Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Decoding Diyer’s Ascii bypass: - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Decoding Diyer’s Ascii bypass:
A user wrote in that he was seeing some exploit sites using the ""cooldiyer" ascii encoding for web filtering bypass.
The user’s question was how can I decode these?

Thanks to DanielW another handler we have an answer.
“This one is very straight forward to decode - all you have to do is convert it into 7bit ASCII or clear the highest bit with some Perl-Fu like cat gamefile.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'.
This is what they do with the HTML line above the code block as well (charset US-ASCII is 7bit). The decoded URL is a plain ordinary MS.XMLHTTP exploit which tries to download svc.exe but this file is no longer there”

I do want to warn users sites using this are mostly BAD sites with malware and exploits on them. Be very careful about any sites you find using this as they could have an exploit for your webbrowser/OS that you have no defenses against.

206 Posts
Feb 11th 2007

Sign Up for Free or Log In to start participating in the conversation!