_0x487fxd++]=String[_0x33db[5]](_0x487fx4,_0x487fx5,_0x487fx6);} ;} ;} while(_0x487fxc<_0x487fx2[_0x33db[6]]);;dec=_0x487fxe[_0x33db[7]](_0x33db[2]);return dec;};' - var_name = random_string(3) + var_name = 
BeEF::Extension::Evasion::Helper::random_string(3)
 input = "var #{var_name}=\"#{encoded}\";#{decode_function}[].constructor.constructor(dec(#{var_name}))();"
 print_debug "[OBFUSCATION - BASE64] Javascript has been base64'ed'"
 input
diff --git a/extensions/evasion/obfuscation/scramble.rb b/extensions/evasion/obfuscation/scramble.rb
index c1450ee38..664673ca1 100644
--- a/extensions/evasion/obfuscation/scramble.rb
+++ b/extensions/evasion/obfuscation/scramble.rb
@@ -19,28 +19,24 @@ module BeEF
 class Scramble
 include Singleton
- def random_string(length=5)
- chars = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ'
- result = ''
- length.times { result << chars[rand(chars.size)] }
- result
- end
-
 def execute(input, config)
- to_scramble = config.get('beef.extension.evasion.to_scramble')
- to_scramble.each do |var|
- mod_var = random_string
- input = input.gsub!(var,random_string)
- print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{mod_var}]"
-
- #todo: add scrambled vars to an Hash.
- #todo: even better. Add them to the Configuration object, like "beef" => "cnjD3"
- #@@to_scramble = config.get('beef.http.evasion.scramble_variables')
- #@@scrambled = Hash.new
+ to_scramble = config.get('beef.extension.evasion.scramble')
+ to_scramble.each do |var, value|
+ key = config.get("beef.extension.evasion.scramble.#{var}")
+ if value == key
+ # Variables have not been scrambled yet
+ mod_var = BeEF::Extension::Evasion::Helper::random_string(3)
+ input = input.gsub!(var,mod_var)
+ config.set("beef.extension.evasion.scramble.#{var}",mod_var)
+ print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{mod_var}]"
+ else
+ # Variables already scrambled, re-use the one already created to maintain consistency
+ input = input.gsub!(var,value)
+ print_debug "[OBFUSCATION - SCRAMBLER] string [#{var}] scrambled -> [#{value}]"
+ end
 end
 input
 end
-
 end
 end
 end
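Review bot: In `Scramble#execute`, `input = input.gsub!(var,mod_var)` and the matching call in the `else` branch assign nil to `input` whenever `var` does not occur in the string, because `String#gsub!` returns nil when it makes no substitution. The next loop iteration then fails with NoMethodError on nil, or `execute` returns nil to its caller. Use the non-destructive form in both branches: `input = input.gsub(var, mod_var)` and `input = input.gsub(var, value)`.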