Guest MikeyJ
Posted December 5, 2012

Hi All,

Anyone figured out the right configuration to get the latest version of Combofix? The URL is here: http://www.bleepingc...nload/combofix/

I'm not quite sure how to grab it since there is a link on that page that redirects to another page that auto starts the download (although it also includes a direct download link that changes every time you access the page).

Thanks!
Mike
Guest MikeyJ
Posted December 5, 2012

Solved.

URL = http://download.blee...ix/ComboFix.exe
Variable "CFKEY"
Start = <meta http-equiv="refresh" content="3; url=http://download.bleepingcomputer.com/dl/
End = /windows/security/anti-virus/c/combofix/ComboFix.exe

Anyone see any problems with this?

Thx!
Mike
shawn
Posted December 5, 2012

This is a perfect example of the use of variables to capture the content of multiple pages sequentially.

The first variable calls the link above and captures the current download page (this page is likely static, but that's okay, as it minimizes risk later on), then a new variable uses the captured download page URL to capture the direct download link (regex: "; url=([^"]+)"). Finally, use that variable within your download URL and you're fine.

Be aware that some sites track the IP address and user-agent to ensure it's a valid request, thus minimizing the server and bandwidth abuse, so you might need to make sure you limit the number of attempts you try to make on this site on a regular basis (check it no more than once every day), and you might need to assign a common user-agent such as IE9, too.

Here's a working template that takes each of these into account:

<?xml version='1.0' encoding='utf-8'?>
<Jobs>
  <ApplicationJob xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" Guid="703cd577-a49e-46a1-9826-596cc5473d2b">
    <Category>Security</Category>
    <WebsiteUrl>http://www.bleepingcomputer.com/download/combofix/</WebsiteUrl>
    <UserAgent>{ie32}</UserAgent>
    <UserNotes />
    <IgnoreFileInformation>false</IgnoreFileInformation>
    <VariableChangeIndicator>version</VariableChangeIndicator>
    <CanBeShared>false</CanBeShared>
    <ShareApplication>false</ShareApplication>
    <ExclusiveDownload>false</ExclusiveDownload>
    <HttpReferer>{sdownload}</HttpReferer>
    <SetupInstructions />
    <Variables>
      <item>
        <key>
          <string>version</string>
        </key>
        <value>
          <UrlVariable>
            <RegexRightToLeft>false</RegexRightToLeft>
            <VariableType>Textual</VariableType>
            <TextualContent>{yyyy}{MM}{dd}</TextualContent>
            <Name>version</Name>
          </UrlVariable>
        </value>
      </item>
      <item>
        <key>
          <string>schangelog</string>
        </key>
        <value>
          <UrlVariable>
            <RegexRightToLeft>false</RegexRightToLeft>
            <VariableType>Textual</VariableType>
            <Regex />
            <TextualContent />
            <Name>schangelog</Name>
          </UrlVariable>
        </value>
      </item>
      <item>
        <key>
          <string>snotes</string>
        </key>
        <value>
          <UrlVariable>
            <RegexRightToLeft>false</RegexRightToLeft>
            <VariableType>Textual</VariableType>
            <Regex />
            <Name>snotes</Name>
          </UrlVariable>
        </value>
      </item>
      <item>
        <key>
          <string>swebsite</string>
        </key>
        <value>
          <UrlVariable>
            <RegexRightToLeft>false</RegexRightToLeft>
            <VariableType>Textual</VariableType>
            <Regex />
            <TextualContent>http://www.bleepingcomputer.com/download/combofix/</TextualContent>
            <Name>swebsite</Name>
          </UrlVariable>
        </value>
      </item>
      <!-- Step 1: capture the current download page URL from the landing page -->
      <item>
        <key>
          <string>homepage</string>
        </key>
        <value>
          <UrlVariable>
            <RegexRightToLeft>false</RegexRightToLeft>
            <VariableType>RegularExpression</VariableType>
            <Regex>(http://www.bleepingcomputer.com/download/combofix/dl/\d+/)</Regex>
            <Url>http://www.bleepingcomputer.com/download/combofix/</Url>
            <Name>homepage</Name>
          </UrlVariable>
        </value>
      </item>
      <!-- Step 2: capture the direct download link from the page found in step 1 -->
      <item>
        <key>
          <string>sdownload</string>
        </key>
        <value>
          <UrlVariable>
            <RegexRightToLeft>false</RegexRightToLeft>
            <VariableType>RegularExpression</VariableType>
            <Regex>; url=([^"]+)</Regex>
            <Url>{homepage}</Url>
            <Name>sdownload</Name>
          </UrlVariable>
        </value>
      </item>
    </Variables>
    <ExecuteCommand />
    <ExecutePreCommand />
    <ExecuteCommandType>Batch</ExecuteCommandType>
    <ExecutePreCommandType>Batch</ExecutePreCommandType>
    <SourceType>FixedUrl</SourceType>
    <DeletePreviousFile>true</DeletePreviousFile>
    <Enabled>true</Enabled>
    <TargetPath>.\{category}\{appname:regexreplace:([\s\t\r\n\-\\&amp;\/]+):_}.{url:ext}</TargetPath>
    <FixedDownloadUrl>{sdownload}</FixedDownloadUrl>
    <Name>ComboFix</Name>
  </ApplicationJob>
</Jobs>

You'll need to set a global variable in Ketarin for 'ie32'. I use this value:

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
shawn
Posted December 5, 2012

If they change the file name, case, pattern, category, delay time or even spacing on the site then that before/after capture will fail. It's safer to use a loose regex whenever you can.
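The chained capture from the template above, run next to the earlier Start/End capture, as an added example that is not part of the original posts and is not Ketarin's own code. The page bodies, the id 123 and the key CONSTRUCTEDKEY are constructed placeholders, and the final host allowlist check is an addition assumed here, not something the template or Ketarin does.

```python
import re
from urllib.parse import urlsplit

# Patterns and Start/End strings copied from the posts in this thread.
HOMEPAGE_RE = r'(http://www.bleepingcomputer.com/download/combofix/dl/\d+/)'
SDOWNLOAD_RE = r'; url=([^"]+)'
START = '<meta http-equiv="refresh" content="3; url=http://download.bleepingcomputer.com/dl/'
END = '/windows/security/anti-virus/c/combofix/ComboFix.exe'
START_URL = 'http://www.bleepingcomputer.com/download/combofix/'

# Constructed landing page; the id 123 is a placeholder.
LANDING = '<a href="http://www.bleepingcomputer.com/download/combofix/dl/123/">Download</a>'

def redirect_page(delay=3, name="ComboFix.exe"):
    """Constructed meta-refresh page; CONSTRUCTEDKEY stands in for the changing key."""
    return ('<meta http-equiv="refresh" content="%d; url=http://download.'
            'bleepingcomputer.com/dl/CONSTRUCTEDKEY/windows/security/'
            'anti-virus/c/combofix/%s">' % (delay, name))

def capture_between(text, start, end):
    """Before/after capture: the text between two fixed strings, or None."""
    i = text.find(start)
    if i < 0:
        return None
    j = text.find(end, i + len(start))
    return text[i + len(start):j] if j >= 0 else None

def capture_regex(text, pattern):
    """First capture group of the first match, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def resolve_download(fetch, start_url, allowed_hosts):
    """Chain the two variables, then reject URLs outside the allowlist (added check)."""
    homepage = capture_regex(fetch(start_url), HOMEPAGE_RE)
    if homepage is None:
        return None
    url = capture_regex(fetch(homepage), SDOWNLOAD_RE)
    if url is None:
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        return None
    return url

def make_fetch(redirect_html):
    """Offline stand-in for an HTTP GET that serves the constructed pages."""
    pages = {START_URL: LANDING, START_URL + "dl/123/": redirect_html}
    return lambda url: pages[url]
```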
Guest andySF
Posted February 2, 2013

For me accessing "http://download.blee...s/ComboFix.exe" directly has worked. Is that not wrong?
Guest andySF
Posted February 2, 2013

For me accessing "http://download.blee...s/ComboFix.exe" directly has worked. Is that wrong?
shawn
Posted February 2, 2013

It's not always in sync with the current build.