-
Notifications
You must be signed in to change notification settings - Fork 65
/
pre.js
429 lines (406 loc) · 14.5 KB
/
pre.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
var zzzactivex = [];
function Plugin(name,fname,desc){
this.name = name;
this.filename = fname;
this.description = desc;
}
var PluginArray = function _PluginArray(){
this.toString = function(){
return '';
};
};
PluginArray.prototype = new Array;
var my_plugins = new PluginArray();
my_plugins.push(new Plugin('getPlusPlus for Adobe 16263','np_gp.dll','getplusplusadobe16263'));
my_plugins.push(new Plugin('Google Talk Plugin','npgoogletalk.dll','Version 1,0,21,0'));
my_plugins.push(new Plugin('Adobe Acrobat','nppdf32.dll','Adobe PDF Plug-In For Firefox and Netscape'));
my_plugins.push(new Plugin('Mozilla Default Plug-in','npnul32.dll','Default Plug-in'));
my_plugins.push(new Plugin('Microsoft Office 2003','NPOFFICE.DLL','Office Plugin for Netscape Navigator'));
my_plugins.push(new Plugin('Google Update','npGoogleOneClick8.dll','Google Update'));
my_plugins.push(new Plugin('Shockwave Flash','NPSWF32.dll','Shockwave Flash 10.0 r32'));
my_plugins.push(new Plugin('Silverlight Plug-In','npctrl.dll','3.0.50106.0'));
my_plugins.push(new Plugin('Microsoft Office Live Plug-in for Firefox','npOLW.dll','Office Live Update v1.4'));
my_plugins.push(new Plugin('Windows Live® Photo Gallery','NPWLPG.dll','NPWLPG'));
my_plugins.push(new Plugin('Java Deployment Toolkit 6.0.140.8','npdeploytk.dll','NPRuntime Script Plug-in Library for Java(TM) Deploy'));
my_plugins.push(new Plugin('Java(TM) Platform SE 6 U14','npjp2.dll','Next Generation Java Plug-in 1.6.0_14 for Mozilla browsers'));
function my_navigator(){
this.appCodeName = String("Mozilla");
this.appMinorVersion = String(";SP2;");
this.appName = String("Microsoft Internet Explorer");
this.appVersion = String("4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)");
this.browserLanguage = String("en");
this.cookieEnabled = String("true");
this.cpuClass = String("x86");
this.onLine = String("true");
this.platform = String("Win32");
this.systemLanguage = String("en");
this.userAgent = String("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)");
this.userLanguage = String("en ");
this.javaEnabled = function(){ return true; }
this.taintEnabled = function(){ return 0; }
this.mimeTypes = {};
this.plugins = my_plugins;
}
var navigator= new my_navigator();
var screen = {};
var app = {
viewerVersion:Number(8.0),
viewerType:String('Reader'),
setTimeOut:function(txt,wait){ eval(txt); print ("; //jsunpack.called setTimeOut with "+txt + ', ' + wait);},
clearTimeOut:function(a){},
eval:function(a){eval(a);},
alert:function(a){ print ("/*** app.alert " + a + "*/"); },
};
function my_activex(){
zzzactivex.push(this);
this.donePath = 0;
this.SaveToFile = this.savetofile = function (txt){ print("//jsunpack.save " + txt) }
this.close = function(){ }
this.ChatRoom = function (txt){ print("//alert CVE-2007-5722 ChatRoom len(" + txt+ ")") }
this.LinkSBIcons = function (txt) { print("//alert CVE-2006-5820 LinkSBIcons len("+ txt.length + ")"); }
this.Write = this.write = function (txt){ print("//jsunpack.write " + txt) }
this.Send = this.send = function (){}
this.OpenWebFile = function(url){
print("//jsunpack.url OpenWebFile = " + url)
}
this.Open = this.open = function (method,url,t_f){
if (arguments.length >= 2){
//var method = arguments[0];
var url = arguments[1];
//var t_or_f = arguments[2];
print("//jsunpack.url open = " + url)
}
}
this.shellexecute = this.ShellExecute = function(cmd){ print("//alert CVE-2006-0003 shellexecute with " + cmd); }
this.BuildPath = this.buildpath = function(a,b){ this.donePath = 1; }
this.CompressedPath = this.compressedpath = function(a,b){ this.donePath = 1; }
this.PrintSnapshot = function (){
if (arguments.length >= 2){
file = arguments[0];
dest = arguments[1];
print("//jsunpack.url PrintSnapshot = " + file);
}
if(this.SnapshotPath || this.CompressedPath || this.donePath){
print("//alert CVE-2008-2463 PrintSnapshot");
}
else {
print("//jsunpack.called PrintSnapshot")
}
}
this.GetSpecialFolder = this.getspecialfolder = function (a){ /*print("//alert CVE-2006-0003 GetSpecialFolder");*/ }
this.hgs_startNotify = function (tmp){ print("//alert CVE-2008-0647 hgs_startNotify len("+tmp.length+")") }
this.TransferFile = this.transferfile = function (url,host,local,sploit,md5){ print("//alert CVE-2008-1724 Tumbleweed FileTransferActiveX len(" + sploit.length + ")"); }
this.setRequestHeader = function (a,b){ if(typeof a == 'object'){ print ("//alert CVE-2006-5745 MSXMLCoreServices setRequestHeader with [Object]"); } }
this.getIcon = function (i){ print("//alert CVE-20090927 getIcon len("+i.length+")") }
this.SetFormatLikeSample = function (a){ print("//alert CVE-2007-0018 SetFormatLikeSample len(" + a.length + ")\n") }
this.PlayerProperty = function (s){ return "6.0.14.544"; }
this.import = function (a,b,c,d,e){ print("//alert CVE-2007-5601 import playlist length=" + b.length); }
this.msDataSourceObject = function(a){ print("//alert CVE-2009-1136 msDataSourceObject"); }
}
var the_activex = new my_activex();
function my_element(){
this.setAttribute=function (name,value){
if(name=='src'){
print("//jsunpack.url setAttribute src = " + value);
}
}
this.CreateObject=function (){
var name = '';
var other = '';
if (arguments.length >= 1){
name = arguments[0];
}
if (arguments.length >= 2){
for (var i = 1; i < arguments.length; i++){
other = other + arguments[i];
}
}
text = "//jsunpack.CreateObject " + name + " " + other;
if(exploits.indexOf(text) == -1){
print (text);
exploits.push(text);
}
return new my_activex();
}
this.createobject = this.CreateObject;
this.appendChild=function (obj1){
//This is an object, may be more interesting if we extract attributes
if ('text' in obj1){
print ('//appendChild text');
print (obj1.text);
}
}
}
var exploits = [];
var namezzz = {}; //for getElementByTagName
//For getElementById , innerHTML
var idzzz = []; var valzzz = []; var txtzzz = [];
//For activex array
function my_style(){
this.display = 'none';
}
style = new my_style();
function my_value(i){
this.value = valzzz[i];
this.innerText = txtzzz[i];
this.innerHTML = txtzzz[i];
this.style = style;
this.object = new my_activex();
this.onclick = function(){};
this.appendChild = function(obj1){
try{
if (obj1.src){
print ('//jsunpack.url var appendChildsrc = ' + obj1.src);
}
}
catch(e){}
};
}
var elements = [];
var elementn = -1;
var documenttxt = String('');
var document= {
writeln : function(){
var thisWrite = String();
for (var i = 0; i < arguments.length; i++){
thisWrite = thisWrite + escape(arguments[i] + '\n');
}
documenttxt = documenttxt + unescape(thisWrite.replace(/%00/g,''));
},
write : function(){
var thisWrite = String();
for (var i = 0; i < arguments.length; i++){
thisWrite = thisWrite + escape(arguments[i]);
}
documenttxt = documenttxt + unescape(thisWrite.replace(/%00/g,''));
},
createElement : function(ele){print ('//jsunpack.called CreateElement ' +ele); elementn = elementn + 1; elements[elementn] = new my_element(); return elements[elementn]},
