Tuesday, February 5, 2013

PhantomJS against Exploit Kits


PhantomJS is a headless WebKit browser with a JavaScript API. It has fast, native support for various web standards: DOM handling, CSS selectors, JSON, Canvas, and SVG. We can use PhantomJS to print out all sorts of information from exploit kit landing pages; mainly, it can be used to extract the de-obfuscated code from heavily obfuscated scripts, because the browser runs the obfuscated script for us and we simply read out the result.

You can download PhantomJS from here - http://phantomjs.org/download.html

Once downloaded, you can use the existing PhantomJS examples to build a script file for our purpose. Let us see how PhantomJS can help get the de-obfuscated code from the Blackhole toolkit. Take a look at the script below.

If one has already seen the obfuscated scripts served by Blackhole, he/she can de-obfuscate them in a short span of time. But when we come across a new kit, it can take a considerable amount of time to de-obfuscate the script. In such cases PhantomJS can speed things up.
It can print the properties/values of DOM objects, print individual variables, help manipulate the DOM and much more.
Looking at the above script, we can find multiple variables in the encoder part. To print a variable from that block we can have PhantomJS do the work for us. We only need to tell PhantomJS which variable should be printed to the console; for example, to print the variable ‘c’ we can use the script below.


This instructs PhantomJS to return the variable ‘c’ from the page, so that we can write it to the console and determine what the variable holds. Below is what you get when you run “PhantomJS.exe Blackhole.js > out.txt” (save the above script as Blackhole.js and redirect the output to out.txt; out.txt will then hold the value of the variable ‘c’).


Likewise, we can instruct PhantomJS to display the whole DOM tree, like so:


The output in this case prints the whole ‘document’ DOM to the console in JSON format. We can then parse the JSON output to filter out the data we need :)

We can also have PhantomJS print individual DOM properties; for instance, if you want to print the baseURI of the requested web page you can use “return window.document.baseURI”. PhantomJS boasts many other features that can be put to great use. The examples above are just a starting point, and there is a lot more that can be added to the mix.
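To tie the three uses above together (reading a single variable, dumping the DOM as JSON, and reading a DOM property such as baseURI), here is an added PhantomJS script that is not part of the original post. It loads a locally saved copy of a landing page, lets the obfuscated script run inside the headless browser, then prints the global variable you name, the document DOM as JSON, and every script body found in that DOM. The file names dump_page.js and landing.html, the variable name ‘c’ and the helper names domToJson, readGlobal and collectScripts are assumptions for illustration; page.evaluate, page.onResourceRequested, the system and fs modules and phantom.exit are the real PhantomJS APIs (the request-abort hook needs PhantomJS 1.9 or later).

```javascript
// Added example (not from the original post): a PhantomJS script that loads a
// locally saved exploit-kit landing page, lets the obfuscated script run in the
// headless browser, then prints (a) a named global variable the script left
// behind, (b) the resulting document DOM as JSON and (c) every script body.
//
// Usage (file names and the variable name 'c' are illustrative assumptions):
//   phantomjs dump_page.js landing.html c > out.txt

// Runs INSIDE the page via page.evaluate, so it must be self-contained.
// Converts a DOM node (default: the whole document) into a plain JSON tree.
function domToJson(node) {
  node = node || document;
  var out = { nodeName: node.nodeName, nodeType: node.nodeType };
  if (node.nodeType === 3) {                      // text node: keep its content
    out.text = node.nodeValue;
    return out;
  }
  if (node.attributes && node.attributes.length) {
    out.attributes = {};
    for (var i = 0; i < node.attributes.length; i++) {
      out.attributes[node.attributes[i].name] = node.attributes[i].value;
    }
  }
  var children = [];
  for (var j = 0; node.childNodes && j < node.childNodes.length; j++) {
    children.push(domToJson(node.childNodes[j]));
  }
  if (children.length) out.children = children;
  return out;
}

// Runs INSIDE the page: returns the global variable `name` in a JSON-safe
// form (a function is returned as its source text so it survives JSON).
function readGlobal(name) {
  var scope = (typeof window !== 'undefined') ? window : global;
  var value = scope[name];
  return (typeof value === 'function') ? value.toString() : value;
}

// Runs in the driver: walks the JSON tree and collects every <script> body,
// which is where a kit usually writes its decoded stage back into the page.
function collectScripts(tree, acc) {
  acc = acc || [];
  if (tree.nodeName === 'SCRIPT' && tree.children) {
    tree.children.forEach(function (c) { if (c.text) acc.push(c.text); });
  }
  (tree.children || []).forEach(function (c) { collectScripts(c, acc); });
  return acc;
}

// PhantomJS driver; skipped when the file is loaded outside PhantomJS.
if (typeof phantom !== 'undefined') {
  var system = require('system');
  var fs = require('fs');
  var page = require('webpage').create();
  var target = system.args[1] || 'landing.html';   // assumed saved copy
  var varName = system.args[2] || 'c';
  var url = 'file:///' + fs.absolute(target).replace(/^\//, '');

  // Keep the captured page offline: abort anything that is not a local file,
  // so the analysis box never talks to the kit's servers.
  page.onResourceRequested = function (req, net) {
    if (req.url.indexOf('file:') !== 0) { net.abort(); }
  };
  page.onError = function (msg) { system.stderr.writeLine('page error: ' + msg); };

  page.open(url, function (status) {
    if (status !== 'success') {
      system.stderr.writeLine('failed to load ' + url);
      phantom.exit(1);
      return;
    }
    // (a) the single variable, exactly like "return c" in the post's script
    var value = page.evaluate(readGlobal, varName);
    console.log('var ' + varName + ' = ' + JSON.stringify(value));
    // (c') a DOM property, like "return window.document.baseURI"
    console.log('baseURI = ' + page.evaluate(function () { return document.baseURI; }));
    // (b) the whole document as JSON
    var tree = page.evaluate(domToJson);
    console.log(JSON.stringify(tree, null, 2));
    // (c) every script body, which is normally where the decoded stage lands
    collectScripts(tree).forEach(function (src, n) {
      console.log('--- script ' + n + ' ---\n' + src);
    });
    phantom.exit(0);
  });
}
```

The two page-side helpers are written in plain ES5 because PhantomJS embeds an older WebKit; page.evaluate serialises them to source text and re-creates them inside the page, which is also why they cannot touch anything from the driver scope. Working from a saved copy over file:// and aborting every other request keeps the run offline, so the only thing the landing page can do is decode itself.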

PS: Take a look at the examples shipped with the installation. PhantomJS can take screenshots of websites as well :)
