Land rapid7#3247 - Revert rapid7#3224 jsobfu string size fixes

Author: wchen-r7

data/js/detect/os.js

@@ -1,25 +1,25 @@
 
 // Case matters, see lib/msf/core/constants.rb
 // All of these should match up with constants in ::Msf::HttpClients
-var clients_opera = "Opera";
-var clients_ie    = "MSIE";
-var clients_ff    = "Firefox";
-var clients_chrome= "Chrome";
-var clients_safari= "Safari";
+clients_opera = "Opera";
+clients_ie    = "MSIE";
+clients_ff    = "Firefox";
+clients_chrome= "Chrome";
+clients_safari= "Safari";
 
 // All of these should match up with constants in ::Msf::OperatingSystems
-var oses_linux    = "Linux";
-var oses_windows  = "Microsoft Windows";
-var oses_mac_osx  = "Mac OS X";
-var oses_freebsd  = "FreeBSD";
-var oses_netbsd   = "NetBSD";
-var oses_openbsd  = "OpenBSD";
+oses_linux    = "Linux";
+oses_windows  = "Microsoft Windows";
+oses_mac_osx  = "Mac OS X";
+oses_freebsd  = "FreeBSD";
+oses_netbsd   = "NetBSD";
+oses_openbsd  = "OpenBSD";
 
 // All of these should match up with the ARCH_* constants
-var arch_armle    = "armle";
-var arch_x86      = "x86";
-var arch_x86_64   = "x86_64";
-var arch_ppc      = "ppc";
+arch_armle    = "armle";
+arch_x86      = "x86";
+arch_x86_64   = "x86_64";
+arch_ppc      = "ppc";
 
 window.os_detect = {};
 

lib/rex/exploitation/jsobfu.rb

@@ -48,71 +48,14 @@ module Exploitation
 #
 class JSObfu
 
-  # A single Javascript scope, used as a key-value store
-  # to maintain uniqueness of members in generated closures.
-  # For speed this class is implemented as a subclass of Hash.
-  class Scope < Hash
-
-    # these keywords should never be used as a random var name
-    # source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Reserved_Words
-    RESERVED_KEYWORDS = %w(
-      break case catch continue debugger default delete do else finally
-      for function if in instanceof new return switch this throw try
-      typeof var void while with class enum export extends import super
-      implements interface let package private protected public static yield
-    )
-
-    # these vars should not be shadowed as they may be used in other obfuscated code
-    BUILTIN_VARS = %w(
-      String window unescape
-    )
-
-    # @param [Rex::Exploitation::JSObfu::Scope] parent an optional parent scope,
-    #   sometimes necessary to prevent needless var shadowing
-    def initialize(parent=nil)
-      @parent = parent
-      @rand_gen = Rex::RandomIdentifierGenerator.new(
-        :max_length => 15,
-        :first_char_set => Rex::Text::Alpha+"_$",
-        :char_set => Rex::Text::AlphaNumeric+"_$",
-        :min_length => 1
-      )
-    end
-
-    # @return [String] a unique random var name that is not a reserved keyword
-    def random_var_name
-      len = 1
-      loop do
-        text = random_string(len)
-        unless has_key?(text) or
-          RESERVED_KEYWORDS.include?(text) or
-          BUILTIN_VARS.include?(text)
-
-          self[text] = nil
-          return text
-        end
-        len += 1
-      end
-    end
-
-    # @return [Boolean] var is in scope
-    def has_key?(key)
-      super or (@parent and @parent.has_key?(key))
-    end
-
-    # @return [String] a random string that can be used as a var
-    def random_string(len)
-      @rand_gen.generate(len)
-    end
-
-  end
-
-  #
-  # The maximum length of a string that can be passed through
-  # #transform_string without being chopped up into separate
-  # expressions and concatenated
-  #
-  MAX_STRING_CHUNK = 10000
+  # these keywords should never be used as a random var name
+  # source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Reserved_Words
+  RESERVED_KEYWORDS = %w(
+    break case catch continue debugger default delete do else finally
+    for function if in instanceof new return switch this throw try
+    typeof var void while with class enum export extends import super
+    implements interface let package private protected public static yield
+  )
 
   #
   # Abstract Syntax Tree generated by RKelly::Parser#parse
@@ -126,8 +69,12 @@ def initialize(code)
     @code = code
     @funcs = {}
     @vars  = {}
-    @scope = Scope.new
     @debug = false
+    @rand_gen = Rex::RandomIdentifierGenerator.new(
+      :max_length => 15,
+      :first_char_set => Rex::Text::Alpha+"_$",
+      :char_set => Rex::Text::AlphaNumeric+"_$"
+    )
   end
 
   #
@@ -175,8 +122,23 @@ def obfuscate
     obfuscate_r(@ast)
   end
 
+  # @return [String] a unique random var name that is not a reserved keyword
+  def random_var_name
+    loop do
+      text = random_string
+      unless @vars.has_value?(text) or RESERVED_KEYWORDS.include?(text)
+        return text
+      end
+    end
+  end
+
 protected
 
+  # @return [String] a random string
+  def random_string
+    @rand_gen.generate
+  end
+
   #
   # Recursive method to obfuscate the given +ast+.
   #
@@ -220,12 +182,12 @@ def obfuscate_r(ast)
       # Variables
       when ::RKelly::Nodes::VarDeclNode
         if @vars[node.name].nil?
-          @vars[node.name] = @scope.random_var_name
+          @vars[node.name] = random_var_name
         end
         node.name = @vars[node.name]
       when ::RKelly::Nodes::ParameterNode
         if @vars[node.value].nil?
-          @vars[node.value] = @scope.random_var_name
+          @vars[node.value] = random_var_name
         end
         node.value = @vars[node.value]
       when ::RKelly::Nodes::ResolveNode
@@ -247,7 +209,7 @@ def obfuscate_r(ast)
         # Functions can also act as objects, so store them in the vars
         # and the functions list so we can replace them in both places
         if @funcs[node.value].nil? and not @funcs.values.include?(node.value)
-          @funcs[node.value] = @scope.random_var_name
+          @funcs[node.value] = random_var_name
           if @vars[node.value].nil?
             @vars[node.value] = @funcs[node.value]
           end
@@ -349,15 +311,14 @@ def transform_string(str)
     str = str[1,str.length - 2]
     return quote*2 if str.length == 0
 
-    if str.length > MAX_STRING_CHUNK
-      return safe_split(str, quote).map { |args| transform_string(args[1]) }.join('+')
-    end
-
-    transformed = case rand(2)
+    case rand(2)
     when 0
-      transform_string_split_concat(str, quote)
+      transformed = transform_string_split_concat(str, quote)
     when 1
-      transform_string_fromCharCode(str)
+      transformed = transform_string_fromCharCode(str)
+    #when 2
+    #	# Currently no-op
+    #	transformed = transform_string_unescape(str)
     end
 
     #$stderr.puts "Obfuscating str: #{str.ljust 30} #{transformed}"
@@ -392,12 +353,12 @@ def safe_split(str, quote)
         break unless str[len]
         break if len > max_len
         # randomize the length of each part
-        break if (rand(max_len) == 0)
+        break if (rand(4) == 0)
       end
 
       part = str.slice!(0, len)
 
-      var = @scope.random_var_name
+      var = Rex::Text.rand_text_alpha(4)
       parts.push( [ var, "#{quote}#{part}#{quote}" ] )
     end
 
@@ -448,6 +409,12 @@ def transform_string_split_concat(str, quote)
     final
   end
 
+
+  # TODO
+  #def transform_string_unescape(str)
+  #	str
+  #end
+
   #
   # Return a call to String.fromCharCode() with each char of the input as arguments
   #
@@ -456,17 +423,9 @@ def transform_string_split_concat(str, quote)
   #   output: String.fromCharCode(0x41, 10)
   #
   def transform_string_fromCharCode(str)
-    "String.fromCharCode(#{string_to_bytes(str)})"
-  end
-
-  #
-  # Return a comma-separated list of byte values with random encodings (decimal/hex/octal)
-  #
-  def string_to_bytes(str)
-    len = 0
+    buf = "String.fromCharCode("
     bytes = str.unpack("C*")
-    encoded_bytes = []
-
+    len = 0
     while str.length > 0
       if str[0,1] == "\\"
         str.slice!(0,1)
@@ -513,12 +472,16 @@ def string_to_bytes(str)
       else
         char = str.slice!(0,1).unpack("C").first
       end
-      encoded_bytes << rand_base(char)
+      buf << "#{rand_base(char)},"
     end
+    # Strip off the last comma
+    buf = buf[0,buf.length-1] + ")"
+    transformed = buf
 
-    encoded_bytes.join(',')
+    transformed
   end
 
+
 end
 end
 end