urule99 / jsunpack-n

Automatically exported from code.google.com/p/jsunpack-n
GNU General Public License v2.0

ASCII85 Decode issue #2

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

What steps will reproduce the problem?
1. go to http://jsunpack.jeek.org/dec/go
2. submit an active malware that is ASCII85 encoded without "<~" and "~>" (for 
example : hxxp://bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on <-- 
active malware, be careful )
3. you'll see jsunpack marks it as benign :)

What is the expected output? What do you see instead?
- expected output is to detect it as malicious behavior, but because of using "<~" 
and "~>" as a mandatory index, the PDF will be marked as benign!

What version of the product are you using? On what operating system?
- latest version that is active on the site (http://jsunpack.jeek.org/dec/go?)

Please provide any additional information below.
- need to provide another way to index 
https://code.google.com/p/jsunpack-n/source/browse/trunk/pdf.py#274

Original issue reported on code.google.com by scorp...@gmail.com on 30 Jul 2010 at 8:08

GoogleCodeExporter commented 9 years ago
This malicious file didn't start with %PDF-... I've modified pdf.py and 
jsunpackn.py to correctly handle any PDF where %PDF- occurs within the first 
1024 bytes.

Original comment by urul...@gmail.com on 26 May 2011 at 3:13
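The two parsing points raised in this thread, as an added example that is not jsunpack-n's code: an ASCII85 decoder that treats the `<~` and `~>` markers as optional, and a check for `%PDF-` within the first 1024 bytes. The function names and the sample input are constructed for illustration.

```python
import base64
import re
import struct

HEADER_WINDOW = 1024  # window named in the maintainer's comment

def find_pdf_header(data: bytes) -> int:
    """Offset of %PDF- inside the first 1024 bytes, or -1 if absent."""
    return data[:HEADER_WINDOW].find(b"%PDF-")

def _emit(digits, nbytes):
    value = 0
    for d in digits:
        value = value * 85 + d
    if value > 0xFFFFFFFF:
        raise ValueError("ASCII85 group overflows 32 bits")
    return struct.pack(">I", value)[:nbytes]

def ascii85_decode_lenient(stream: bytes) -> bytes:
    """Decode ASCII85 whether or not the <~ and ~> markers are present."""
    text = re.sub(rb"\s+", b"", stream)
    if text.startswith(b"<~"):      # optional start marker
        text = text[2:]
    end = text.find(b"~>")          # optional end marker
    if end != -1:
        text = text[:end]
    out, group = bytearray(), []
    for ch in text:
        if ch == ord("z") and not group:   # 'z' abbreviates four zero bytes
            out += b"\x00" * 4
            continue
        if not 33 <= ch <= 117:
            raise ValueError("byte 0x%02x is not in the ASCII85 alphabet" % ch)
        group.append(ch - 33)
        if len(group) == 5:
            out += _emit(group, 4)
            group = []
    if len(group) == 1:
        raise ValueError("final group has a single character")
    if group:                        # short final group: pad with 'u' (84)
        out += _emit(group + [84] * (5 - len(group)), len(group) - 1)
    return bytes(out)

# Constructed sample: a harmless string encoded with no markers at all.
PLAIN = b"app.alert('constructed sample')"
BARE = base64.a85encode(PLAIN)

if __name__ == "__main__":
    print(ascii85_decode_lenient(BARE))
    print(find_pdf_header(b"\x00" * 300 + b"%PDF-1.4\n"))
```

A scanner that raises on malformed input here should treat the exception as a reason to flag the stream for review, not as a reason to skip it.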