Ketarin forum

Combofix


Guest MikeyJ

Hi All,

 

Anyone figured out the right configuration to get the latest version of Combofix?

 

The URL is here:

http://www.bleepingc...nload/combofix/

 

I'm not quite sure how to grab it since there is a link on that page that redirects to another page that auto starts the download (although it also includes a direct download link that changes every time you access the page).

 

Thanks!

Mike


This is a perfect example of the use of variables to capture the content of multiple pages sequentially. The first variable calls the link above and captures the current download page (this page is likely static, but that's okay, as it minimizes risk later on), then a new variable uses the captured download page URL to capture the direct download link (regex: "; url=([^"]+)"). Finally, use that variable within your download URL and you're fine.

 

Be aware that some sites track the IP address and user-agent to ensure it's a valid request, thus minimizing the server and bandwidth abuse, so you might need to make sure you limit the number of attempts you try to make on this site on a regular basis (check it no more than once every day), and you might need to assign a common user-agent such as IE9, too. Here's a working template that takes each of these into account:

 

<?xml version='1.0' encoding='utf-8'?>
<Jobs>
 <ApplicationJob xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Guid="703cd577-a49e-46a1-9826-596cc5473d2b">
   <Category>Security</Category>
   <WebsiteUrl>http://www.bleepingcomputer.com/download/combofix/</WebsiteUrl>
   <UserAgent>{ie32}</UserAgent>
   <UserNotes />
   <IgnoreFileInformation>false</IgnoreFileInformation>
   <VariableChangeIndicator>version</VariableChangeIndicator>
   <CanBeShared>false</CanBeShared>
   <ShareApplication>false</ShareApplication>
   <ExclusiveDownload>false</ExclusiveDownload>
   <HttpReferer>{sdownload}</HttpReferer>
   <SetupInstructions />
   <Variables>
  <item>
    <key>
	  <string>version</string>
    </key>
    <value>
	  <UrlVariable>
	    <RegexRightToLeft>false</RegexRightToLeft>
	    <VariableType>Textual</VariableType>
	    <TextualContent>{yyyy}{MM}{dd}</TextualContent>
	    <Name>version</Name>
	  </UrlVariable>
    </value>
  </item>
  <item>
    <key>
	  <string>schangelog</string>
    </key>
    <value>
	  <UrlVariable>
	    <RegexRightToLeft>false</RegexRightToLeft>
	    <VariableType>Textual</VariableType>
	    <Regex />
	    <TextualContent />
	    <Name>schangelog</Name>
	  </UrlVariable>
    </value>
  </item>
  <item>
    <key>
	  <string>snotes</string>
    </key>
    <value>
	  <UrlVariable>
	    <RegexRightToLeft>false</RegexRightToLeft>
	    <VariableType>Textual</VariableType>
	    <Regex />
	    <Name>snotes</Name>
	  </UrlVariable>
    </value>
  </item>
  <item>
    <key>
	  <string>swebsite</string>
    </key>
    <value>
	  <UrlVariable>
	    <RegexRightToLeft>false</RegexRightToLeft>
	    <VariableType>Textual</VariableType>
	    <Regex />
	    <TextualContent>http://www.bleepingcomputer.com/download/combofix/</TextualContent>
	    <Name>swebsite</Name>
	  </UrlVariable>
    </value>
  </item>
  <item>
    <key>
	  <string>homepage</string>
    </key>
    <value>
	  <UrlVariable>
	    <RegexRightToLeft>false</RegexRightToLeft>
	    <VariableType>RegularExpression</VariableType>
	    <Regex>(http://www.bleepingcomputer.com/download/combofix/dl/\d+/)</Regex>
	    <Url>http://www.bleepingcomputer.com/download/combofix/</Url>
	    <Name>homepage</Name>
	  </UrlVariable>
    </value>
  </item>
  <item>
    <key>
	  <string>sdownload</string>
    </key>
    <value>
	  <UrlVariable>
	    <RegexRightToLeft>false</RegexRightToLeft>
	    <VariableType>RegularExpression</VariableType>
	    <Regex>; url=([^"]+)</Regex>
	    <Url>{homepage}</Url>
	    <Name>sdownload</Name>
	  </UrlVariable>
    </value>
  </item>
   </Variables>
   <ExecuteCommand />
   <ExecutePreCommand />
   <ExecuteCommandType>Batch</ExecuteCommandType>
   <ExecutePreCommandType>Batch</ExecutePreCommandType>
   <SourceType>FixedUrl</SourceType>
   <DeletePreviousFile>true</DeletePreviousFile>
   <Enabled>true</Enabled>
   <TargetPath>.\{category}\{appname:regexreplace:([\s\t\r\n\-\\&amp;\/]+):_}.{url:ext}</TargetPath>
   <FixedDownloadUrl>{sdownload}</FixedDownloadUrl>
   <Name>ComboFix</Name>
 </ApplicationJob>
</Jobs>

 

You'll need to set a global variable in Ketarin for 'ie32'. I use this value:

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
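
The two-stage capture described in the reply above, as an added Python example that is not part of the original post or of Ketarin. The sample pages, the `/dl/12/` id, the `example.invalid` host, and the `allowed_hosts` check on the captured URL are assumptions made for illustration; the two regexes are copied from the template.

```python
import re
from urllib.parse import urlsplit

# Regexes copied verbatim from the template's 'homepage' and 'sdownload' variables.
# (The unescaped dots in the first one match any character, as in the template.)
HOMEPAGE_RE = re.compile(r'(http://www.bleepingcomputer.com/download/combofix/dl/\d+/)')
SDOWNLOAD_RE = re.compile(r'; url=([^"]+)')

START_URL = "http://www.bleepingcomputer.com/download/combofix/"

# Constructed sample pages; the "/dl/12/" id and the example.invalid host are made up.
PAGES = {
    START_URL: '<a href="http://www.bleepingcomputer.com/download/combofix/dl/12/">Download</a>',
    "http://www.bleepingcomputer.com/download/combofix/dl/12/":
        '<meta http-equiv="refresh" '
        'content="3; url=http://download.example.invalid/d/ComboFix.exe?key=abc123">',
}


def fake_fetch(url):
    """Stand-in for an HTTP GET so the example runs offline."""
    return PAGES[url]


def capture(regex, html, stage):
    """Return the first capture group, or fail loudly if the page layout changed."""
    match = regex.search(html)
    if match is None:
        raise ValueError(f"{stage}: pattern not found, page layout may have changed")
    return match.group(1)


def resolve_download(fetch, start_url, allowed_hosts):
    """Chain the two variables, then vet the scraped URL before it is downloaded."""
    homepage = capture(HOMEPAGE_RE, fetch(start_url), "homepage")
    sdownload = capture(SDOWNLOAD_RE, fetch(homepage), "sdownload")
    parts = urlsplit(sdownload)
    # The second regex accepts whatever the page puts after "; url=", so pin the host.
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        raise ValueError(f"sdownload: refusing unexpected target {sdownload!r}")
    return sdownload


if __name__ == "__main__":
    print(resolve_download(fake_fetch, START_URL, {"download.example.invalid"}))
```
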