Re: alternative way of addressing

From: Jonas M Luster (jluster@d-fensive.com)
Date: 01/26/02


Date: Sat, 26 Jan 2002 08:56:15 -0800
From: Jonas M Luster <jluster@d-fensive.com>
To: security-basics@securityfocus.com

Quoting John Doe (gakusei2002@hotmail.com):

> I remember a while back on this list, there was a discussion of alternative
> ways of addressing URLs (using hex code and binary, I think). Can anyone
> give me a refresher course?

URLs can be (at least with IE/Win, Mac is a bit picky about this and
under Unix such behavior is controlled by the stack and may differ)
either hex, oct or decimal, dotted quad or single-rep.

| #!/usr/bin/env perl
|
| $IP = $ARGV[0]; ## Usage: perl obfuscate.pl 10.1.1.1
| ($one, $two, $three, $four) = split(/\./, $IP); ## Split quads
| $right = (($two * 256 + $three)*256)+$four; ## calculate "right" side
| print $one.".".$right; ## print FIRST.CALCULATED

perl obfuscate.pl 192.168.1.5 yields: 192.11010309

or, you could translate all four quads into their octal, decimal or
binary representations.

Or, you could not have any dots in it at all:

| $right = (((($one * 256 + $two) * 256) + $three) * 256) + $four; ## all four quads as one number
| print $right;

== 3232235781 for $ARGV[1] == 192.168.1.5

This works with Opera, some versions of IE (IE6/WinXP doesn't work),
some versions of Netscape, OmniWeb, iCab, etc.

This trick is used by SPAMmers to obfuscate their URLs and by
malicious attackers to trick unsuspecting victims into opening a
seemingly benign website:

http://www.cnn.com?article-id=0xdeadbeef&data=extract@3232235781

will in fact not open cnn's website but 192.168.1.5 (note the @ sign,
which is used to declare everything prior to it as a "username" and
passed as such).

jonas

-- 
Jonas M Luster -- d-fensive networks, Inc. -- http://www.d-fensive.com
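
The following Python check is an added example, not part of the original post: it resolves the numeric host forms described above (single number, FIRST.CALCULATED, hex, octal) back to a dotted quad and flags URLs whose "@" hides the real host. The function names `parse_numeric_host` and `inspect_url` are hypothetical, and the "legacy" parse is an assumption modelling the browser behaviour the post describes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_PART = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def parse_numeric_host(host):
    """Resolve an inet_aton-style numeric host to a dotted quad, else None.

    Accepts 1-4 dot-separated parts, each decimal, 0x-hex or 0-prefixed
    octal; the last part fills all remaining bytes (e.g. 192.11010309).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    nums = []
    for p in parts:
        if p[:2].lower() == "0x":
            nums.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            if not re.fullmatch(r"[0-7]+", p):
                return None  # e.g. "08" is not valid octal
            nums.append(int(p, 8))
        else:
            nums.append(int(p))
    *lead, last = nums
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(lead))
    return str(ipaddress.IPv4Address(value))

def inspect_url(url):
    """Report which host a URL names under strict and legacy parsing."""
    strict_host = urlsplit(url).hostname or ""  # RFC 3986: authority ends at / ? #
    # Legacy reading from the post (assumption): the authority runs to the
    # first "/", and everything before the last "@" in it is a "username".
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    after_at = authority.rsplit("@", 1)[-1]
    legacy_host = re.split(r"[:?#]", after_at, maxsplit=1)[0].lower()
    resolved = parse_numeric_host(legacy_host)
    return {
        "strict_host": strict_host,
        "legacy_host": legacy_host,
        "resolved_ip": resolved,
        "userinfo": "@" in authority,
        "parser_differential": legacy_host != strict_host,
        "obfuscated_ip": resolved is not None and resolved != legacy_host,
    }
```

A mail or proxy filter can treat `userinfo`, `parser_differential` or `obfuscated_ip` being true as grounds to rewrite the link to its resolved form or hold the message for review.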