Re: [Full-disclosure] guess what this does..



That's been happening for years tho lol.

In this case, the botters were trying to use the join pages as a cc checker
lol.

On Wed, Apr 13, 2011 at 3:50 PM, Christian Sciberras <uuf6429@xxxxxxxxx>wrote:

Is it me or are spammers recruiting more script kiddies as of late?
Not much of a big deal considering their numbers are on the rise...*ahem*
anonymous *ahem*.

Chris.




On Wed, Apr 13, 2011 at 4:47 PM, Cal Leeming <cal@xxxxxxxxxxxxxxxx> wrote:

Well, the problem was the person(s) running the bots kept bypassing the
simple protections such as these. Although it isn't 100% fool proof, it does
make things *extremely* difficult for the person(s) with the bots, so much
so, that they usually give up, unless they have specifically targeted you
for some reason.

So, instead we created hundreds of these little JS chunks, all with
different lookup tables applied, and cycled them on an hourly basis. It
meant if they wanted to continuously bot the service, they would have to de
obfuscate the protection code, or find a mathmatical/bruteforce attack that
would generate the seedkey for them. It would either involve manual
intervention or code modification on the bot to make it work.. I'd
have preferred to have added captcha, but there was a reasonable explanation
as to why the client didn't want it.

Either way, once we put this in, they gave up pretty quickly lol.


On Wed, Apr 13, 2011 at 3:29 PM, Christian Sciberras <uuf6429@xxxxxxxxx>wrote:

Cal /Ryan,

I'm not sure what you're trying to achieve.
If we're talking about absolutely stupid bots, the following easily
defeats them:
<form>
<stuff/>
<script type=text/javascript>document.write('<input type="hidden"
name="access" value="code"/>');</script>
<form>

I suppose you could obfuscate it all if you wanted to cater for script
kiddies.
But considering this is very weak protection (as opposed to proper
captcha), I'm not sure if it's even worthwhile.
One of the ways I can see this work is against automated, "JS-ignorant",
MITM systems.

As indeed is true, you should never trust the end user.
But in a MITM scenario, the user we're not trusting is the one conducting
the attack, not the other.

Chris.



On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <cal@xxxxxxxxxxxxxxxx>wrote:

Lol, I've just realised something.. I didn't include the seed key
variable itself, so this code would have been pretty much useless on it own
*DOH*.

So, here's something else a bit tasty.. this is the server side code
used to check and create the seedkey itself (secret lookup table has been
changed obv.).

This code allows seedkeys to be generated from epoch time. Now,
cryptographically I don't know how "sane" this is, but I'm fairly sure that
if the lookup table contained large integers it would become almost
impossible to do a pattern based brute force. I actually had quite a lot of
fun trying to break my own code. :D

PS) you have been awarded 1 internets.


function get_valid_keys() {
// Create key store
$_s = array();

// Create valid key ranges (+900 seconds)
for($x=300;$x>=900;$x+=300):
$_s[] = $this->create_key($offset=$x);
endfor;

// Create valid key ranges (-900 seconds)
for($x=300;$x>=-900;$x-=300):
$_s[] = $this->create_key($offset=$x);
endfor;

$_s[] = $this->create_key();

return $_s;
}

function create_packed_key() {
// Create a new valid key
$key = $this->create_key();

// Now generate the packed key
$k = array();
// Now convert it into an array
for($x=0;$x<strlen($key);$x++):
$_v = unpack("H*", $key[$x]);
$k[]='\x'.$_v[1];
endfor;

// Okay, here is your brand new shiney key, sir :)
$m = '"'.implode('","', $k).'"';
$m = strrev($m);
$_m = array();
for($x=0;$x<strlen($m);$x++):
$_m[]=$m[$x];
endfor;
return json_encode(implode("ZPAK", $_m));
}

function create_key($offset=0) {
// Secret key table, used to mix up the seed
$enc = array(
0 => "67892",
1 => "3953",
2 => "49474",
3 => "494755",
4 => "30585",
5 => "30582",
6 => "20485",
7 => "20486",
8 => "97294",
9 => "10284"
);

// Generate new seed
$time = time();
if ($offset):
$time=$time+$offset;
endif;
$c=(int)($time/$this->_security_key_refresh);
$_c = "$c";

// Extract the last 5 digits of the number
$char1 = substr($_c, strlen($c)-1, 1);
$char2 = substr($_c, strlen($c)-2, 1);
$char3 = substr($_c, strlen($c)-3, 1);
$char4 = substr($_c, strlen($c)-4, 1);
$char5 = substr($_c, strlen($c)-5, 1);

// Lookup the modifier from the secret key table
$mt1 = $enc[$char1];
$mt2 = $enc[$char2];
$mt3 = $enc[$char3];
$mt4 = $enc[$char4];
$mt5 = $enc[$char5];

// Generate a new key, based on the modifiers
$key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) +
($c+$mt5))/256);
$key = "$key";
return $key;
}





On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <rdsears@xxxxxxx> wrote:

Me thinks I may have it right (mostly)...

It seems to be some jquery to append a hidden input element to the
"theform" id (presumably a form on the page ;) ) called "seedkey", and has a
value of whatever t is evaluated to (which I'm still stuck on as I don't
know jquery much at all, so I can't figure out the s[] array, but I know it
has something to do with the bracket notation...).

=================================================
+= Orig =+
$(function () {
var _0xafd3 = ["\x74\x20\x3D\x20\x22", "", "\x6A\x6F\x69\x6E",
"\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74",
"\x72\x65\x70\x6C\x61\x63\x65", "\x22"];

eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi,
_0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi,
_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) +
_0xafd3[6]);
var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E",
"\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72",
"\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", "\x76\x61\x6C\x75\x65",
"\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"];
_n = $(_0x5bfa[0]);
_n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]);
_n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]);
_n[_0x5bfa[3]](_0x5bfa[6], t);
$(_0x5bfa[8])[_0x5bfa[7]](_n);
});

+= De-obfuscated =+
$(function () {
var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split',
'replace', '"'];
var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name',
'seedkey', 'value', 'append', '#theform'];

eval('t = "' + s['replace'](/ZPAK/gi, '')['replace'](/\",\"/gi,
'')['replace'](/\"/gi, '')['split']('')['reverse']()['join']('') + '"');

_n = $('<input />');
_n['attr']('type', 'hidden');
_n['attr']('name', 'seedkey');
_n['attr']('value', t);
$('#theform')['append'](_n);
});

=================================================

Fun stuffs. I can haz a internetz? :-P

Ryan


----- Original Message -----
From: "Cal Leeming" <cal@xxxxxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxxx
Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada Eastern
Subject: [Full-disclosure] guess what this does..

$(function() {
var

_0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
var

_0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
});

enjoy ;p

ps) yes I obfuscated this, and no it doesn't contain any nasties.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages