Running JavaScript code from the command line

This post was written by eli on April 14, 2014
Posted Under: Internet,Software

Sometimes, there are JavaScript snippets for the sake of obfuscation (hmmm, including this site). This is code made complicated intentionally, to prevent web spiders from harvesting addresses or emails. But hey, what if I’m the one with the spider?

The simple, and somewhat dangerous solution, is to run the JavaScript code on a local interpreter. I found Google’s V8 project most suitable for this purpose. Download the sources from Google’s SVN:

$ svn checkout http://v8.googlecode.com/svn/trunk/ v8

Following the instructions for building with GYP, change directory to v8/ and download GYP (and other stuff, I suppose)

$ make dependencies

And build for the current platform:

$ time make -j 8 native

which fails, because warnings are treated as errors (on GCC 4.4.4). So this instead:

$ time make werror=no -j 8 native

This worked, and took 2.30 minutes on my computer. The outputs go to out/native, so

$ cd out/native/
$ ./d8
V8 version 3.26.12 [console: dumb]
d8> print("Hello, world");
Hello, world
undefined

Isn’t that sweet? It just executes the command.

Note that d8 always returns the value of the last operation, which is nice when all we want is evaluation an obfuscated expression.

d8> os.system("date");
"Sun Apr 13 18:59:24 IDT 2014
"

Ayyeee! The interpreter allows shelling out! This means that running an alien script on our machine is extremely dangerous: If a spider is calling the interpreter with scripts that it retrieves from the web, one could easily contain code that attempts to run code on the host’s computer, if it detects that the environment isn’t a browser. Protective measures aren’t simple. I don’t know of any way to safely prevent the interpreter from accessing its host’s capabilities, except for applying seLinux or (the weaker option) chroot jailing. Or maybe use Linux namespaces for lightweight virtualization.

Anyhow, there are other executables created as well, for example, “shell”:

$ ./shell
V8 version 3.26.12 [sample shell]
> print("Hello, world");
Hello, world
>

More info can be found on this page. For example, it’s possible to quit the shell with the quit(0) command.

Add a Comment

required, use real name
required, will not be published
optional, your blog address