vendredi 3 mai 2013

Unpacking exploit kits with Fiddler

Most exploit kits use javascript packing to avoid the code appearing in plain text. Figure 1 shows an example of such a packed script. Multiple techniques and tools exist to help in the task of unpacking and analyzing these kits, for example Kahu Security has many articles on his blog about this. This post presents a quick and dirty method I have been using a lot recently; it uses Fiddler and its AutoResponder feature. The idea is to modify the Javascript code and then replay the HTTP traffic in the browser. If you want to try this technique, here is the Fiddler HTTP archive I used as an example (archive password is "infected").

Figure 1 Packed Blackhole Exploit kit
The first step involves capturing the kit with Fiddler. Then activate the AutoResponder feature as shown in Figure 2. Next drag the sessions corresponding the kit traffic in the AutoResponder panel. In this example  this is the first session.

Figure 2 Enabling AutoResponder
Next edit the session, you can use the context menu or just press Enter.

Figure 3 Editing the response

Now I want to modify the script to be able to see the unpacked code so I open the Syntax View tab. This part is different from one pack to another and you might need multiple attempts to figure out the best way to do it. In this example the pack is Blackhole, there is an eval statement at the end very end that executes the script after it is unpacked.I use console.log to get the content, so I replace w(c) by console.log(c) and hit Save.

Figure 4 Deciding what to modify

Next I open Google Chrome (make sure it is configured to use Fiddle as a proxy), open the Developer Console with F12 and click on the Console tab. I then browse to the pack URL, in this example (you can use Ctrl+U to copy the URL from a session). If all went well the unpacked code should appear in the logs.

Figure 5 unpacked script in the logs
Another neat feature of Fiddler is the code beautifier. I copy the script from the log, replace the original script in the SyntaxView and click on Format Script/JSON. The code is now well formatted and ready for analysis.You can find the unpacked code here. Note that this is an old version of Blackhole v1 from February 2012 but the technique still works today.

Figure 6 Format Javascript code

Figure 7 Formatted Blackhole code

This is a quick and dirty technique and could easily be defeated but it works with many packs. If you have any question leave a comment or email me at