[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] guess what this does..



hitting on me will get you nowhere caldouche
2011/4/18 Cal Leeming <cal@xxxxxxxxxxxxxxxx>

> Considering that this code is already open source on Github? Not much,
> faggot. lol.
>
>
> On Mon, Apr 18, 2011 at 2:28 PM, huj huj huj <datskihuj@xxxxxxxxx> wrote:
>
>> caldouche
>> what does your company think about you copy pasting production code on fd?
>>
>> 2011/4/13 Cal Leeming <cal@xxxxxxxxxxxxxxxx>
>>
>>> Absolutely nothing. It really is only meant to stop "stupid bots", which
>>> for us, was good enough at the time ;p
>>>
>>>
>>> On Wed, Apr 13, 2011 at 7:07 PM, Chris M <chris@xxxxxxxxxxxxx> wrote:
>>>
>>>> How does all of this stop someone feeding the obfuscated code into
>>>> jsunpack and reloading it into a bot application with an inbuilt browser
>>>> object and just following links etc?
>>>>
>>>>
>>>> On Wed, Apr 13, 2011 at 3:50 PM, Christian Sciberras <uuf6429@xxxxxxxxx
>>>> > wrote:
>>>>
>>>>> Is it me or are spammers recruiting more script kiddies as of late?
>>>>> Not much of a big deal considering their numbers are on the
>>>>> rise...*ahem* anonymous *ahem*.
>>>>>
>>>>> Chris.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Apr 13, 2011 at 4:47 PM, Cal Leeming <cal@xxxxxxxxxxxxxxxx>wrote:
>>>>>
>>>>>> Well, the problem was the person(s) running the bots kept bypassing
>>>>>> the simple protections such as these. Although it isn't 100% fool proof, 
>>>>>> it
>>>>>> does make things *extremely* difficult for the person(s) with the bots, 
>>>>>> so
>>>>>> much so, that they usually give up, unless they have specifically 
>>>>>> targeted
>>>>>> you for some reason.
>>>>>>
>>>>>> So, instead we created hundreds of these little JS chunks, all with
>>>>>> different lookup tables applied, and cycled them on an hourly basis. It
>>>>>> meant if they wanted to continuously bot the service, they would have to 
>>>>>> de
>>>>>> obfuscate the protection code, or find a mathmatical/bruteforce attack 
>>>>>> that
>>>>>> would generate the seedkey for them. It would either involve manual
>>>>>> intervention or code modification on the bot to make it work.. I'd
>>>>>> have preferred to have added captcha, but there was a reasonable 
>>>>>> explanation
>>>>>> as to why the client didn't want it.
>>>>>>
>>>>>> Either way, once we put this in, they gave up pretty quickly lol.
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 13, 2011 at 3:29 PM, Christian Sciberras <
>>>>>> uuf6429@xxxxxxxxx> wrote:
>>>>>>
>>>>>>> Cal /Ryan,
>>>>>>>
>>>>>>> I'm not sure what you're trying to achieve.
>>>>>>> If we're talking about absolutely stupid bots, the following easily
>>>>>>> defeats them:
>>>>>>>     <form>
>>>>>>>         <stuff/>
>>>>>>>         <script type=text/javascript>document.write('<input
>>>>>>> type="hidden" name="access" value="code"/>');</script>
>>>>>>>     <form>
>>>>>>>
>>>>>>> I suppose you could obfuscate it all if you wanted to cater for
>>>>>>> script kiddies.
>>>>>>> But considering this is very weak protection (as opposed to proper
>>>>>>> captcha), I'm not sure if it's even worthwhile.
>>>>>>> One of the ways I can see this work is against automated,
>>>>>>> "JS-ignorant", MITM systems.
>>>>>>>
>>>>>>> As indeed is true, you should never trust the end user.
>>>>>>> But in a MITM scenario, the user we're not trusting is the one
>>>>>>> conducting the attack, not the other.
>>>>>>>
>>>>>>> Chris.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming 
>>>>>>> <cal@xxxxxxxxxxxxxxxx>wrote:
>>>>>>>
>>>>>>>> Lol, I've just realised something.. I didn't include the seed key
>>>>>>>> variable itself, so this code would have been pretty much useless on 
>>>>>>>> it own
>>>>>>>> *DOH*.
>>>>>>>>
>>>>>>>> So, here's something else a bit tasty.. this is the server side code
>>>>>>>> used to check and create the seedkey itself (secret lookup table has 
>>>>>>>> been
>>>>>>>> changed obv.).
>>>>>>>>
>>>>>>>> This code allows seedkeys to be generated from epoch time. Now,
>>>>>>>> cryptographically I don't know how "sane" this is, but I'm fairly sure 
>>>>>>>> that
>>>>>>>> if the lookup table contained large integers it would become almost
>>>>>>>> impossible to do a pattern based brute force. I actually had quite a 
>>>>>>>> lot of
>>>>>>>> fun trying to break my own code. :D
>>>>>>>>
>>>>>>>> PS) you have been awarded 1 internets.
>>>>>>>>
>>>>>>>>
>>>>>>>>     function get_valid_keys() {
>>>>>>>>         // Create key store
>>>>>>>>         $_s = array();
>>>>>>>>
>>>>>>>>         // Create valid key ranges (+900 seconds)
>>>>>>>>         for($x=300;$x>=900;$x+=300):
>>>>>>>>             $_s[] = $this->create_key($offset=$x);
>>>>>>>>         endfor;
>>>>>>>>
>>>>>>>>         // Create valid key ranges (-900 seconds)
>>>>>>>>         for($x=300;$x>=-900;$x-=300):
>>>>>>>>             $_s[] = $this->create_key($offset=$x);
>>>>>>>>         endfor;
>>>>>>>>
>>>>>>>>         $_s[] = $this->create_key();
>>>>>>>>
>>>>>>>>         return $_s;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     function create_packed_key() {
>>>>>>>>         // Create a new valid key
>>>>>>>>         $key = $this->create_key();
>>>>>>>>
>>>>>>>>         // Now generate the packed key
>>>>>>>>         $k = array();
>>>>>>>>         // Now convert it into an array
>>>>>>>>         for($x=0;$x<strlen($key);$x++):
>>>>>>>>             $_v = unpack("H*", $key[$x]);
>>>>>>>>             $k[]='\x'.$_v[1];
>>>>>>>>         endfor;
>>>>>>>>
>>>>>>>>         // Okay, here is your brand new shiney key, sir :)
>>>>>>>>         $m = '"'.implode('","', $k).'"';
>>>>>>>>         $m = strrev($m);
>>>>>>>>         $_m = array();
>>>>>>>>         for($x=0;$x<strlen($m);$x++):
>>>>>>>>             $_m[]=$m[$x];
>>>>>>>>         endfor;
>>>>>>>>         return json_encode(implode("ZPAK", $_m));
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     function create_key($offset=0) {
>>>>>>>>         // Secret key table, used to mix up the seed
>>>>>>>>         $enc = array(
>>>>>>>>                 0       =>       "67892",
>>>>>>>>                 1       =>       "3953",
>>>>>>>>                 2       =>       "49474",
>>>>>>>>                 3       =>       "494755",
>>>>>>>>                 4       =>       "30585",
>>>>>>>>                 5       =>       "30582",
>>>>>>>>                 6       =>       "20485",
>>>>>>>>                 7       =>       "20486",
>>>>>>>>                 8       =>       "97294",
>>>>>>>>                 9       =>       "10284"
>>>>>>>>         );
>>>>>>>>
>>>>>>>>         // Generate new seed
>>>>>>>>         $time = time();
>>>>>>>>         if ($offset):
>>>>>>>>             $time=$time+$offset;
>>>>>>>>         endif;
>>>>>>>>         $c=(int)($time/$this->_security_key_refresh);
>>>>>>>>         $_c = "$c";
>>>>>>>>
>>>>>>>>         // Extract the last 5 digits of the number
>>>>>>>>         $char1 = substr($_c, strlen($c)-1, 1);
>>>>>>>>         $char2 = substr($_c, strlen($c)-2, 1);
>>>>>>>>         $char3 = substr($_c, strlen($c)-3, 1);
>>>>>>>>         $char4 = substr($_c, strlen($c)-4, 1);
>>>>>>>>         $char5 = substr($_c, strlen($c)-5, 1);
>>>>>>>>
>>>>>>>>         // Lookup the modifier from the secret key table
>>>>>>>>         $mt1 = $enc[$char1];
>>>>>>>>         $mt2 = $enc[$char2];
>>>>>>>>         $mt3 = $enc[$char3];
>>>>>>>>         $mt4 = $enc[$char4];
>>>>>>>>         $mt5 = $enc[$char5];
>>>>>>>>
>>>>>>>>         // Generate a new key, based on the modifiers
>>>>>>>>         $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4)
>>>>>>>> + ($c+$mt5))/256);
>>>>>>>>         $key = "$key";
>>>>>>>>         return $key;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <rdsears@xxxxxxx>wrote:
>>>>>>>>
>>>>>>>>> Me thinks I may have it right (mostly)...
