[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTi=1qQr_VZXeqWbJ_zCdNHkKGQpvXQ@mail.gmail.com>
Date: Mon, 18 Apr 2011 14:29:45 +0100
From: Cal Leeming <cal@...whisper.co.uk>
To: huj huj huj <datskihuj@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: guess what this does..
Considering that this code is already open source on Github? Not much,
faggot. lol.
On Mon, Apr 18, 2011 at 2:28 PM, huj huj huj <datskihuj@...il.com> wrote:
> caldouche
> what does your company think about you copy pasting production code on fd?
>
> 2011/4/13 Cal Leeming <cal@...whisper.co.uk>
>
>> Absolutely nothing. It really is only meant to stop "stupid bots", which
>> for us, was good enough at the time ;p
>>
>>
>> On Wed, Apr 13, 2011 at 7:07 PM, Chris M <chris@...lroute.net> wrote:
>>
>>> How does all of this stop someone feeding the obfuscated code into
>>> jsunpack and reloading it into a bot application with an inbuilt browser
>>> object and just following links etc?
>>>
>>>
>>> On Wed, Apr 13, 2011 at 3:50 PM, Christian Sciberras <uuf6429@...il.com>wrote:
>>>
>>>> Is it me or are spammers recruiting more script kiddies as of late?
>>>> Not much of a big deal considering their numbers are on the
>>>> rise...*ahem* anonymous *ahem*.
>>>>
>>>> Chris.
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Apr 13, 2011 at 4:47 PM, Cal Leeming <cal@...whisper.co.uk>wrote:
>>>>
>>>>> Well, the problem was the person(s) running the bots kept bypassing the
>>>>> simple protections such as these. Although it isn't 100% fool proof, it does
>>>>> make things *extremely* difficult for the person(s) with the bots, so much
>>>>> so, that they usually give up, unless they have specifically targeted you
>>>>> for some reason.
>>>>>
>>>>> So, instead we created hundreds of these little JS chunks, all with
>>>>> different lookup tables applied, and cycled them on an hourly basis. It
>>>>> meant if they wanted to continuously bot the service, they would have to de
>>>>> obfuscate the protection code, or find a mathmatical/bruteforce attack that
>>>>> would generate the seedkey for them. It would either involve manual
>>>>> intervention or code modification on the bot to make it work.. I'd
>>>>> have preferred to have added captcha, but there was a reasonable explanation
>>>>> as to why the client didn't want it.
>>>>>
>>>>> Either way, once we put this in, they gave up pretty quickly lol.
>>>>>
>>>>>
>>>>> On Wed, Apr 13, 2011 at 3:29 PM, Christian Sciberras <
>>>>> uuf6429@...il.com> wrote:
>>>>>
>>>>>> Cal /Ryan,
>>>>>>
>>>>>> I'm not sure what you're trying to achieve.
>>>>>> If we're talking about absolutely stupid bots, the following easily
>>>>>> defeats them:
>>>>>> <form>
>>>>>> <stuff/>
>>>>>> <script type=text/javascript>document.write('<input
>>>>>> type="hidden" name="access" value="code"/>');</script>
>>>>>> <form>
>>>>>>
>>>>>> I suppose you could obfuscate it all if you wanted to cater for script
>>>>>> kiddies.
>>>>>> But considering this is very weak protection (as opposed to proper
>>>>>> captcha), I'm not sure if it's even worthwhile.
>>>>>> One of the ways I can see this work is against automated,
>>>>>> "JS-ignorant", MITM systems.
>>>>>>
>>>>>> As indeed is true, you should never trust the end user.
>>>>>> But in a MITM scenario, the user we're not trusting is the one
>>>>>> conducting the attack, not the other.
>>>>>>
>>>>>> Chris.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <cal@...whisper.co.uk>wrote:
>>>>>>
>>>>>>> Lol, I've just realised something.. I didn't include the seed key
>>>>>>> variable itself, so this code would have been pretty much useless on it own
>>>>>>> *DOH*.
