Python low-interaction honeyclient

Overview

Thug


The number of client-side attacks has grown significantly in the past few years, shifting the focus to poorly protected, vulnerable clients. Just as the best-known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks.

A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and be exploited by an attacker's content.

Thug is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious content.

Documentation


Documentation about Thug installation and usage can be found at http://thug-honeyclient.readthedocs.io/.

Contributions


Thug is open source and we welcome contributions in all forms!

Thug is free to use for any purpose (even commercial ones). If you use and appreciate Thug, please consider supporting the project with a donation using PayPal.

Testing

To run the full test suite using tox, run the command:

tox

Since tox builds and installs dependencies from scratch, using pytest for faster testing is recommended:

pytest --cov thug

License information

Copyright (C) 2011-2021 Angelo Dell'Aera <[email protected]>

License: GNU General Public License, version 2

Comments
  • Add support for WScriptNetwork object.

    Adds support for the WScriptNetwork object which was used in some recent samples.

    Ideally the attributes shouldn't be static but retrieved using WScriptShell.ExpandEnvironmentStrings(). Any comments on how to do that?

    Also did some improvements on the Scripting.FileSystemObject module.

    enhancement 
    opened by tweemeterjop 17
  • Thug not properly handling redirects logging

    Hi! Let's take a look at this situation: at hxxp://localhost:1337/ek_tests/dummy_redirect_chain/exploit.html some code was added by a nasty hacker.

    <html>
    <head>
    <title>Dummy sploit</title>
    </head>
    <body>
    <!-- malicious code start -->
    <script src="javascript.php?option=0"></script>
    <!-- malicious code end -->
    </body>
    </html>
    

    That code redirects (indirectly) to the (imaginary) exploit kit's gate (which uses alert(1) from JS as the exploit). It creates some new scripts on the way to the gate. On the backend side, it looks like this:

    <?php
    /**
    * javascript.php
    */
    $i = $_GET['option'];
    $to_write = "";
    switch ($i) {
        case 0:
            $to_write =  "var script = document.createElement('script');
    script.src = 'javascript.php?option=1';
    document.body.appendChild(script);";
            break;
        case 1:
            header('Location: javascript.php?option=2');
            break;
        case 2:
            $to_write = "document.write(\"<iframe src='iframe.php?option=1'></iframe>\");";
            break;
        case 3:
            $to_write =  "var script = document.createElement('script');
    script.src = 'javascript.php?option=4';";
            // no break here: falls through to case 4
        case 4:
            $to_write = "alert('1');";
    }
    echo $to_write;
    ?>
    

    It also uses iframes:

    <?php
    /**
    * iframe.php
    */
    $i = $_GET['option'];
    $to_write = "";
    switch ($i) {
        case 0:
            $to_write =  "var script = document.createElement('script');
    script.src = 'javascript.php?option=1';";
            break;
        case 1:
            $to_write = "<script src='javascript.php?option=3'></script>";
            break;
        case 2:
            $to_write = "document.write(\"<iframe src='iframe.php?option=1'></iframe>\");";
            break;
        case 3:
            $to_write =  "var script = document.createElement('script');
    script.src = 'javascript.php?option=4';";
            // no break here: falls through to case 4
        case 4:
            $to_write = "document.alert(1);";
    }
    echo '<html><head></head><body>';
    echo $to_write;
    echo '</body></html>';
    ?>
    

    When a user (Thug) enters that site, it produces some redirects with alert(1) at the end. It looks like this: http://svgur.com/i/1XW.svg - a graph made by Thug itself.

    The problem is: even if one script leads to another, we are not informed about that. We cannot build proper redirect chains for those redirections. We get this output:

     | -> 1    / (2->3 redirected by HTTP Location header)
    0| -> 2 -> 3
     | -> 4
    

    Even though it really should be:

    0 -> 1 -> 2 -> 3 -> 4
    

    I know that this is caused by, for example, newly created scripts being executed within the base (0's) DOM. I believe we could somehow get information about the real source of an action from V8. It is a critical aspect of the analysis of web threats, because at the moment we don't really know what part of a website is malicious and what is not. Also, thanks for a great tool :)

    enhancement 
    opened by internaldefect 16
  • new version - missing graph.svg

    Using thug via docker installation, very good tool. Recently installed the new version but it seems the graph.svg file is not being created within the analysis folder.

    Is this feature removed completely or can it be enabled?

    Thanks

    configuration 
    opened by arunkhan1984 13
  • First time set-up problems.

    Hi, firstly I am on Ubuntu 16.04 and have gone through the Thug installation guide multiple times and am currently stuck as to where to go from here. I installed all packages except HoneyAgent & VirusTotal (both optional). My problem is that when I run thug --list-ua I get this:

    
    [2017-03-28 10:11:03] [HTML Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [HTML Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [JS Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [JS Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [VBS Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [VBS Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [URL Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [URL Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [Sample Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [Sample Classifier] Skipping not existing default filter file
    [2017-03-28 10:11:03] [Text Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:11:03] [Text Classifier] Skipping not existing default filter file
    
    Synopsis:
        Thug: Pure Python honeyclient implementation
    
        Available User-Agents:
    

    So lots of skipping, I don't know if that is a problem, but no User-Agents? Also, when I try to run Thug I get the following:

    [2017-03-28 10:15:41] [HTML Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [HTML Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [JS Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [JS Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [VBS Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [VBS Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [URL Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [URL Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [Sample Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [Sample Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [Text Classifier] Skipping not existing default classification rule file
    [2017-03-28 10:15:41] [Text Classifier] Skipping not existing default filter file
    [2017-03-28 10:15:41] [WARNING] VirusTotal disabled (no configuration file found)
    [2017-03-28 10:15:41] [CRITICAL] Logging subsystem not initialized (configuration file not found)
    Traceback (most recent call last):
      File "/usr/local/bin/thug", line 11, in <module>
        sys.exit(main())
      File "/usr/local/lib/python2.7/dist-packages/thug/thug.py", line 334, in main
        Thug(sys.argv[1:])()
      File "/usr/local/lib/python2.7/dist-packages/thug/ThugAPI/ThugAPI.py", line 86, in __call__
        self.analyze()
      File "/usr/local/lib/python2.7/dist-packages/thug/thug.py", line 324, in analyze
        ThugPlugins(PRE_ANALYSIS_PLUGINS, self)()
      File "/usr/local/lib/python2.7/dist-packages/thug/Plugins/ThugPlugins.py", line 44, in __init__
        self.get_plugins()
      File "/usr/local/lib/python2.7/dist-packages/thug/Plugins/ThugPlugins.py", line 68, in get_plugins
        for p in os.listdir(PLUGINS_PATH):
    OSError: [Errno 2] No such file or directory: '/etc/thug/plugins'
    
    

    I have followed the installation guide step by step and it is now at the Usage section? Am I meant to install Docker too, or is there something else I have missed?

    Thank you for your help in advance!

    opened by Waffles-2 11
  • ReferenceError

    There is malicious code and normal code in the JavaScript. If a reference error occurs in the normal code, the malicious code will not be analyzed afterwards. Can I pass (skip) the reference error and then continue analyzing the malicious code?

    [2018-11-12 21:47:41] Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/thug-0.9.37-py2.7.egg/thug/Debugger/Shellcode.py", line 162, in run
        result = self.ctxt.eval (self.script)
    ReferenceError: ReferenceError: functions is not defined (@ 1: 0) -> functions.validateAndSubmitForm ();

    not an issue 
    opened by parknom 10
  • Data in mongodb

    Hi, I wonder how possible it would be to push most of the data in analysis.xml/avlog.json and graph.svg into MongoDB so it can be used by e.g. a web interface.

    I really want to use thug, but I find the lack of a web interface for viewing the reports quite the problem.

    Ideally I guess a JSON version of the MAEC schema would be the best, but that kinda goes against the MAEC specifications, for now.. :)

    An example of a web interface I could make with having all the data in mongodb could be something like http://two.mrfjo.org/02906d5b-a7cd-47f8-9885-6e80eecf967a/

    enhancement 
    opened by espenfjo 10
  • Fix infinite recursion problem in Window.__getattr__

    The Window object has infinite recursion under the following two conditions:

    1. Checking whether the V8 JSContext has been initialized through __getattr__(). It becomes a lookup loop which always calls __getattr__(), since the code uses self.context before initializing the V8 JSContext.

    Fix by: raising AttributeError if __getattribute__() can't find the "_context" variable.

    2. Getting a nonexistent variable or function by "self.context.eval(name)". When the V8 JSContext can't find the variable, it calls __getattr__() again. It also becomes a lookup loop.

    Fix by: avoiding calling __getattr__() from the V8Context internals.

    > python -m cProfile thug.py -l ../samples/Events/testEvent10.html

    Before fix:

    ncalls   tottime  percall  cumtime  percall  filename:lineno(function)
    588/5    0.193    0.000    0.759    0.152    Window.py:138(__getattr__)
    6825     0.003    0.000    0.003    0.000    Window.py:196(window)
    616/344  0.378    0.001    0.599    0.002    Window.py:850(context)

    After fix:

    ncalls   tottime  percall  cumtime  percall  filename:lineno(function)
    55/37    0.014    0.000    0.014    0.000    Window.py:139(__getattr__)
    35       0.000    0.000    0.000    0.000    Window.py:206(window)
    82/4     0.004    0.000    0.020    0.005    Window.py:860(context)

    opened by Joseph-CHC 10
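The two lookup loops described in this report, reproduced in an added example that is not Thug's code: FakeV8Context, WindowBroken, WindowFix1, WindowFixed and probe are constructed stand-ins, with the V8 context modelled as a dict of JS globals that falls back to the Python window object for unknown names, as the report says the real binding does.

```python
class FakeV8Context:
    """Stand-in for the V8 JSContext (constructed for this example, not Thug's code).
    As in the real binding, a global JS cannot resolve is looked up on the window."""
    def __init__(self, window, js_globals, fallback_via_getattr):
        self._window = window
        self._js_globals = js_globals
        self._fallback_via_getattr = fallback_via_getattr

    def eval(self, name):
        if name in self._js_globals:
            return self._js_globals[name]
        if self._fallback_via_getattr:
            # Loop 2: getattr() re-enters Window.__getattr__, which calls eval() again.
            return getattr(self._window, name)
        # Fixed: consult only attributes the Python object really holds, never __getattr__.
        try:
            return vars(self._window)[name]
        except KeyError:
            raise NameError(name) from None


class WindowBroken:
    """Lazy JS context plus JS-global attribute fallback, with both reported loops."""
    fallback_via_getattr = True

    def __init__(self, js_globals):
        self._js_globals = js_globals  # _context is only created lazily, in the property

    @property
    def context(self):
        # Loop 1: self._context does not exist yet, so reading it calls __getattr__("_context"),
        # which reads self.context again (getattr's default only catches AttributeError).
        if getattr(self, "_context", None) is None:
            self._context = FakeV8Context(self, self._js_globals, self.fallback_via_getattr)
        return self._context

    def __getattr__(self, name):
        return self.context.eval(name)


class WindowFix1(WindowBroken):
    """Fix 1 only: a missing internal attribute raises AttributeError instead of looping."""
    def __getattr__(self, name):
        if name.startswith("_"):
            raise AttributeError(name)
        return self.context.eval(name)


class WindowFixed(WindowFix1):
    """Both fixes: the context also stops calling getattr() back into the window."""
    fallback_via_getattr = False


def probe(window_cls, name):
    """Return ("ok", value) or ("error", exception name) for window.<name>."""
    try:
        return ("ok", getattr(window_cls({"alert": "native alert"}), name))
    except (RecursionError, AttributeError, NameError) as exc:
        return ("error", type(exc).__name__)
```

With only the first fix, a known global such as alert resolves, but an unknown name still recurses through the context's fallback; with both fixes it ends in a plain NameError.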
  • javascript that fools thug

    Saw this on a landing page, thug did not follow it:

    <script type="text/javascript">
        setTimeout("testTime()", 0);
        function testTime() {
            location = "/";
        }
    </script>
    
    defect 
    opened by evilscheme 10
  • ImportError: libemu.so.2: cannot open shared object file: No such file or directory

    I have successfully installed V8 and PyV8. I have tested it and the result is OK.

    But while I was executing python thug.py -h, the error appeared. The errors look like:

    [email protected]:/home/kafin/thug/src# sudo python thug.py -h
    Traceback (most recent call last):
      File "thug.py", line 31, in <module>
        from DOM import Window, DFT, MIMEHandler, SchemeHandler
      File "/home/kafin/thug/src/DOM/Window.py", line 32, in <module>
        from .Location import Location
      File "/home/kafin/thug/src/DOM/Location.py", line 22, in <module>
        import DFT
      File "/home/kafin/thug/src/DOM/DFT.py", line 20, in <module>
        import pylibemu
    ImportError: libemu.so.2: cannot open shared object file: No such file or directory

    Has anyone else got this error, or how do I solve this?

    thanks

    opened by kafin 10
  • Problem with shellcode encoding - MongoDB logging

    Hello, I think that the shellcode is not properly handled and stored in MongoDB. I get error messages like this one when thug tries to decode the hex encoded shellcode:

    ...
      File "/usr/local/lib/python2.7/dist-packages/thug/Logging/ThugLogging.py", line 125, in add_shellcode_snippet
        m(snippet, language, relationship, tag.hex, method)
      File "/usr/local/lib/python2.7/dist-packages/thug/Logging/modules/MongoDB.py", line 416, in add_code_snippet
        'snippet'      : self.fix(snippet),
      File "/usr/local/lib/python2.7/dist-packages/thug/Logging/modules/MongoDB.py", line 408, in fix
        return thug_unicode(data).replace("\n", "").strip()
    UnicodeDecodeError: 'ascii' codec can't decode byte 0xeb in position 4: ordinal not in range(128) 
    

    The problem is that the shellcode contains non-printable characters and thus cannot be stored in decoded form. Also, even when it is possible to decode the shellcode as Unicode, the output is not as useful as the original hex-encoded form. This exception also breaks the analysis, so it is not properly finished. I think that the shellcode should not be decoded and should be stored in its original form. What do you think about that? Thank you.

    Stanislav

    defect 
    opened by standa4 9
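The failure in this report and the lossless alternative it asks for, as an added example that is not Thug's code: fix_text_only mirrors the text-only path of the traceback above, fix_lossy shows that even a decoder that never fails still alters the bytes, and store_snippet/load_snippet are hypothetical names for the hex-preserving record; SAMPLE is a constructed byte string, not a real payload.

```python
import binascii
import hashlib

# Constructed sample: arbitrary bytes, not a real payload. Byte 4 is 0xeb (non-ASCII,
# as in the reported error) and byte 5 is 0x0a (a newline), the two properties that
# break text-oriented handling.
SAMPLE = b"\x41\x42\x43\x44\xeb\x0a\x00\xff"


def fix_text_only(data):
    """Mirrors the failing path in the report: decode as text, then drop newlines.
    Any byte >= 0x80 raises UnicodeDecodeError and aborts the whole analysis."""
    return data.decode("ascii").replace("\n", "").strip()


def fix_lossy(data):
    """Even with a decoder that accepts every byte, the newline stripping silently
    changes the shellcode, so what gets stored is no longer what was observed."""
    return data.decode("latin-1").replace("\n", "").strip().encode("latin-1")


def store_snippet(data, language="Shellcode", relationship="", method=""):
    """Keep the snippet in its original form: hex text is safe for any document
    store and round-trips byte for byte. The hash lets analysts correlate samples."""
    return {
        "snippet": binascii.hexlify(data).decode("ascii"),
        "encoding": "hex",
        "length": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "language": language,
        "relationship": relationship,
        "method": method,
    }


def load_snippet(record):
    """Inverse of store_snippet(): recover the exact original bytes."""
    if record["encoding"] != "hex":
        raise ValueError("unexpected snippet encoding: %r" % record["encoding"])
    return binascii.unhexlify(record["snippet"])


def classify_failure(fn, data):
    """Return the exception class name fn raises on data, or None if it succeeds."""
    try:
        fn(data)
    except Exception as exc:
        return type(exc).__name__
    return None
```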
  • Timeout option not working properly

    Hello. Is it possible that the timeout option (-T) is not working as intended? I was scanning some targets that take a long time or never finish at all (longer than the 600s default timeout), where I noticed that the runs actually don't finish after the default timeout. I still see the timeout message in the log: [2019-03-19 09:09:30] The analysis took more than 60 second(s). Aborting! However, the run is not stopped as a result; rather, it continues as if nothing happened. The same behaviour was occurring after choosing different targets and a shorter timeout.

    I am running thug inside a docker container and am starting the scans with the following command (short timeout for testing purposes): docker run --rm -it buffer/thug thug -T 10 -d <target url>

    Am I misinterpreting what the timeout option is for? I am assuming it should abort the scan as soon as the timeout is reached, but maybe that is not the case.

    defect docker 
    opened by PinkSheep 8
Releases (v4.7)
Owner
Angelo Dell'Aera
Linux kernel hacker, deeply interested in every facet of computer and information security, intensely involved in exploring and analyzing new emerging threats.