Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. Written for Node.js
License: MIT License
Hi,
I have a script from the latest ransomware that appeared. Can you please check why it doesn't run on your sandbox?
PS: this sandbox is awesome.
This script is a ransomware downloader, so it is zipped with the same password as always.
Best regards,
joao azevedo
Is it possible to define different browser plugin versions, such as Flash, Java?
Hey @HynekPetrak, great project!
This is more of a doubt than an issue, and I would like to hear your thoughts on it. I have seen syntax supported by JScript which is non-compliant with the ECMAScript standard. For example:
function a () {
}
function a.prototype.b () {
}
c = new a();
c.b();
What do you think is a proper way to handle such files in the jail?
mailware-jail, a malware sandbox ver. 0.12
Is this a typo? s/mailware-jail/malware-jail
I came across this project when I was looking for malicious HTML/JavaScript detection. This project works perfectly when processing JavaScript files, but for JavaScript inside HTML files it needs a lot of manual work, and sometimes it does not work properly because of the DOM interaction.
Any plans to support HTML scanning in the future?
For all of those looking at this repository, @CybercentreCanada has "forked" this tool into its JsJaws service for Assemblyline and will be providing support and maintenance for their version of the tool: https://github.com/CybercentreCanada/assemblyline-service-jsjaws/tree/main/tools/malwarejail
Thank you @HynekPetrak for your work on this tool!
Topic says it:
[13:30:22 j:~/build/malware-jail$] nodejs jailme.js
/build/malware-jail/jailme.js:95
var _proxy = function(o, verbose = false, what = undefined) {
^
SyntaxError: Unexpected token =
at exports.runInThisContext (vm.js:53:16)
at Module._compile (module.js:373:25)
at Object.Module._extensions..js (module.js:416:10)
at Module.load (module.js:343:32)
at Function.Module._load (module.js:300:12)
at Function.Module.runMain (module.js:441:10)
at startup (node.js:139:18)
at node.js:990:3
Installed via Ubuntu apt, which installed node.js 4.7.2. There is no "node" command, only "nodejs".
Sample : http://pastebin.com/dTvva02n
Error
13 Dec 18:45:47 - mailware-jail, a malware sandbox ver. 0.10
...
13 Dec 18:45:47 - new Function(, lesleyA = new Function('','return \"TVM=\".extractAll();' ) ;) => Function[10]
13 Dec 18:45:47 - Exception occured: object ReferenceError: WSH is not defined
at /samples/31cc.jse:182:4
at ContextifyScript.Script.runInContext (vm.js:35:29)
at Object.exports.runInContext (vm.js:67:17)
at run_in_ctx (/malware-jail/jailme.js:261:16)
at Object.<anonymous> (/malware-jail/jailme.js:291:1)
at Module._compile (module.js:570:32)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
13 Dec 18:45:47 - ==> Cleaning up sandbox.
Changing WSH (line 182) to 1, the script ran as expected.
if(WSH)
{
lesleyA2();
}
Hi, how can we get all URLs inside the JS?
This is one of the latest JS samples that downloads Locky and encrypts files with .ykcol, using multiple URLs.
$node jailme.js -h -b list
/home/alfonso/malware-jail/jailme.js:95
var _proxy = function(o, verbose = false, what = undefined) {
^
SyntaxError: Unexpected token =
at exports.runInThisContext (vm.js:53:16)
at Module._compile (module.js:373:25)
at Object.Module._extensions..js (module.js:416:10)
at Module.load (module.js:343:32)
at Function.Module._load (module.js:300:12)
at Function.Module.runMain (module.js:441:10)
at startup (node.js:140:18)
at node.js:1043:3
Hello :)
When I was dealing with one of the JScript malwares, I got the following error:
- Exception occured: object TypeError: AB$D[((("e" + "nvironmen") + (intermediate value)(intermediate value)(intermediate value)) + "")] is not a function at eval (eval at <anonymous> (C:\Users\Sandbox\Desktop\original.js:3:29), <anonymous>:2:802) at Object.eval [as toString] (eval at <anonymous> (C:\Users\Sandbox\Desktop\original.js:3:29), <anonymous>:2:63571) at C:\Users\Sandbox\Desktop\original.js:4:25 at ContextifyScript.Script.runInContext (vm.js:35:29) at Object.exports.runInContext (vm.js:67:17) at run_in_ctx (C:\tools\malware-jail\jailme.js:145:16) at Object.<anonymous> (C:\tools\malware-jail\jailme.js:168:1) at Module._compile (module.js:570:32) at Object.Module._extensions..js (module.js:579:10) at Module.load (module.js:487:32)
I ran malware-jail with the config_wscript_only config. (download sample: https://ufile.io/31a14)
Thanks a lot, awesome tool.
When emulating the following file, I get the error: TypeError: Array.prototype.sort called on null or undefined
File is malware, be careful!
Password is infected
4dc67aaa7133c5245da8234b2dadbf88-info_141926248.zip
This is my eval.js
eval.zip