>>>>>>>
>>>>>>> So, here's something else a bit tasty.. this is the server side code
>>>>>>> used to check and create the seedkey itself (secret lookup table has been
>>>>>>> changed obv.).
>>>>>>>
>>>>>>> This code allows seedkeys to be generated from epoch time. Now,
>>>>>>> cryptographically I don't know how "sane" this is, but I'm fairly sure that
>>>>>>> if the lookup table contained large integers it would become almost
>>>>>>> impossible to do a pattern based brute force. I actually had quite a lot of
>>>>>>> fun trying to break my own code. :D
>>>>>>>
>>>>>>> PS) you have been awarded 1 internets.
>>>>>>>
>>>>>>>
>>>>>>> function get_valid_keys() {
>>>>>>> // Create key store
>>>>>>> $_s = array();
>>>>>>>
>>>>>>> // Create valid key ranges (+900 seconds)
>>>>>>> for($x=300;$x>=900;$x+=300):
>>>>>>> $_s[] = $this->create_key($offset=$x);
>>>>>>> endfor;
>>>>>>>
>>>>>>> // Create valid key ranges (-900 seconds)
>>>>>>> for($x=300;$x>=-900;$x-=300):
>>>>>>> $_s[] = $this->create_key($offset=$x);
>>>>>>> endfor;
>>>>>>>
>>>>>>> $_s[] = $this->create_key();
>>>>>>>
>>>>>>> return $_s;
>>>>>>> }
>>>>>>>
>>>>>>> function create_packed_key() {
>>>>>>> // Create a new valid key
>>>>>>> $key = $this->create_key();
>>>>>>>
>>>>>>> // Now generate the packed key
>>>>>>> $k = array();
>>>>>>> // Now convert it into an array
>>>>>>> for($x=0;$x<strlen($key);$x++):
>>>>>>> $_v = unpack("H*", $key[$x]);
>>>>>>> $k[]='\x'.$_v[1];
>>>>>>> endfor;
>>>>>>>
>>>>>>> // Okay, here is your brand new shiney key, sir :)
>>>>>>> $m = '"'.implode('","', $k).'"';
>>>>>>> $m = strrev($m);
>>>>>>> $_m = array();
>>>>>>> for($x=0;$x<strlen($m);$x++):
>>>>>>> $_m[]=$m[$x];
>>>>>>> endfor;
>>>>>>> return json_encode(implode("ZPAK", $_m));
>>>>>>> }
>>>>>>>
>>>>>>> function create_key($offset=0) {
>>>>>>> // Secret key table, used to mix up the seed
>>>>>>> $enc = array(
>>>>>>> 0 => "67892",
>>>>>>> 1 => "3953",
>>>>>>> 2 => "49474",
>>>>>>> 3 => "494755",
>>>>>>> 4 => "30585",
>>>>>>> 5 => "30582",
>>>>>>> 6 => "20485",
>>>>>>> 7 => "20486",
>>>>>>> 8 => "97294",
>>>>>>> 9 => "10284"
>>>>>>> );
>>>>>>>
>>>>>>> // Generate new seed
>>>>>>> $time = time();
>>>>>>> if ($offset):
>>>>>>> $time=$time+$offset;
>>>>>>> endif;
>>>>>>> $c=(int)($time/$this->_security_key_refresh);
>>>>>>> $_c = "$c";
>>>>>>>
>>>>>>> // Extract the last 5 digits of the number
>>>>>>> $char1 = substr($_c, strlen($c)-1, 1);
>>>>>>> $char2 = substr($_c, strlen($c)-2, 1);
>>>>>>> $char3 = substr($_c, strlen($c)-3, 1);
>>>>>>> $char4 = substr($_c, strlen($c)-4, 1);
>>>>>>> $char5 = substr($_c, strlen($c)-5, 1);
>>>>>>>
>>>>>>> // Lookup the modifier from the secret key table
>>>>>>> $mt1 = $enc[$char1];
>>>>>>> $mt2 = $enc[$char2];
>>>>>>> $mt3 = $enc[$char3];
>>>>>>> $mt4 = $enc[$char4];
>>>>>>> $mt5 = $enc[$char5];
>>>>>>>
>>>>>>> // Generate a new key, based on the modifiers
>>>>>>> $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) +
>>>>>>> ($c+$mt5))/256);
>>>>>>> $key = "$key";
>>>>>>> return $key;
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <rdsears@....edu> wrote:
>>>>>>>
>>>>>>>> Me thinks I may have it right (mostly)...
