Revert "Fixes large-string expansion in JSObfu."

This reverts commit 14fed8c.

Author: joevennix

lib/rex/exploitation/jsobfu.rb

@@ -48,68 +48,14 @@ module Exploitation
 #
 class JSObfu
 
-  # A single Javascript scope, used as a key-value store
-  # to maintain uniqueness of members in generated closures.
-  # For speed this class is implemented as a subclass of Hash.
-  class Scope < Hash
-
-    # these keywords should never be used as a random var name
-    # source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Reserved_Words
-    RESERVED_KEYWORDS = %w(
-      break case catch continue debugger default delete do else finally
-      for function if in instanceof new return switch this throw try
-      typeof var void while with class enum export extends import super
-      implements interface let package private protected public static yield
-    )
-
-    # these vars should not be shadowed as they may be used in other obfuscated code
-    BUILTIN_VARS = %w(
-      String window unescape
-    )
-
-    # @param [Rex::Exploitation::JSObfu::Scope] parent an optional parent scope,
-    #   sometimes necessary to prevent needless var shadowing
-    def initialize(parent=nil)
-      @parent = parent
-      @rand_gen = Rex::RandomIdentifierGenerator.new(
-        :max_length => 15,
-        :first_char_set => Rex::Text::Alpha+"_$",
-        :char_set => Rex::Text::AlphaNumeric+"_$"
-      )
-    end
-
-    # @return [String] a unique random var name that is not a reserved keyword
-    def random_var_name
-      loop do
-        text = random_string
-        unless has_key?(text) or
-          RESERVED_KEYWORDS.include?(text) or
-          BUILTIN_VARS.include?(text)
-
-          self[text] = nil
-          return text
-        end
-      end
-    end
-
-    # @return [Boolean] var is in scope
-    def has_key?(key)
-      super or (@parent and @parent.has_key?(key))
-    end
-
-    # @return [String] a random string
-    def random_string
-      @rand_gen.generate
-    end
-
-  end
-
-  #
-  # The maximum length of a string that will be passed through
-  # #transform_string without being chopped up into separate
-  # expressions and concatenated
-  #
-  MAX_STRING_CHUNK = 10000
+  # these keywords should never be used as a random var name
+  # source: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Reserved_Words
+  RESERVED_KEYWORDS = %w(
+    break case catch continue debugger default delete do else finally
+    for function if in instanceof new return switch this throw try
+    typeof var void while with class enum export extends import super
+    implements interface let package private protected public static yield
+  )
 
   #
   # Abstract Syntax Tree generated by RKelly::Parser#parse
@@ -123,8 +69,12 @@ def initialize(code)
     @code = code
     @funcs = {}
     @vars  = {}
-    @scope = Scope.new
     @debug = false
+    @rand_gen = Rex::RandomIdentifierGenerator.new(
+      :max_length => 15,
+      :first_char_set => Rex::Text::Alpha+"_$",
+      :char_set => Rex::Text::AlphaNumeric+"_$"
+    )
   end
 
   #
@@ -172,8 +122,23 @@ def obfuscate
     obfuscate_r(@ast)
   end
 
+  # @return [String] a unique random var name that is not a reserved keyword
+  def random_var_name
+    loop do
+      text = random_string
+      unless @vars.has_value?(text) or RESERVED_KEYWORDS.include?(text)
+        return text
+      end
+    end
+  end
+
 protected
 
+  # @return [String] a random string
+  def random_string
+    @rand_gen.generate
+  end
+
   #
   # Recursive method to obfuscate the given +ast+.
   #
@@ -217,12 +182,12 @@ def obfuscate_r(ast)
       # Variables
       when ::RKelly::Nodes::VarDeclNode
         if @vars[node.name].nil?
-          @vars[node.name] = @scope.random_var_name
+          @vars[node.name] = random_var_name
         end
         node.name = @vars[node.name]
       when ::RKelly::Nodes::ParameterNode
         if @vars[node.value].nil?
-          @vars[node.value] = @scope.random_var_name
+          @vars[node.value] = random_var_name
         end
         node.value = @vars[node.value]
       when ::RKelly::Nodes::ResolveNode
@@ -244,7 +209,7 @@ def obfuscate_r(ast)
         # Functions can also act as objects, so store them in the vars
         # and the functions list so we can replace them in both places
         if @funcs[node.value].nil? and not @funcs.values.include?(node.value)
-          @funcs[node.value] = @scope.random_var_name
+          @funcs[node.value] = random_var_name
           if @vars[node.value].nil?
             @vars[node.value] = @funcs[node.value]
           end
@@ -346,16 +311,14 @@ def transform_string(str)
     str = str[1,str.length - 2]
     return quote*2 if str.length == 0
 
-    if str.length > MAX_STRING_CHUNK
-      return safe_split(str, quote).map { |args| transform_string(args[1]) }.join('+')
-    end
-
-    transformed = nil
     case rand(2)
     when 0
       transformed = transform_string_split_concat(str, quote)
     when 1
       transformed = transform_string_fromCharCode(str)
+    #when 2
+    #	# Currently no-op
+    #	transformed = transform_string_unescape(str)
     end
 
     #$stderr.puts "Obfuscating str: #{str.ljust 30} #{transformed}"
@@ -390,12 +353,12 @@ def safe_split(str, quote)
         break unless str[len]
         break if len > max_len
         # randomize the length of each part
-        break if (rand(max_len) == 0)
+        break if (rand(4) == 0)
       end
 
       part = str.slice!(0, len)
 
-      var = @scope.random_var_name
+      var = Rex::Text.rand_text_alpha(4)
       parts.push( [ var, "#{quote}#{part}#{quote}" ] )
     end
 
@@ -446,6 +409,12 @@ def transform_string_split_concat(str, quote)
     final
   end
 
+
+  # TODO
+  #def transform_string_unescape(str)
+  #	str
+  #end
+
   #
   # Return a call to String.fromCharCode() with each char of the input as arguments
   #
@@ -454,17 +423,9 @@ def transform_string_split_concat(str, quote)
   #   output: String.fromCharCode(0x41, 10)
   #
   def transform_string_fromCharCode(str)
-    "String.fromCharCode(#{string_to_bytes(str)})"
-  end
-
-  #
-  # Return a comma-separated list of byte values with random encodings (decimal/hex/octal)
-  #
-  def string_to_bytes(str)
-    len = 0
+    buf = "String.fromCharCode("
     bytes = str.unpack("C*")
-    encoded_bytes = []
-
+    len = 0
     while str.length > 0
       if str[0,1] == "\\"
         str.slice!(0,1)
@@ -511,12 +472,16 @@ def string_to_bytes(str)
       else
         char = str.slice!(0,1).unpack("C").first
       end
-      encoded_bytes << rand_base(char)
+      buf << "#{rand_base(char)},"
     end
+    # Strip off the last comma
+    buf = buf[0,buf.length-1] + ")"
+    transformed = buf
 
-    encoded_bytes.join(',')
+    transformed
   end
 
+
 end
 end
 end

spec/lib/rex/exploitation/jsobfu_scope_spec.rb

@@ -7,66 +7,44 @@
     described_class.new("")
   end
 
-  # surround the string in quotes
-  def quote(str, q='"'); "#{q}#{str}#{q}" end
+  describe '#random_var_name' do
+    subject(:random_var_name) { jsobfu.random_var_name }
 
-  describe '#transform_string' do
-    context 'when given a string of length > MAX_STRING_CHUNK' do
-      let(:js_string) { quote "ABC"*Rex::Exploitation::JSObfu::MAX_STRING_CHUNK }
+    it { should be_a String }
+    it { should_not be_empty }
 
-      it 'calls itself recursively' do
-        expect(jsobfu).to receive(:transform_string).at_least(2).times.and_call_original
-        jsobfu.send(:transform_string, js_string.dup)
-      end
+    it 'is composed of _, $, alphanumeric chars' do
+      20.times { expect(jsobfu.random_var_name).to match(/\A[a-zA-Z0-9$_]+\Z/) }
     end
 
-    context 'when given a string of length < MAX_STRING_CHUNK' do
-      let(:js_string) { quote "A"*(Rex::Exploitation::JSObfu::MAX_STRING_CHUNK/2).to_i }
-
-      it 'does not call itself recursively' do
-        expect(jsobfu).to receive(:transform_string).once.and_call_original
-        jsobfu.send(:transform_string, js_string.dup)
-      end
+    it 'does not start with a number' do
+      20.times { expect(jsobfu.random_var_name).not_to match(/\A[0-9]/) }
     end
-  end
 
-  describe '#safe_split' do
-    let(:js_string) { Rex::Text.to_hex("ABCDEFG"*100, "\\x") }
-    let(:quote)     { '"' }
-    let(:parts) { 50.times.map { jsobfu.send(:safe_split, js_string.dup, quote).map{ |a| a[1] } } }
+    context 'when a reserved word is generated' do
+      let(:reserved)  { described_class::RESERVED_KEYWORDS.first }
+      let(:random)    { 'abcdef' }
+      let(:generated) { [reserved, reserved, reserved, random] }
 
-    describe 'quoting' do
-      context 'when given a double-quote' do
-        let(:quote) { '"' }
-        it 'surrounds all the split strings with the same quote' do
-          expect(parts.flatten.all? { |part| part.start_with?(quote) }).to be_true
-        end
+      before do
+        jsobfu.stub(:random_string) { generated.shift }
       end
 
-      context 'when given a single-quote' do
-        let(:quote) { "'" }
-        it 'surrounds all the split strings with the same quote' do
-          expect(parts.flatten.all? { |part| part.start_with?(quote) }).to be_true
-        end
-      end
+      it { should be random }
     end
 
-    describe 'splitting' do
-      context 'when given a hex-escaped series of bytes' do
-        let(:js_string) { Rex::Text.to_hex("ABCDEFG"*100, "\\x") }
+    context 'when a non-unique random var is generated' do
+      let(:preexisting) { 'preexist' }
+      let(:random)      { 'abcdef' }
+      let(:vars)        { { 'jQuery' => preexisting } }
+      let(:generated)   { [preexisting, preexisting, preexisting, random] }
 
-        it 'never splits in the middle of a hex escape' do
-          expect(parts.flatten.all? { |part| part.start_with?('"\\') }).to be_true
-        end
+      before do
+        jsobfu.stub(:random_string) { generated.shift }
+        jsobfu.instance_variable_set("@vars", vars)
       end
 
-      context 'when given a unicode-escaped series of bytes' do
-        let(:js_string) { Rex::Text.to_unescape("ABCDEFG"*100).gsub!('%', '\\') }
-
-        it 'never splits in the middle of a unicode escape' do
-          expect(parts.flatten.all? { |part| part.start_with?('"\\') }).to be_true
-        end
-      end
+      it { should be random }
     end
   end