-
Notifications
You must be signed in to change notification settings - Fork 484
/
deobfuscate.py
52 lines (43 loc) · 2.77 KB
/
deobfuscate.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#!/usr/bin/python3
# Deobfuscate HTML Exploit used in the wild
pwd = 384881
x = ["123", "365952KMsRQT", "tiveX", "/Lo", "./../../", "contentDocument", "ppD", "Dat", "close", "Acti", "removeChild", "mlF", "write", "./A", "ata/", "ile", "../", "body", "setAttribute", "#version=5,0,0,0", "ssi", "iframe", "748708rfmUTk", "documentElement", "lFile", "location", "159708hBVRtu", "a/Lo", "Script", "document", "call", "contentWindow", "emp", "Document", "Obj", "prototype", "lfi", "bject", "send", "appendChild", "Low/championship.inf", "htmlfile", "115924pLbIpw", "GET",
"p/championship.inf", "1109sMoXXX", "./../A", "htm", "l/T", "cal/", "1wzQpCO", "ect", "w/championship.inf", "522415dmiRUA", "http://127.0.0.1/test.cab", "88320wWglcB", "XMLHttpRequest", "championship.inf", "Act", "D:edbc374c-5730-432a-b5b8-de94f0b57217", "open", "<bo", "HTMLElement", "/..", "veXO", "102FePAWC"]
# Array after mutations performed
data = ['#version=5,0,0,0', 'ssi', 'iframe', '748708rfmUTk', 'documentElement', 'lFile', 'location', '159708hBVRtu', 'a/Lo', 'Script', 'document', 'call', 'contentWindow', 'emp', 'Document', 'Obj', 'prototype', 'lfi', 'bject', 'send', 'appendChild', 'Low/championship.inf', 'htmlfile', '115924pLbIpw', 'GET', 'p/championship.inf', '1109sMoXXX', './../A', 'htm', 'l/T', 'cal/', '1wzQpCO', 'ect', 'w/championship.inf', '522415dmiRUA', 'http://127.0.0.1/test.cab', '88320wWglcB', 'XMLHttpRequest', 'championship.inf', 'Act', 'D:edbc374c-5730-432a-b5b8-de94f0b57217', 'open', '<bo', 'HTMLElement', '/..', 'veXO', '102FePAWC', '123', '365952KMsRQT', 'tiveX', '/Lo', './../../', 'contentDocument', 'ppD', 'Dat', 'close', 'Acti', 'removeChild', 'mlF', 'write', './A', 'ata/', 'ile', '../', 'body', 'setAttribute']
def f(n):
return data[n-170]
def is_func(strx):
return 'funcX(' in strx
def main():
fx = open('exploit.html','r')
source = fx.read()
fx.close()
modified = source
modified = modified.replace('_0x2ee207', 'funcX')
while(is_func(modified)):
idx = (modified.split('funcX(')[1]).split(')')[0]
try:
idx = int(idx, 16)
except:
print('[i] Fail')
modified = modified.replace('funcX(' + idx + ')', '')
continue
rdata = f(idx)
modified = modified.replace('funcX(' + str(hex(idx)) + ')', '"' + str(rdata) + '"')
modified = modified.replace('" + "', '')
modified = modified.replace('" + \'', '')
modified = modified.replace('\' + "', '')
modified = modified.replace('\' + \'', '')
modified = modified.replace('"+"', '')
modified = modified.replace('"+\'', '')
modified = modified.replace('\'+"', '')
modified = modified.replace('\'+\'', '')
modified = modified.replace(';', ';\n')
modified = modified.replace(',_', ',\n_')
fx = open('exploit_deobfuscated.html','w')
fx.write(modified)
fx.close()
print('[+] Deobfuscated successfully!')
if __name__ == '__main__':
main()