PaulDotCom mailing list archives
ultrasurf communication structure
From: brianwgray at gmail.com (Brian Gray)
Date: Mon, 1 Feb 2010 13:49:25 -0500
I bring this up not so much for the need of a solution as much as the communication method is functionally a neat use of xss. Has anyone taken a look at how ultrasurf is configured to communicate? (brief summary below)

Its initial communications are http, here is a small list of examples.

GET http://googil.com/gwt/n?u=http://rss.3j3f.info/NTBhMTNhZ/WEaC5DN3rnqE/OTJyIUc HTTP/1.1
GET http://google-analytics.com/gwt/n?u=http://rss.44cn.info/Mjk0YzczNDn6UHmg/Fg1w4Siv/Ss1FbokCL1ks/cGdNAN6prFhl HTTP/1.1
GET http://google.dk/gwt/n?u=http://rss.5bne.info/NjdiMjg3MmO/8ugnbYCE/9nlDF0mFrsB/ejm9emjFm8k/koKpRvGF/59SNKr3DQ HTTP/1.1
GET http://oingo.com/gwt/n?u=http://rss.580k.info/NzI0MmYwOGK8Q/CSGg1jn6X/8LHIIejoO2gb/aIB6Dg HTTP/1.1
GET http://googlemaps.com/gwt/n?u=http://rss.20ju.info/OTliNDZjM/TK7k7m5LnxqA/Z7E9KSX HTTP/1.1
GET http://74.125.77.104/gwt/n?u=http://rss.3ddn.info/NTExNmM4MS/-jZOhodJXWxro/WNpZQQy2K/222WLhJwWMPN/_3gmBdxXZg HTTP/1.1
GET http://googlee.com/gwt/n?u=http://rss.5iny.info/ZTE3Y2ExZDZI/VyeCv57Qhmhu/R_9d9ndt/V5_rU2IcZi3/Drg HTTP/1.1
GET http://webservicehost.com/gwt/n?u=http://rss.265e.info/ZDgxYTJlYWV4/JjwYr5XOBJB/sHCVO_L0ic/bQz3e6Si/QUnV7MrOgLp/vQGU-eBN HTTP/1.1
GET http://ggoogle.com/gwt/n?u=http://rss.51js.info/NzFlNzc5Yzbq9S/rCqy2POd/XKWQX_rqZoGHA HTTP/1.1
GET http://googledesktop.com/gwt/n?u=http://rss.5i5j.info/NjM4OTg/xNWRRTXDyuF/28lbqy7y73c/MiQLyVl/z0YvtLmAsVZcs/d86QqA-5Kxp HTTP/1.1
etc. etc. etc.

Then these feeds provide a pgp'd msg

ex.
http://rss.51js.info/NzFlNzc5Yzbq9S/rCqy2POd/XKWQX_rqZoGHA
Yesterday, January 31, 2010, 8:35:47 PM
-----BEGIN PGP MESSAGE-----
OzEyB0H7/kkQpyLtaoEQb7awYAbd4QsOShRqyvuApAPdapws1YcbNc45jIOKi7ciZz/cu65tvOI6F8OC8RUD0dl9A55NhJ0HEvKuP9LSrS2W3cXT7IkJPx/dp5TJ33mHARllsfD27yij9Az/2nnoBG5A6w4NtnhkXsy5ULVpAbKL8IDmp7xwYL+NJ0z9vNqaVwqWvuwGvH6HW8BT6ck=
-----END PGP MESSAGE-----

1, 2, skip a few... steps

Once it acquires its list it makes an ssl connection either directly or through a proxy server.

ex.
CONNECT 65.49.2.115:443
CONNECT 65.49.2.126:443
CONNECT 220.138.145.215:443
CONNECT 59.112.225.16:443
CONNECT 118.171.209.81:443
CONNECT 122.126.33.66:443
CONNECT 219.85.44.57:443
CONNECT 219.85.91.24:443
CONNECT 65.49.2.115:443

And people don't think xss has any implications.

--
-Brian W. Gray
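The two-stage pattern in the message above (a GET to /gwt/n whose u= parameter points at an rss.<label>.info feed, followed by CONNECTs to bare IP addresses on 443) can be matched in proxy logs. The following is an added example, not part of the original post: the function names, the "METHOD target [version]" log format, the assumption that the lines come from one client in order, and the four-character label rule (generalized from the hosts listed in the post) are all assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Feed host shape taken from the post's examples: rss.<4 chars>.info (assumed rule)
FEED_RE = re.compile(r"^rss\.[a-z0-9]{4}\.info$")

def classify(request_line):
    """Return 'bootstrap', 'ip-connect' or None for one proxy request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "GET":
        url = urlsplit(target)
        if url.path != "/gwt/n":
            return None
        # The outer host varies freely; the stable part is the embedded feed URL.
        for inner in parse_qs(url.query).get("u", []):
            if FEED_RE.match(urlsplit(inner).hostname or ""):
                return "bootstrap"
        return None
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        try:
            ipaddress.IPv4Address(host)  # hostnames raise ValueError
        except ValueError:
            return None
        return "ip-connect" if port == "443" else None
    return None

def scan(lines):
    """Report bootstrap fetches, and IP CONNECTs only once a bootstrap was seen."""
    seen_bootstrap, hits = False, []
    for line in lines:
        kind = classify(line)
        if kind == "bootstrap":
            seen_bootstrap = True
            hits.append((kind, line))
        elif kind == "ip-connect" and seen_bootstrap:
            hits.append((kind, line))
    return hits

SAMPLE = [
    "GET http://example.com/index.html HTTP/1.1",  # constructed, benign
    "CONNECT 192.0.2.10:443",                      # constructed, precedes any bootstrap
    "GET http://ggoogle.com/gwt/n?u=http://rss.51js.info/NzFlNzc5Yzbq9S/rCqy2POd/XKWQX_rqZoGHA HTTP/1.1",  # from the post
    "CONNECT 65.49.2.115:443",                     # from the post
    "CONNECT mail.example.com:443",                # constructed, hostname rather than IP
]
```

Requiring the bootstrap fetch before reporting a CONNECT keeps ordinary HTTPS to IP literals from alerting on its own.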