getElementById : function(i){ return new my_value(idzzz.indexOf(i)); },
getElementsByTagName : function(name){ if (name in namezzz){return namezzz[name];} return []; },
createEventObject : function(evt){ /* object returned has srcElement property */},
};
document.title = String('My Title');
document.location = String('http://localhost/');
document.body = new my_element();
document.cookie = String();
document.documentElement = new Array();
var remainingActiveXobjects = 100;
function ActiveXObject(text){
if(remainingActiveXobjects > 0){
remainingActiveXobjects = remainingActiveXobjects -1;
text = '\n//info.ActiveXObject '+text+'\n';
if(exploits.indexOf(text) == -1){
print(text);
exploits.push(text);
}
return new my_activex();
}
return null;
}
this.frames = new Array();
this.frames.self=this;
this.self = this;
var window = this;
window.unescape = unescape;
window.parent = window;
window.execScript = eval;
window.eval = eval;
window.Option = 1;
window.open = function (url){
print("//jsunpack.url open = " + url)
};
String.eval = eval;
this.addEventListener = function (action, func, torf){
eval(func);
}
this.attachEvent = function (action, func){
eval(func);
}
var parent = window;
var parentWindow = window;
document.parentWindow = parentWindow;
var self = this;
self.self = this;
/* //If you don't plan to modify and compile spidermonkey, enable this!
var my_eval = this.eval;
this.eval=function (str){
print('\n//eval\n'+str);
return my_eval(str);
}*/
this.setTimeout=function(fn,time){
eval(fn);
print("/*** called setTimeout with " + fn + ", " + time + " */\n");
}
var app;
var intervalExec = '';
app.setInterval = function(fn,time){
if (time > 500){
//delay until the end of execution
intervalExec += fn;
print("/*** called setInterval with " + fn + ", " + time + " (delaying) */\n");
}
else {
eval(fn);
print("/*** called setInterval with " + fn + ", " + time + " */\n");
}
}
this.setInterval = app.setInterval;
var info = { title : '' };
var media = {
newPlayer : function(a){
if (a == null){
print("//alert CVE-2009-4324 media.newPlayer with NULL parameter");
}
else {
print("//warning CVE-2009-4324 media.newPlayer access");
}
},
createPlayer : function(a){
print("//warning CVE-2009-4324 media.newPlayer access");
},
};
var zzzannot = [];
var zzzannot2 = {};
app.doc = {
syncAnnotScan : function(){},
getAnnot : function(pageNo,name){
if (name in zzzannot2){
return zzzannot2[name];
}
if (zzzannot.length > pageNo){
return zzzannot[pageNo][0];
}
},
getAnnots : function(){
for (var i = 0; i < arguments.length; i++){
npage = -1;
if (typeof arguments[i] == 'number'){
npage = arguments[i];
}
else if ('nPage' in arguments[i]){
npage = arguments[i].nPage;
}
if (npage > -1){
if (zzzannot.length > npage){
return zzzannot[npage];
}
}
}
if (arguments.length == 0){
if (zzzannot.length > 0){
return zzzannot[0];
}
}
},
Function : function(thefunc){
print (thefunc);
},
printSeps : function(){
print ("//alert CVE-2010-4091 doc.printSeps access");
},
};
function my_collab(){
this.collectEmailInfo = function (txt){ print ("//jsunpack.called Collab.collectEmailInfo"); }
this.getIcon = function (i){ print("//jsunpack.called collab.getIcon ") }
}
var Collab = new my_collab();
var getAnnot = app.doc.getAnnot;
var getAnnots = app.doc.getAnnots;
var syncAnnotScan = app.doc.syncAnnotScan;
app.doc.Collab = Collab;
app.doc.media = this.media;
app.media = this.media;
var doc = app.doc;
var printSeps = app.doc.printSeps;
this.exportDataObject = function(){
print ("//warning CVE-NO-MATCH call to exportDataObject, possible social engineering");
};
function PlugIn(name,filename){
this.name = name;
this.path = "/C/Program Files/Adobe Reader 8.0/Reader/plug_ins/" + filename;
this.version = 8;
this.certified = false;
this.loaded = true;
this.toString = function(){ return this.path; }
this.valueOf = function(){ return this.path; }
}
app.plugIns = [];
app.plugIns.push(new PlugIn('Accessibility','Accessibility.api'));
app.plugIns.push(new PlugIn('Forms','AcroForm.api'));
app.plugIns.push(new PlugIn('Annots','Annots.api'));
app.plugIns.push(new PlugIn('Checkers','Checkers.api'));
app.plugIns.push(new PlugIn('DIGSIG','DigSig.api'));
app.plugIns.push(new PlugIn('ADBE:DictionaryValidationAgent','DVA.api'));
app.plugIns.push(new PlugIn('eBook','eBook.api'));
app.plugIns.push(new PlugIn('EScript','EScript.api'));
app.plugIns.push(new PlugIn('EWH','EWH32.api'));
app.plugIns.push(new PlugIn('AcroHLS','HLS.api'));
app.plugIns.push(new PlugIn('InetAxes','IA32.api'));
app.plugIns.push(new PlugIn('SVG','ImageViewer.api'));
app.plugIns.push(new PlugIn('Make Accessible','MakeAccessible.api'));
app.plugIns.push(new PlugIn('Multimedia','Multimedia.api'));
app.plugIns.push(new PlugIn('PDDom','PDDom.api'));
app.plugIns.push(new PlugIn('ppklite','PPKLite.api'));
app.plugIns.push(new PlugIn('ReadOutLoud','ReadOutLoad.api'));
app.plugIns.push(new PlugIn('Reflow','reflow.api'));
app.plugIns.push(new PlugIn('SaveAsRTF','SaveAsRTF.api'));
app.plugIns.push(new PlugIn('ADBE_Search','Search.api'));
app.plugIns.push(new PlugIn('ADBE_Search5','Search5.api'));
app.plugIns.push(new PlugIn('SendMail','SendMail.api'));
app.plugIns.push(new PlugIn('Spelling','Spelling.api'));
app.plugIns.push(new PlugIn('Updater','Updater.api'));
app.plugIns.push(new PlugIn('WebLink','weblink.api'));
var util = {
printf : function(a,b){print ("//alert CVE-2008-2992 util.printf length ("+ a.length + "," + b.length + ")\n"); },
printd : function(){ print("//warning CVE-2009-4324 printd access"); },
};
var zzzpages = [];
this.numPages = 0;
this.pageNum = 0;
var getPageNthWord = function(page,word) { return zzzpages[page][word]; }
var getPageNumWords = function(page) { print ("//info getPageNumWords("+page+")"); return zzzpages[page].length; }
//Static Functions - common but useless
function CollectGarbage(){}
function urchinTracker(){}
function my_location(one,two){
this.href = String(one);
this.host = String(two);
this.assign = function (newurl){
print ('//jsunpack.url locationAssign = ' + newurl);
};
document.location = this;
window.location = this;
windowlocation = this;
location.pathname = String(this.href);
}
function attachEvent(action, fun) {
//print ('attachevent');
}
var location = new my_location('http://example.com','example.com');
document.location = location;
window.location = location;
var windowlocation = location;
var documentlocation = document.location;
var control = {
getVersions: function(){ return 0; }
};
var event = {};
event.target = this;
var alert = function(){}
window.alert = alert;
var prompt = function(){ return 1; }
window.prompt = prompt;
var confirm = function(){ return 1; }
window.confirm = confirm;
window.top = window;
window.self = window;
window.window = window;
var Run = function(arg){
print("//warning CVE-2010-1885 possible hcp URL with Run access");
print ('/* Run arguments:');
print (arg);
print ('*/');
};
var string = String;
var console = new Object();
console.println = function(arg){ print ("/* console.println " + arg + "*/"); }