Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: guess what this does..

From: Christian Sciberras <uuf6429 () gmail com>
Date: Wed, 13 Apr 2011 16:29:28 +0200
Cal /Ryan,

I'm not sure what you're trying to achieve.
If we're talking about absolutely stupid bots, the following easily defeats
them:
    <form>
        <stuff/>
        <script type=text/javascript>document.write('<input type="hidden"
name="access" value="code"/>');</script>
    <form>

I suppose you could obfuscate it all if you wanted to cater for script
kiddies.
But considering this is very weak protection (as opposed to proper captcha),
I'm not sure if it's even worthwhile.
One of the ways I can see this work is against automated, "JS-ignorant",
MITM systems.

As indeed is true, you should never trust the end user.
But in a MITM scenario, the user we're not trusting is the one conducting
the attack, not the other.

Chris.



On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <cal () foxwhisper co uk> wrote:


Lol, I've just realised something.. I didn't include the seed key variable
itself, so this code would have been pretty much useless on it own *DOH*.

So, here's something else a bit tasty.. this is the server side code used
to check and create the seedkey itself (secret lookup table has been changed
obv.).

This code allows seedkeys to be generated from epoch time. Now,
cryptographically I don't know how "sane" this is, but I'm fairly sure that
if the lookup table contained large integers it would become almost
impossible to do a pattern based brute force. I actually had quite a lot of
fun trying to break my own code. :D

PS) you have been awarded 1 internets.


    function get_valid_keys() {
        // Create key store
        $_s = array();

        // Create valid key ranges (+900 seconds)
        for($x=300;$x>=900;$x+=300):
            $_s[] = $this->create_key($offset=$x);
        endfor;

        // Create valid key ranges (-900 seconds)
        for($x=300;$x>=-900;$x-=300):
            $_s[] = $this->create_key($offset=$x);
        endfor;

        $_s[] = $this->create_key();

        return $_s;
    }

    function create_packed_key() {
        // Create a new valid key
        $key = $this->create_key();

        // Now generate the packed key
        $k = array();
        // Now convert it into an array
        for($x=0;$x<strlen($key);$x++):
            $_v = unpack("H*", $key[$x]);
            $k[]='\x'.$_v[1];
        endfor;

        // Okay, here is your brand new shiney key, sir :)
        $m = '"'.implode('","', $k).'"';
        $m = strrev($m);
        $_m = array();
        for($x=0;$x<strlen($m);$x++):
            $_m[]=$m[$x];
        endfor;
        return json_encode(implode("ZPAK", $_m));
    }

    function create_key($offset=0) {
        // Secret key table, used to mix up the seed
        $enc = array(
                0       =>       "67892",
                1       =>       "3953",
                2       =>       "49474",
                3       =>       "494755",
                4       =>       "30585",
                5       =>       "30582",
                6       =>       "20485",
                7       =>       "20486",
                8       =>       "97294",
                9       =>       "10284"
        );

        // Generate new seed
        $time = time();
        if ($offset):
            $time=$time+$offset;
        endif;
        $c=(int)($time/$this->_security_key_refresh);
        $_c = "$c";

        // Extract the last 5 digits of the number
        $char1 = substr($_c, strlen($c)-1, 1);
        $char2 = substr($_c, strlen($c)-2, 1);
        $char3 = substr($_c, strlen($c)-3, 1);
        $char4 = substr($_c, strlen($c)-4, 1);
        $char5 = substr($_c, strlen($c)-5, 1);

        // Lookup the modifier from the secret key table
        $mt1 = $enc[$char1];
        $mt2 = $enc[$char2];
        $mt3 = $enc[$char3];
        $mt4 = $enc[$char4];
        $mt5 = $enc[$char5];

        // Generate a new key, based on the modifiers
        $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) +
($c+$mt5))/256);
        $key = "$key";
        return $key;
    }





On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <rdsears () mtu edu> wrote:


Me thinks I may have it right (mostly)...

It seems to be some jquery to append a hidden input element to the
"theform" id (presumably a form on the page ;) ) called "seedkey", and has a
value of whatever t is evaluated to (which I'm still stuck on as I don't
know jquery much at all, so I can't figure out the s[] array, but I know it
has something to do with the bracket notation...).

=================================================
+= Orig =+
$(function () {
       var _0xafd3 = ["\x74\x20\x3D\x20\x22", "", "\x6A\x6F\x69\x6E",
"\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74",
"\x72\x65\x70\x6C\x61\x63\x65", "\x22"];

       eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi,
_0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi,
_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) +
_0xafd3[6]);
       var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E",
"\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72",
"\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", "\x76\x61\x6C\x75\x65",
"\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"];
       _n = $(_0x5bfa[0]);
       _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]);
       _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]);
       _n[_0x5bfa[3]](_0x5bfa[6], t);
       $(_0x5bfa[8])[_0x5bfa[7]](_n);
});

+= De-obfuscated =+
$(function () {
       var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split', 'replace',
'"'];
       var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name',
'seedkey', 'value', 'append', '#theform'];

       eval('t = "' + s['replace'](/ZPAK/gi, '')['replace'](/\",\"/gi,
'')['replace'](/\"/gi, '')['split']('')['reverse']()['join']('') + '"');

       _n = $('<input />');
       _n['attr']('type', 'hidden');
       _n['attr']('name', 'seedkey');
       _n['attr']('value', t);
       $('#theform')['append'](_n);
});

=================================================

Fun stuffs. I can haz a internetz? :-P

Ryan


----- Original Message -----
From: "Cal Leeming" <cal () foxwhisper co uk>
To: full-disclosure () lists grok org uk
Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada Eastern
Subject: [Full-disclosure] guess what this does..

   $(function() {
   var

_0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
   var

_0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
   });

enjoy ;p

ps) yes I obfuscated this, and no it doesn't contain any nasties.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: