Decoding Diyer's ASCII bypass:
A user wrote in that he was seeing some exploit sites using the "cooldiyer" ASCII encoding to bypass web filtering.
The user's question was: how can I decode these?
Thanks to DanielW, another handler, we have an answer.
"This one is very straightforward to decode - all you have to do is convert it into 7-bit ASCII or clear the highest bit with some Perl-Fu like cat gamefile.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'.
This is what they do with the HTML line above the code block as well (charset US-ASCII is 7-bit). The decoded URL is a plain ordinary MS.XMLHTTP exploit which tries to download svc.exe, but this file is no longer there."
I do want to warn users: sites using this are mostly BAD sites with malware and exploits on them. Be very careful about any site you find using this, as it could host an exploit for your web browser/OS that you have no defenses against.
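For analysts who would rather not rely on a Perl one-liner, here is an added Python equivalent (not part of the original diary or DanielW's answer). It clears bit 7 of every byte exactly as the Perl expression does, and adds a small triage heuristic: the fraction of high-bit bytes in a page, which is near zero for ordinary ASCII HTML and near one for content encoded this way. The sample HTML is constructed here for the test.

```python
"""Decode the 'cooldiyer' high-bit obfuscation described above.

The trick sets the high (8th) bit on each byte of the page. A browser told
the page is 7-bit US-ASCII ignores that bit, so the content renders as
normal, while a filter matching on the plain 7-bit text never sees it.
Clearing bit 7 (byte & 0x7F) recovers the original, which is exactly what
perl -pe 's/(.)/chr(ord($1)&127)/ge' does.
"""

# Constructed, harmless sample standing in for an obfuscated page.
SAMPLE_PLAIN = b'<html><body><script>document.write("hi");</script></body></html>'


def set_high_bit(data: bytes) -> bytes:
    """Reproduce the obfuscation on a sample so the decoder can be tested."""
    return bytes(b | 0x80 for b in data)


def clear_high_bit(data: bytes) -> bytes:
    """Undo the obfuscation: keep only the low 7 bits of each byte."""
    return bytes(b & 0x7F for b in data)


def high_bit_ratio(data: bytes) -> float:
    """Fraction of bytes with bit 7 set, as a triage hint for analysts.

    Plain ASCII HTML scores ~0.0 and fully obfuscated content ~1.0.
    Legitimate UTF-8 or binary content lands in between, so treat a high
    score as a reason to look closer, not as proof on its own.
    """
    if not data:
        return 0.0
    return sum(1 for b in data if b & 0x80) / len(data)


def decode_file(path: str) -> bytes:
    """Read a captured page from disk and return the 7-bit decoded bytes."""
    with open(path, "rb") as f:
        return clear_high_bit(f.read())


if __name__ == "__main__":
    obfuscated = set_high_bit(SAMPLE_PLAIN)
    print(f"high-bit ratio before decode: {high_bit_ratio(obfuscated):.2f}")
    print(clear_high_bit(obfuscated).decode("ascii"))
```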