From fde87fd95cce30b469d6a2523660504a6f4e4e1e Mon Sep 17 00:00:00 2001
From: Windham Wong
Date: Sat, 21 Oct 2017 07:51:03 +0100
Subject: [PATCH] Gzip decryption now supports 2 libraries and threshold search. Gzip decryption now stop decrypting at the position of plaintext searched by threshold
---
 src/core/config/OperationConfig.js | 17 +++++++--
 src/core/config/modules/Compression.js | 24 ++++++-------
 src/core/operations/Compress.js | 48 +++++++++++++++++++++++---
 3 files changed, 70 insertions(+), 19 deletions(-)
diff --git a/src/core/config/OperationConfig.js b/src/core/config/OperationConfig.js
index 3b866a60..6b6e7fa2 100755
--- a/src/core/config/OperationConfig.js
+++ b/src/core/config/OperationConfig.js
@@ -1759,10 +1759,21 @@ const OperationConfig = {
 },
 "HTTP gzip Decrypt": {
 module: "Compression",
- description: "Decrypts Gzip payload from a request or response and returning plaintext of the header and decrypted payload.",
+ description: "Decrypts Gzip payload from a request or response and returning plaintext of the header and decrypted payload.

Arguments:
Library: The library used for decoding GZIP data.
Threshold: The threshold value for searching non-GZIP data. It has to be at least 8.",
 inputType: "byteArray",
 outputType: "byteArray",
- args: []
+ args: [
+ {
+ name: "Library",
+ type: "option",
+ value: Compress.HTTP_GZIP_OPTION
+ },
+ {
+ name: "Threshold",
+ type: "number",
+ value: Compress.HTTP_GZIP_THRESHOLD
+ },
+ ]
 },
 "Parse User Agent": {
 module: "HTTP",
@@ -3879,7 +3890,7 @@ const OperationConfig = {
 },
 "Strip TCP Headers": {
 module: "Packets",
- description: "Remove selected TCP headers from hexstream",
+ description: "Remove selected TCP headers from hexstream using Regular Expressions.

Ethernet Header: /^(([0-9a-f]{4} ){6,8}0800 )/igm
IP Header: /^((45[0-9a-f]{2} ([0-9a-f]{4} ){9}))/igm
TCP Header: /^([0-9a-f]{4} ){6}((80[0-9a-f]{2} ([0-9a-f]{4} ?){9})|(50[0-9a-f]{2} ([0-9a-f]{4} ?){3}))/igm",
 inputType: "string",
 outputType: "string",
 args: [
diff --git a/src/core/config/modules/Compression.js b/src/core/config/modules/Compression.js
index bbe05bfa..9d55b400 100644
--- a/src/core/config/modules/Compression.js
+++ b/src/core/config/modules/Compression.js
@@ -15,18 +15,18 @@ import Compress from "../../operations/Compress.js";
 let OpModules = typeof self === "undefined" ? {} : self.OpModules || {};
 OpModules.Compression = {
- "Raw Deflate": Compress.runRawDeflate,
- "Raw Inflate": Compress.runRawInflate,
- "Zlib Deflate": Compress.runZlibDeflate,
- "Zlib Inflate": Compress.runZlibInflate,
- "Gzip": Compress.runGzip,
- "Gunzip": Compress.runGunzip,
- "Zip": Compress.runPkzip,
- "Unzip": Compress.runPkunzip,
- "Bzip2 Decompress": Compress.runBzip2Decompress,
- "Tar": Compress.runTar,
- "Untar": Compress.runUntar,
- "HTTP gzip Decrypt":Compress.runHttpGzip,
+ "Raw Deflate": Compress.runRawDeflate,
+ "Raw Inflate": Compress.runRawInflate,
+ "Zlib Deflate": Compress.runZlibDeflate,
+ "Zlib Inflate": Compress.runZlibInflate,
+ "Gzip": Compress.runGzip,
+ "Gunzip": Compress.runGunzip,
+ "Zip": Compress.runPkzip,
+ "Unzip": Compress.runPkunzip,
+ "Bzip2 Decompress": Compress.runBzip2Decompress,
+ "Tar": Compress.runTar,
+ "Untar": Compress.runUntar,
+ "HTTP gzip Decrypt": Compress.runHttpGzip,
 };
diff --git a/src/core/operations/Compress.js b/src/core/operations/Compress.js
index 2614c6f5..7748f9d9 100755
--- a/src/core/operations/Compress.js
+++ b/src/core/operations/Compress.js
@@ -255,6 +255,17 @@ const Compress = {
 },
+ /**
+ * @constant
+ * @default
+ */
+ HTTP_GZIP_OPTION: ["pako.js", "zlib.js"],
+ /**
+ * @constant
+ * @default
+ */
+ HTTP_GZIP_THRESHOLD: 8,
+
 /**
 * HTTP Gzip operation.
 *
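Review bot: The two constants added to src/core/operations/Compress.js carry only `@constant`/`@default` tags, and nothing records that the order of `HTTP_GZIP_OPTION` is load-bearing. The next hunk takes `indexOf(args[0])` on that array and branches on `library === 0` and `library === 1`, so reordering or inserting an entry would silently switch the decoder. I would give each block a description, for example `Libraries offered for "HTTP gzip Decrypt"; runHttpGzip dispatches on the array index, so pako.js must stay at 0 and zlib.js at 1.` and `Minimum run of consecutive text-like bytes that runHttpGzip treats as the end of the gzip data; arguments of 8 or below fall back to this default.`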
@@ -263,18 +274,47 @@ const Compress = {
 * @returns {byteArray}
 */
 runHttpGzip: function(input, args) {
+ const library = Compress.HTTP_GZIP_OPTION.indexOf(args[0]);
+ let threshold = Compress.HTTP_GZIP_THRESHOLD;
+ if (args[1] > 8) {
+ threshold = args[1];
+ }
 input = Utils.byteArrayToHexNoSpace(input);
+ let output = input;
 let regexStr = /1f8b080[0-8][0-9a-f]{12}/;
 let gzipPos = input.search(regexStr);
 if (gzipPos === -1) {
 return Utils.hexToByteArray(input);
 }
- let plainData = input.substr(0, gzipPos);
- let gzipData = input.substr(gzipPos);
- gzipData = Utils.hexToByteArray(gzipData);
- return Utils.hexToByteArray(plainData).concat(Array.prototype.slice.call(pako.ungzip(gzipData)));
+ while (gzipPos !== -1) {
+ output = input;
+
+ let plainData = output.substr(0, gzipPos);
+ let gzipData = output.substr(gzipPos);
+ let httpDataAfter = "";
+
+ let httpDataPosRegex = new RegExp("/((3[0-9])|(6[0-9a-f])|(7[0-9a])|(4[0-9a-f])|(5[0-9a])|(2[e-f])|(2b)|(20)){" + threshold + "}/");
+ let httpDataPos = gzipData.search(httpDataPosRegex);
+ if (httpDataPos !== -1) {
+ httpDataAfter = gzipData.substr(httpDataPos);
+ gzipData = gzipData.substr(0, httpDataPos);
+ }
+
+ console.log(httpDataPos);
+ gzipData = Utils.hexToByteArray(gzipData);
+ if (library === 0) {
+ output = Utils.hexToByteArray(plainData).concat(Array.prototype.slice.call(pako.inflate(gzipData))).concat(Utils.hexToByteArray(httpDataAfter));
+ } else if (library === 1) {
+ let gzipDataRaw = new Zlib.Gunzip(gzipData);
+ output = Utils.hexToByteArray(plainData).concat(Array.prototype.slice.call(gzipDataRaw.decompress())).concat(Utils.hexToByteArray("0d0a 0d0a")).concat(Utils.hexToByteArray(httpDataAfter));
+ }
+
+ input = Utils.byteArrayToHexNoSpace(output);
+ gzipPos = input.search(regexStr);
+ }
+ return output;
 },
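Review bot: In `runHttpGzip` the string passed to `new RegExp` still contains its `/` delimiters (`"/((3[0-9])|…){" + threshold + "}/"`), so the pattern demands literal slashes that a hex string cannot contain. `httpDataPos` therefore stays -1, the Threshold argument has no effect, and everything after the gzip magic is handed to the inflater. Dropping the delimiters, `new RegExp("(…alternation unchanged…){" + threshold + "}")`, restores the match, though a hit at an odd hex offset would still split a byte, and `threshold` should be coerced to an integer before it is spliced into the quantifier. Separately, the `while` loop re-scans the decompressed output for the gzip magic, so on captured traffic a sender-controlled payload is inflated repeatedly with no cap on passes or output size, and when `args[0]` is not in `HTTP_GZIP_OPTION` (`library === -1`) neither branch runs and `output` stays the hex string; I would reject an unknown library up front and bound the number of passes. The `console.log(httpDataPos);` debug line should be removed, and the zlib.js branch appends `0d0a 0d0a` where the pako branch does not, which looks unintended.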