[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] guess what this does..

To: Christian Sciberras <uuf6429@xxxxxxxxx>
Subject: Re: [Full-disclosure] guess what this does..
From: Cal Leeming <cal@xxxxxxxxxxxxxxxx>
Date: Wed, 13 Apr 2011 15:47:19 +0100

Well, the problem was the person(s) running the bots kept bypassing the
simple protections such as these. Although it isn't 100% fool proof, it does
make things *extremely* difficult for the person(s) with the bots, so much
so, that they usually give up, unless they have specifically targeted you
for some reason.

So, instead we created hundreds of these little JS chunks, all with
different lookup tables applied, and cycled them on an hourly basis. It
meant if they wanted to continuously bot the service, they would have to de
obfuscate the protection code, or find a mathmatical/bruteforce attack that
would generate the seedkey for them. It would either involve manual
intervention or code modification on the bot to make it work.. I'd
have preferred to have added captcha, but there was a reasonable explanation
as to why the client didn't want it.

Either way, once we put this in, they gave up pretty quickly lol.


On Wed, Apr 13, 2011 at 3:29 PM, Christian Sciberras <uuf6429@xxxxxxxxx>wrote:

> Cal /Ryan,
>
> I'm not sure what you're trying to achieve.
> If we're talking about absolutely stupid bots, the following easily defeats
> them:
>     <form>
>         <stuff/>
>         <script type=text/javascript>document.write('<input type="hidden"
> name="access" value="code"/>');</script>
>     <form>
>
> I suppose you could obfuscate it all if you wanted to cater for script
> kiddies.
> But considering this is very weak protection (as opposed to proper
> captcha), I'm not sure if it's even worthwhile.
> One of the ways I can see this work is against automated, "JS-ignorant",
> MITM systems.
>
> As indeed is true, you should never trust the end user.
> But in a MITM scenario, the user we're not trusting is the one conducting
> the attack, not the other.
>
> Chris.
>
>
>
> On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <cal@xxxxxxxxxxxxxxxx> wrote:
>
>> Lol, I've just realised something.. I didn't include the seed key variable
>> itself, so this code would have been pretty much useless on it own *DOH*.
>>
>> So, here's something else a bit tasty.. this is the server side code used
>> to check and create the seedkey itself (secret lookup table has been changed
>> obv.).
>>
>> This code allows seedkeys to be generated from epoch time. Now,
>> cryptographically I don't know how "sane" this is, but I'm fairly sure that
>> if the lookup table contained large integers it would become almost
>> impossible to do a pattern based brute force. I actually had quite a lot of
>> fun trying to break my own code. :D
>>
>> PS) you have been awarded 1 internets.
>>
>>
>>     function get_valid_keys() {
>>         // Create key store
>>         $_s = array();
>>
>>         // Create valid key ranges (+900 seconds)
>>         for($x=300;$x>=900;$x+=300):
>>             $_s[] = $this->create_key($offset=$x);
>>         endfor;
>>
>>         // Create valid key ranges (-900 seconds)
>>         for($x=300;$x>=-900;$x-=300):
>>             $_s[] = $this->create_key($offset=$x);
>>         endfor;
>>
>>         $_s[] = $this->create_key();
>>
>>         return $_s;
>>     }
>>
>>     function create_packed_key() {
>>         // Create a new valid key
>>         $key = $this->create_key();
>>
>>         // Now generate the packed key
>>         $k = array();
>>         // Now convert it into an array
>>         for($x=0;$x<strlen($key);$x++):
>>             $_v = unpack("H*", $key[$x]);
>>             $k[]='\x'.$_v[1];
>>         endfor;
>>
>>         // Okay, here is your brand new shiney key, sir :)
>>         $m = '"'.implode('","', $k).'"';
>>         $m = strrev($m);
>>         $_m = array();
>>         for($x=0;$x<strlen($m);$x++):
>>             $_m[]=$m[$x];
>>         endfor;
>>         return json_encode(implode("ZPAK", $_m));
>>     }
>>
>>     function create_key($offset=0) {
>>         // Secret key table, used to mix up the seed
>>         $enc = array(
>>                 0       =>       "67892",
>>                 1       =>       "3953",
>>                 2       =>       "49474",
>>                 3       =>       "494755",
>>                 4       =>       "30585",
>>                 5       =>       "30582",
>>                 6       =>       "20485",
>>                 7       =>       "20486",
>>                 8       =>       "97294",
>>                 9       =>       "10284"
>>         );
>>
>>         // Generate new seed
>>         $time = time();
>>         if ($offset):
>>             $time=$time+$offset;
>>         endif;
>>         $c=(int)($time/$this->_security_key_refresh);
>>         $_c = "$c";
>>
>>         // Extract the last 5 digits of the number
>>         $char1 = substr($_c, strlen($c)-1, 1);
>>         $char2 = substr($_c, strlen($c)-2, 1);
>>         $char3 = substr($_c, strlen($c)-3, 1);
>>         $char4 = substr($_c, strlen($c)-4, 1);
>>         $char5 = substr($_c, strlen($c)-5, 1);
>>
>>         // Lookup the modifier from the secret key table
>>         $mt1 = $enc[$char1];
>>         $mt2 = $enc[$char2];
>>         $mt3 = $enc[$char3];
>>         $mt4 = $enc[$char4];
>>         $mt5 = $enc[$char5];
>>
>>         // Generate a new key, based on the modifiers
>>         $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) +
>> ($c+$mt5))/256);
>>         $key = "$key";
>>         return $key;
>>     }
>>
>>
>>
>>
>>
>> On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <rdsears@xxxxxxx> wrote:
>>
>>> Me thinks I may have it right (mostly)...
>>>
>>> It seems to be some jquery to append a hidden input element to the
>>> "theform" id (presumably a form on the page ;) ) called "seedkey", and has a
>>> value of whatever t is evaluated to (which I'm still stuck on as I don't
>>> know jquery much at all, so I can't figure out the s[] array, but I know it
>>> has something to do with the bracket notation...).
>>>
>>> =================================================
>>> += Orig =+
>>> $(function () {
>>>        var _0xafd3 = ["\x74\x20\x3D\x20\x22", "", "\x6A\x6F\x69\x6E",
>>> "\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74",
>>> "\x72\x65\x70\x6C\x61\x63\x65", "\x22"];
>>>
>>>        eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi,
>>> _0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi,
>>> _0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) +
>>> _0xafd3[6]);
>>>        var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E",
>>> "\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72",
>>> "\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", "\x76\x61\x6C\x75\x65",
>>> "\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"];
>>>        _n = $(_0x5bfa[0]);
>>>        _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]);
>>>        _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]);
>>>        _n[_0x5bfa[3]](_0x5bfa[6], t);
>>>        $(_0x5bfa[8])[_0x5bfa[7]](_n);
>>> });
>>>
>>> += De-obfuscated =+
>>> $(function () {
>>>        var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split', 'replace',
>>> '"'];
>>>        var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name',
>>> 'seedkey', 'value', 'append', '#theform'];
>>>
>>>        eval('t = "' + s['replace'](/ZPAK/gi, '')['replace'](/\",\"/gi,
>>> '')['replace'](/\"/gi, '')['split']('')['reverse']()['join']('') + '"');
>>>
>>>        _n = $('<input />');
>>>        _n['attr']('type', 'hidden');
>>>        _n['attr']('name', 'seedkey');
>>>        _n['attr']('value', t);
>>>        $('#theform')['append'](_n);
>>> });
>>>
>>> =================================================
>>>
>>> Fun stuffs. I can haz a internetz? :-P
>>>
>>> Ryan
>>>
>>>
>>> ----- Original Message -----
>>> From: "Cal Leeming" <cal@xxxxxxxxxxxxxxxx>
>>> To: full-disclosure@xxxxxxxxxxxxxxxxx
>>> Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada Eastern
>>> Subject: [Full-disclosure] guess what this does..
>>>
>>>    $(function() {
>>>    var
>>>
>>> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
>>>    var
>>>
>>> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>    });
>>>
>>> enjoy ;p
>>>
>>> ps) yes I obfuscated this, and no it doesn't contain any nasties.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] guess what this does..
  - From: Christian Sciberras

References:
- Re: [Full-disclosure] guess what this does..
  - From: Cal Leeming
- Re: [Full-disclosure] guess what this does..
  - From: Christian Sciberras

Prev by Date: Re: [Full-disclosure] guess what this does..
Next by Date: Re: [Full-disclosure] guess what this does..
Previous by thread: Re: [Full-disclosure] guess what this does..
Next by thread: Re: [Full-disclosure] guess what this does..
Index(es):
- Date
- Thread