>>>>>>>>
>>>>>>>> It seems to be some jquery to append a hidden input element to the
>>>>>>>> "theform" id (presumably a form on the page ;) ) called "seedkey", and has a
>>>>>>>> value of whatever t is evaluated to (which I'm still stuck on as I don't
>>>>>>>> know jquery much at all, so I can't figure out the s[] array, but I know it
>>>>>>>> has something to do with the bracket notation...).
>>>>>>>>
>>>>>>>> =================================================
>>>>>>>> += Orig =+
>>>>>>>> $(function () {
>>>>>>>> var _0xafd3 = ["\x74\x20\x3D\x20\x22", "",
>>>>>>>> "\x6A\x6F\x69\x6E", "\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74",
>>>>>>>> "\x72\x65\x70\x6C\x61\x63\x65", "\x22"];
>>>>>>>>
>>>>>>>> eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi,
>>>>>>>> _0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi,
>>>>>>>> _0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) +
>>>>>>>> _0xafd3[6]);
>>>>>>>> var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E",
>>>>>>>> "\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72",
>>>>>>>> "\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", "\x76\x61\x6C\x75\x65",
>>>>>>>> "\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"];
>>>>>>>> _n = $(_0x5bfa[0]);
>>>>>>>> _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]);
>>>>>>>> _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]);
>>>>>>>> _n[_0x5bfa[3]](_0x5bfa[6], t);
>>>>>>>> $(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>>>>>> });
>>>>>>>>
>>>>>>>> += De-obfuscated =+
>>>>>>>> $(function () {
>>>>>>>> var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split',
>>>>>>>> 'replace', '"'];
>>>>>>>> var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name',
>>>>>>>> 'seedkey', 'value', 'append', '#theform'];
>>>>>>>>
>>>>>>>> eval('t = "' + s['replace'](/ZPAK/gi,
>>>>>>>> '')['replace'](/\",\"/gi, '')['replace'](/\"/gi,
>>>>>>>> '')['split']('')['reverse']()['join']('') + '"');
>>>>>>>>
>>>>>>>> _n = $('<input />');
>>>>>>>> _n['attr']('type', 'hidden');
>>>>>>>> _n['attr']('name', 'seedkey');
>>>>>>>> _n['attr']('value', t);
>>>>>>>> $('#theform')['append'](_n);
>>>>>>>> });
>>>>>>>>
>>>>>>>> =================================================
>>>>>>>>
>>>>>>>> Fun stuffs. I can haz a internetz? :-P
>>>>>>>>
>>>>>>>> Ryan
>>>>>>>>
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>> From: "Cal Leeming" <cal@...whisper.co.uk>
>>>>>>>> To: full-disclosure@...ts.grok.org.uk
>>>>>>>> Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada
>>>>>>>> Eastern
>>>>>>>> Subject: [Full-disclosure] guess what this does..
>>>>>>>>
>>>>>>>> $(function() {
>>>>>>>> var
>>>>>>>>
>>>>>>>> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
>>>>>>>> var
>>>>>>>>
>>>>>>>> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>>>>>> });
>>>>>>>>
>>>>>>>> enjoy ;p
>>>>>>>>
>>>>>>>> ps) yes I obfuscated this, and no it doesn't contain any nasties.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Full-Disclosure - We believe in it.
>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>>
>>> --
>>> I’m a hot-wired, heat seeking, warm-hearted cool customer, voice
>>> activated and bio-degradable. I interface with my database, my database is
>>> in cyberspace, so I’m interactive, I’m hyperactive and from time to time I’m
>>> radioactive.
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists