{"id":13437927,"url":"https://github.com/taviso/avscript","last_synced_at":"2025-03-19T18:31:16.495Z","repository":{"id":148963243,"uuid":"246085941","full_name":"taviso/avscript","owner":"taviso","description":"Avast JavaScript Interactive Shell ","archived":true,"fork":false,"pushed_at":"2020-03-12T15:44:27.000Z","size":3652,"stargazers_count":665,"open_issues_count":0,"forks_count":63,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-08-01T03:25:20.804Z","etag":null,"topics":["reverse-engineering","security"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/taviso.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-03-09T16:25:12.000Z","updated_at":"2024-07-10T21:12:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"14176a04-d788-40fd-bc03-85fb8bb61724","html_url":"https://github.com/taviso/avscript","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Favscript","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Favscript/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Favscript/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Favscript/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/taviso","download_url":"https://codeload.github.com/taviso/avscript/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","r
epositories_count":221729761,"owners_count":16871102,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["reverse-engineering","security"],"created_at":"2024-07-31T03:01:01.281Z","updated_at":"2024-10-27T20:30:50.518Z","avatar_url":"https://github.com/taviso.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"# Avast Antivirus JavaScript Interpreter\n\n\u003e NOTE: On 03/11/2020 Avast [announced](https://twitter.com/avast_antivirus/status/1237685343580753925)\n\u003e they had decided to disable this interpreter globally!\n\nThe main Avast antivirus process is called AvastSvc.exe, which runs as SYSTEM.\n\n![AvastSvc.exe](doc/avastsvc.png)\n\nThat service loads the low level antivirus engine, and analyzes untrusted data\nreceived from sources like the filesystem minifilter or intercepted network\ntraffic.\n\nDespite being highly privileged and processing untrusted input by design, it is\nunsandboxed and has poor mitigation coverage. Any vulnerabilities in this\nprocess are critical, and easily accessible to remote attackers.\n\nSo.. maybe not great that it includes a custom JavaScript interpreter....???? 
🙃\n\n![screenshot](doc/screenshot.png)\n\n\nThis repository contains an interactive shell that lets you test the\ninterpreter on Linux for vulnerability research.\n\n# Building\n\nHere's how to try it out. First, install the dependencies.\n\n#### Ubuntu\n```\n$ sudo apt install libreadline-dev:i386 libc6-dev-i386 gcc-multilib\n```\n\n#### Fedora\n```\n$ sudo yum install readline-devel.i686 glibc-devel.i686 libgcc.i686\n```\n\nNow you can clone this repository.\n\n```\n$ git clone https://github.com/taviso/avscript.git\n$ cd avscript\n$ git submodule update --init --recursive\n```\n\nIf everything looks good, build it and `avscript` should be ready.\n\n```\n$ make\n```\n\n# Notes\n\n### Reproducing Vulnerabilities on Windows\n\nFor performance reasons, Avast do not interpret every JavaScript file they\nencounter; they use a heuristic to determine whether it's necessary. I've found that\nappending the file `javascript.txt` included in this repository is enough to\nalways trigger the heuristic.\n\nFor example, if you have found a vulnerability and want to reproduce it on\nWindows, you would first do this:\n\n```\n$ cat yourtestcase.js javascript.txt \u003e ReproForWindows.js\n```\n\nNow verify that it still does what you expect, e.g.\n\n```\n$ ./avscript ReproForWindows.js\nmain(): File ReproForWindows.js` loaded, about to initialize interpreter...\nSegmentation fault (core dumped)\n```\n\nThen verify that the crash reproduces on Windows.\n\n### Protected Process\n\nThe Avast service is a protected process, which means debugging it from\nuserspace is tricky. 
If you have kd configured, you can simply undo this\nand then debugging in userspace works fine.\n\nA quick and easy solution that works on 32-bit is to do this (note that\n[PatchGuard](https://en.wikipedia.org/wiki/Kernel_Patch_Protection) won't\npermit this on x64, but you can do something similar with [breakpoint\ncommands](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-a-conditional-breakpoint)).\n\n![screenshot](doc/protected.png)\n\nThere is also a setting under \"Troubleshooting\" called \"Enable Self-Defense\"\nthat should be disabled. I believe this setting disables hooking `OpenProcess()`\nin the SSDT, where they normally blacklist their own process.\n\nYou may need to temporarily disable \"shields\" in the Avast UI while you\nattach so that filesystem operations don't deadlock while the service is\nsuspended.\n\n### Debugging\n\nAvast does not publish any symbols for their engine, but debugging with IDA or gdb\nis still possible. There are some notes on debugging Windows code from Linux in\nthe [loadlibrary documentation](https://github.com/taviso/loadlibrary).\n\nIf you want to use IDA, I would recommend using the `gdbserver` backend.\n\nSimply use something like this; you might need to install the gdbserver package first:\n\n`$ gdbserver 0.0.0.0:23946 ./avscript`\n\nThis works surprisingly well, even pseudocode breakpoints work.\n\n![IDA screenshot](doc/debugging.png)\n\n### Vulnerabilities\n\nIf you find a vulnerability, it is likely **critical** and **wormable**.\n\n🔥 Please [report it](https://www.avast.com/coordinated-vulnerability-disclosure) urgently. 🔥\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaviso%2Favscript","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftaviso%2Favscript","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaviso%2Favscript/lists"}