>>>>>>>>>
>>>>>>>>> It seems to be some jquery to append a hidden input element to the
>>>>>>>>> "theform" id (presumably a form on the page ;) ) called "seedkey", 
>>>>>>>>> and has a
>>>>>>>>> value of whatever t is evaluated to (which I'm still stuck on as I 
>>>>>>>>> don't
>>>>>>>>> know jquery much at all, so I can't figure out the s[] array, but I 
>>>>>>>>> know it
>>>>>>>>> has something to do with the bracket notation...).
>>>>>>>>>
>>>>>>>>> =================================================
>>>>>>>>> += Orig =+
>>>>>>>>> $(function () {
>>>>>>>>>        var _0xafd3 = ["\x74\x20\x3D\x20\x22", "",
>>>>>>>>> "\x6A\x6F\x69\x6E", "\x72\x65\x76\x65\x72\x73\x65", 
>>>>>>>>> "\x73\x70\x6C\x69\x74",
>>>>>>>>> "\x72\x65\x70\x6C\x61\x63\x65", "\x22"];
>>>>>>>>>
>>>>>>>>>        eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi,
>>>>>>>>> _0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi,
>>>>>>>>> _0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])
>>>>>>>>>  +
>>>>>>>>> _0xafd3[6]);
>>>>>>>>>        var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E",
>>>>>>>>> "\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72",
>>>>>>>>> "\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", 
>>>>>>>>> "\x76\x61\x6C\x75\x65",
>>>>>>>>> "\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"];
>>>>>>>>>        _n = $(_0x5bfa[0]);
>>>>>>>>>        _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]);
>>>>>>>>>        _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]);
>>>>>>>>>        _n[_0x5bfa[3]](_0x5bfa[6], t);
>>>>>>>>>        $(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>>>>>>> });
>>>>>>>>>
>>>>>>>>> += De-obfuscated =+
>>>>>>>>> $(function () {
>>>>>>>>>        var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split',
>>>>>>>>> 'replace', '"'];
>>>>>>>>>        var _0x5bfa = ['<input />', 'type', 'hidden', 'attr',
>>>>>>>>> 'name', 'seedkey', 'value', 'append', '#theform'];
>>>>>>>>>
>>>>>>>>>        eval('t = "' + s['replace'](/ZPAK/gi,
>>>>>>>>> '')['replace'](/\",\"/gi, '')['replace'](/\"/gi,
>>>>>>>>> '')['split']('')['reverse']()['join']('') + '"');
>>>>>>>>>
>>>>>>>>>        _n = $('<input />');
>>>>>>>>>        _n['attr']('type', 'hidden');
>>>>>>>>>        _n['attr']('name', 'seedkey');
>>>>>>>>>        _n['attr']('value', t);
>>>>>>>>>        $('#theform')['append'](_n);
>>>>>>>>> });
>>>>>>>>>
>>>>>>>>> =================================================
>>>>>>>>>
>>>>>>>>> Fun stuffs. I can haz a internetz? :-P
>>>>>>>>>
>>>>>>>>> Ryan
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Cal Leeming" <cal@xxxxxxxxxxxxxxxx>
>>>>>>>>> To: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>>>>>> Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada
>>>>>>>>> Eastern
>>>>>>>>> Subject: [Full-disclosure] guess what this does..
>>>>>>>>>
>>>>>>>>>    $(function() {
>>>>>>>>>    var
>>>>>>>>>
>>>>>>>>> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
>>>>>>>>>    var
>>>>>>>>>
>>>>>>>>> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>>>>>>>    });
>>>>>>>>>
>>>>>>>>> enjoy ;p
>>>>>>>>>
>>>>>>>>> ps) yes I obfuscated this, and no it doesn't contain any nasties.
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Full-Disclosure - We believe in it.
>>>>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>  I’m a hot-wired, heat seeking, warm-hearted cool customer, voice
>>>> activated and bio-degradable. I interface with my database, my database is
>>>> in cyberspace, so I’m interactive, I’m hyperactive and from time to time 
>>>> I’m
>>>> radioactive.
>>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/