Babelfish obfuscation

2009-10-05 Thread Joseph Brennan



From spam today:



<a href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E" style="text-decoration: none; color: #0099ff;">click here</a>



Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
then %2E%63%6E for .cn

Joseph Brennan
Columbia University Information Technology




Re: Babelfish obfuscation

2009-10-05 Thread Karsten Bräckelmann
On Mon, 2009-10-05 at 11:06 -0400, Joseph Brennan wrote:
 Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
 then %2E%63%6E for .cn

Without checking -- I believe, all you need is a redirector_pattern for
the IP redirector, to extract the target URI. The list of URIs should
also contain a cleaned version of the extracted target URI, with the
escapes converted.


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Babelfish obfuscation

2009-10-05 Thread John Hardin

On Mon, 5 Oct 2009, Joseph Brennan wrote:


From spam today:


<a href="http://66.196.80.202/babelfish/translate_url_content?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E" style="text-decoration: none; color: #0099ff;">click here</a>


Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
then %2E%63%6E for .cn


Warren:

I guess that's an argument against anchoring CN_EIGHT at the beginning of 
the URI...


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You cannot bring about prosperity by discouraging thrift. You
  cannot help small men by tearing down big men. You cannot
  strengthen the weak by weakening the strong. You cannot lift the
  wage-earner by pulling down the wage-payer. You cannot help the
  poor man by destroying the rich. You cannot keep out of trouble by
  spending more than your income. You cannot further the brotherhood
  of man by inciting class hatred. You cannot establish security on
  borrowed money. You cannot build character and courage by taking
  away men's initiative and independence. You cannot help men
  permanently by doing for them what they could and should do for
  themselves.   -- William J. H. Boetcker
---
 Approximately 9183900 firearms legally purchased in the U.S. this year


Re: Babelfish obfuscation

2009-10-05 Thread Karsten Bräckelmann
On Mon, 2009-10-05 at 08:27 -0700, John Hardin wrote:
 I guess that's an argument against anchoring CN_EIGHT at the beginning of 
 the URI...

No, it is not.

It's an argument for a new redirector_pattern. The extracted target URIs
are provided for uri rules.

Or alternatively, seriously kicking some redirector provider's butts...





Re: Babelfish obfuscation

2009-10-05 Thread Benny Pedersen

On Mon 05 Oct 2009 17:06:19 CEST, Joseph Brennan wrote


Double obfuscation-- first the indirect through 66.196.80.202 (yahoo) and
then %2E%63%6E for .cn


Yahoo accepts content to be on their IP?

Let's block that IP, then.

--
xpoint



Re: Babelfish obfuscation

2009-10-05 Thread Benny Pedersen

On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote

Without checking -- I believe, all you need is a redirector_pattern for
the IP redirector, to extract the target URI. The list of URIs should
also contain a cleaned version of the extracted target URI, with the
escapes converted.


I have had this in mind for so long with a lot of spam on Yahoo, but
don't know how to make that work :/





Re: Babelfish obfuscation

2009-10-05 Thread Warren Togami

On 10/05/2009 11:27 AM, John Hardin wrote:

Warren:

I guess that's an argument against anchoring CN_EIGHT at the beginning
of the URI...



I wasn't the one that suggested anchoring.

Did the old rule decode %2E%63%6E as .cn though?

Warren


Re: Babelfish obfuscation

2009-10-05 Thread Karsten Bräckelmann
On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:
 On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote

  Without checking -- I believe, all you need is a redirector_pattern for
  the IP redirector, to extract the target URI. The list of URIs should
  also contain a cleaned version of the extracted target URI, with the
  escapes converted.
 
 I have had this in mind for so long with a lot of spam on Yahoo, but
 don't know how to make that work :/

redirector_pattern  m~http://example.net/redir?uri=(target)~
The redirector_pattern pretty much is a simple uri rule. With one
notable difference: It needs exactly one capturing match. The captured
match will be added to the list of URIs, just the same as if it would
have appeared as a plain, ordinary URI in the message.

Entirely from memory -- down with a cold, can't be arsed to cross-check
my claims today. ;)

  guenther





Re: Babelfish obfuscation (fwd)

2009-10-05 Thread Karsten Bräckelmann
On Mon, 2009-10-05 at 11:21 -0700, John Hardin wrote:
 On Mon, 5 Oct 2009, Warren Togami wrote:
 
   Did the old rule decode %2E%63%6E as .cn though?
 
 The URI parser does that for you:
 
 [11433] dbg: rules: ran uri rule ALL_URI == got hit: 
 http://fnord:b...@321%2e%63%6e;
 [11433] dbg: rules: ran uri rule ALL_URI == got hit: http://321.cn;
 [11433] dbg: rules: ran uri rule ALL_URI == got hit: 
 http://fnord:b...@321.cn;

Didn't I say that? ;)

The list of URIs does contain cleaned and decoded versions, in addition
to the raw URI.




Re: Babelfish obfuscation

2009-10-05 Thread John Hardin

On Mon, 5 Oct 2009, Karsten Bräckelmann wrote:


On Mon, 2009-10-05 at 19:56 +0200, Benny Pedersen wrote:

On Mon 05 Oct 2009 17:16:06 CEST, Karsten Bräckelmann wrote



Without checking -- I believe, all you need is a redirector_pattern for
the IP redirector, to extract the target URI. The list of URIs should
also contain a cleaned version of the extracted target URI, with the
escapes converted.


I have had this in mind for so long with a lot of spam on Yahoo, but
don't know how to make that work :/


redirector_pattern  m~http://example.net/redir?uri=(target)~


Tested:

redirector_pattern  m;^https?://[^/]+/babelfish/.*\?.*url=(http:.+)$;


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 Approximately 9194940 firearms legally purchased in the U.S. this year
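The mechanism Karsten describes (a redirector_pattern with exactly one capturing group, whose capture is appended to the URI list alongside raw and percent-decoded forms, where ordinary uri rules then see it) and the pattern John Hardin reports as tested can be walked through end to end. The block below is an added example written for this thread, not SpamAssassin's own code; it is a simplified Python model (Python `re`, not Perl) that assumes the spam href quoted at the top of the thread as its constructed input and a hypothetical `.cn`-host uri rule standing in for CN_EIGHT.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the href from the spam message quoted in this
# thread (a Babelfish redirector wrapping a percent-encoded .cn host).
SPAM_HREF = ("http://66.196.80.202/babelfish/translate_url_content"
             "?.intl=us&lp=es_en&trurl=http://johnnie2006.mcafaloj%2E%63%6E")

# Python equivalent of the tested redirector_pattern from the thread. As with
# SpamAssassin, exactly one capturing group: the extracted target URI.
REDIRECTOR_PATTERNS = [
    re.compile(r"^https?://[^/]+/babelfish/.*\?.*url=(http:.+)$"),
]


def extract_redirect_targets(uri):
    """Return the captured target of every redirector pattern that matches."""
    targets = []
    for pat in REDIRECTOR_PATTERNS:
        m = pat.match(uri)
        if m:
            targets.append(m.group(1))
    return targets


def decode_uri(uri):
    """Percent-decode once, so %2E%63%6E becomes the plain '.cn' a rule expects."""
    return unquote(uri)


def build_uri_list(raw_uris):
    """Simplified model of the URI list uri rules are run against:
    each raw URI, its decoded form, and for every redirector match the
    extracted target plus its decoded form (duplicates dropped)."""
    uris = []

    def add(u):
        if u not in uris:
            uris.append(u)

    for raw in raw_uris:
        add(raw)
        add(decode_uri(raw))
        for target in extract_redirect_targets(raw):
            add(target)
            add(decode_uri(target))
    return uris


# Hypothetical uri rule (stand-in for CN_EIGHT): host part ends in .cn.
# It is anchored on the scheme of whatever entry it is run against, not on
# the start of the original href, so the decoded redirect target can match.
CN_HOST = re.compile(r"^https?://[^/?#]*\.cn(?:[/:?#]|$)", re.I)


def uri_rule_hits(rule, uri_list):
    """Every entry of the URI list the rule fires on."""
    return [u for u in uri_list if rule.search(u)]


if __name__ == "__main__":
    uri_list = build_uri_list([SPAM_HREF])
    for u in uri_list:
        print("uri:", u)
    # The rule misses the raw href and the raw target, but hits the
    # decoded target: http://johnnie2006.mcafaloj.cn
    print("CN_HOST hits:", uri_rule_hits(CN_HOST, uri_list))
```

Run against the raw href alone the rule never fires, which is the double obfuscation Joseph points out; it is the combination of redirector extraction and decoding that exposes the `.cn` host to the rule.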