Last active
February 21, 2017 19:19
| ::1 - - [21/Feb/2017:12:13:14 -0600] "GET /%3CVAST%20version=%222.0%22%3E%3CAd%20id=%22VPAID%22%3E%3CInLine%3E%3CAdSystem%20version=%221.2%22%3ELKQD%3C/AdSystem%3E%3CAdTitle%3ELKQD%20VPAID%3C/AdTitle%3E%3CImpression/%3E%3CCreatives%3E%3CCreative%20sequence=%221%22%3E%3CLinear%3E%3CDuration%3E00:00:15%3C/Duration%3E%3CMediaFiles%3E%3CMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/x-shockwave-flash%22%20apiFramework=%22VPAID%22%3E%3C![CDATA[https://ad.lkqd.net/vpaid/vpaid.swf]]%3E%3C/MediaFile%3E%3CMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/javascript%22%20apiFramework=%22VPAID%22%3E%3C![CDATA[https://ad.lkqd.net/vpaid/vpaid.js?fusion=1.0]]%3E%3C/MediaFile%3E%3C/MediaFiles%3E%3CAdParameters%3E%3C![CDATA[dG9uZWppdG8=]]%3E%3C/AdParameters%3E%3C/Linear%3E%3C/Creative%3E%3C/Creatives%3E%3C/InLine%3E%3C/Ad%3E%3C/VAST%3E&cbts=14322794362784807000 HTTP/1.1" 301 1166 "-" "curl/7.38.0" |
| # httpd-VAST.conf | |
| # Tear down all those annoying urlencoded XML-based VAST requests sent to @Apache. Tested with @cURL | |
| # Andres Hernandez (tonejito) | |
| # If you use mod_proxy*, this might also need a "ProxyPassMatch <regex> !" exclusion | |
| # The regex is matched against the decoded URL path (%20 is a space, %3C is "<"), not the query string | |
| # Clear ErrorDocument for this URL | |
| <LocationMatch "^(.*VAST( version=.*(Ad id=.*version=.*(\[CDATA\[.*\]\])?)?)?.*)$"> | |
| ErrorDocument 301 " " | |
| </LocationMatch> | |
| # Send the request elsewhere | |
| # We could forward this into a honeypot, be sure to set $0 to include all the payload | |
| RedirectMatch permanent "^(.*VAST( version=.*(Ad id=.*version=.*(\[CDATA\[.*\]\])?)?)?.*)$" http://localhost:1/$0 |
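How the two directives above see a request from the access log, as an added Python example that is not part of the original gist: it splits the request target at the first `?`, percent-decodes the path as Apache does before matching, and applies the gist's pattern with the CDATA brackets escaped. The sample log lines and the `ad.example` host are constructed.

```python
import re
from urllib.parse import unquote

# The gist's pattern, with the CDATA brackets escaped so they match literally.
VAST_RE = re.compile(
    r'^(.*VAST( version=.*(Ad id=.*version=.*(\[CDATA\[.*\]\])?)?)?.*)$'
)
# Request field of a Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def classify(log_line):
    """Return (is_vast, decoded_path, raw_query) for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return (False, None, None)
    # The first "?" ends the URL path. Everything after it is the query
    # string, which LocationMatch and RedirectMatch never match against.
    path, _, query = m.group("target").partition("?")
    decoded = unquote(path)  # the path is percent-decoded before matching
    return (VAST_RE.match(decoded) is not None, decoded, query)


# Constructed sample lines, shortened from the request shape shown on this page.
SAMPLE_LOG = [
    '::1 - - [21/Feb/2017:12:13:14 -0600] "GET /%3CVAST%20version=%222.0%22%3E'
    '%3CAd%20id=%22VPAID%22%3E%3CAdSystem%20version=%221.2%22%3E'
    '%3C![CDATA[https://ad.example/vpaid.js?fusion=1.0]]%3E%3C/VAST%3E&cbts=1'
    ' HTTP/1.1" 301 1166 "-" "curl/7.38.0"',
    '::1 - - [21/Feb/2017:12:13:15 -0600] "GET /index.html?ref=VAST HTTP/1.1" 200 512 "-" "curl/7.38.0"',
    '::1 - - [21/Feb/2017:12:13:16 -0600] "GET /%56AST HTTP/1.1" 404 1 "-" "curl/7.38.0"',
    '::1 - - [21/Feb/2017:12:13:17 -0600] "GET /docs/VAST-spec.pdf HTTP/1.1" 200 9 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit, path, query = classify(line)
        print(hit, repr(path), repr(query))
```

Because every group after `VAST` is optional, any decoded path containing `VAST` matches, so the last sample line is redirected as well. The `?` inside `vpaid.js?fusion=1.0` is why the `Location` header in test.log re-encodes only the part of the URL before it and appends the rest unchanged.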
| * Hostname was NOT found in DNS cache | |
| * Trying ::1... | |
| * Connected to localhost (::1) port 80 (#0) | |
| > GET /%3CVAST%20version=%222.0%22%3E%3CAd%20id=%22VPAID%22%3E%3CInLine%3E%3CAdSystem%20version=%221.2%22%3ELKQD%3C/AdSystem%3E%3CAdTitle%3ELKQD%20VPAID%3C/AdTitle%3E%3CImpression/%3E%3CCreatives%3E%3CCreative%20sequence=%221%22%3E%3CLinear%3E%3CDuration%3E00:00:15%3C/Duration%3E%3CMediaFiles%3E%3CMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/x-shockwave-flash%22%20apiFramework=%22VPAID%22%3E%3C![CDATA[https://ad.lkqd.net/vpaid/vpaid.swf]]%3E%3C/MediaFile%3E%3CMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/javascript%22%20apiFramework=%22VPAID%22%3E%3C![CDATA[https://ad.lkqd.net/vpaid/vpaid.js?fusion=1.0]]%3E%3C/MediaFile%3E%3C/MediaFiles%3E%3CAdParameters%3E%3C![CDATA[dG9uZWppdG8=]]%3E%3C/AdParameters%3E%3C/Linear%3E%3C/Creative%3E%3C/Creatives%3E%3C/InLine%3E%3C/Ad%3E%3C/VAST%3E&cbts=14322794362784807000 HTTP/1.0 | |
| > User-Agent: curl/7.38.0 | |
| > Host: localhost | |
| > Accept: */* | |
| > | |
| < HTTP/1.1 301 Moved Permanently | |
| < Date: Tue, 21 Feb 2017 18:13:14 GMT | |
| * Server Apache is not blacklisted | |
| < Server: Apache | |
| < Location: http://localhost:1//%3cVAST%20version=%222.0%22%3e%3cAd%20id=%22VPAID%22%3e%3cInLine%3e%3cAdSystem%20version=%221.2%22%3eLKQD%3c/AdSystem%3e%3cAdTitle%3eLKQD%20VPAID%3c/AdTitle%3e%3cImpression/%3e%3cCreatives%3e%3cCreative%20sequence=%221%22%3e%3cLinear%3e%3cDuration%3e00:00:15%3c/Duration%3e%3cMediaFiles%3e%3cMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/x-shockwave-flash%22%20apiFramework=%22VPAID%22%3e%3c!%5bCDATA%5bhttps://ad.lkqd.net/vpaid/vpaid.swf%5d%5d%3e%3c/MediaFile%3e%3cMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/javascript%22%20apiFramework=%22VPAID%22%3e%3c!%5bCDATA%5bhttps://ad.lkqd.net/vpaid/vpaid.js?fusion=1.0]]%3E%3C/MediaFile%3E%3C/MediaFiles%3E%3CAdParameters%3E%3C![CDATA[dG9uZWppdG8=]]%3E%3C/AdParameters%3E%3C/Linear%3E%3C/Creative%3E%3C/Creatives%3E%3C/InLine%3E%3C/Ad%3E%3C/VAST%3E&cbts=14322794362784807000 | |
| < Content-Length: 1 | |
| < Connection: close | |
| < Content-Type: text/html; charset=iso-8859-1 | |
| < | |
| * Closing connection 0 | |
| * Issue another request to this URL: 'http://localhost:1//%3cVAST%20version=%222.0%22%3e%3cAd%20id=%22VPAID%22%3e%3cInLine%3e%3cAdSystem%20version=%221.2%22%3eLKQD%3c/AdSystem%3e%3cAdTitle%3eLKQD%20VPAID%3c/AdTitle%3e%3cImpression/%3e%3cCreatives%3e%3cCreative%20sequence=%221%22%3e%3cLinear%3e%3cDuration%3e00:00:15%3c/Duration%3e%3cMediaFiles%3e%3cMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/x-shockwave-flash%22%20apiFramework=%22VPAID%22%3e%3c!%5bCDATA%5bhttps://ad.lkqd.net/vpaid/vpaid.swf%5d%5d%3e%3c/MediaFile%3e%3cMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/javascript%22%20apiFramework=%22VPAID%22%3e%3c!%5bCDATA%5bhttps://ad.lkqd.net/vpaid/vpaid.js?fusion=1.0]]%3E%3C/MediaFile%3E%3C/MediaFiles%3E%3CAdParameters%3E%3C![CDATA[dG9uZWppdG8=]]%3E%3C/AdParameters%3E%3C/Linear%3E%3C/Creative%3E%3C/Creatives%3E%3C/InLine%3E%3C/Ad%3E%3C/VAST%3E&cbts=14322794362784807000' | |
| * Hostname was NOT found in DNS cache | |
| * Trying ::1... | |
| * connect to ::1 port 1 failed: Connection refused | |
| * Trying 127.0.0.1... | |
| * connect to 127.0.0.1 port 1 failed: Connection refused | |
| * Failed to connect to localhost port 1: Connection refused | |
| * Closing connection 1 | |
| curl: (7) Failed to connect to localhost port 1: Connection refused | |
| #!/bin/bash -vx | |
| URL='http://localhost/%3CVAST%20version=%222.0%22%3E%3CAd%20id=%22VPAID%22%3E%3CInLine%3E%3CAdSystem%20version=%221.2%22%3ELKQD%3C/AdSystem%3E%3CAdTitle%3ELKQD%20VPAID%3C/AdTitle%3E%3CImpression/%3E%3CCreatives%3E%3CCreative%20sequence=%221%22%3E%3CLinear%3E%3CDuration%3E00:00:15%3C/Duration%3E%3CMediaFiles%3E%3CMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/x-shockwave-flash%22%20apiFramework=%22VPAID%22%3E%3C![CDATA[https://ad.lkqd.net/vpaid/vpaid.swf]]%3E%3C/MediaFile%3E%3CMediaFile%20delivery=%22progressive%22%20width=%22601%22%20height=%22481%22%20scalable=%221%22%20type=%22application/javascript%22%20apiFramework=%22VPAID%22%3E%3C![CDATA[https://ad.lkqd.net/vpaid/vpaid.js?fusion=1.0]]%3E%3C/MediaFile%3E%3C/MediaFiles%3E%3CAdParameters%3E%3C![CDATA[dG9uZWppdG8=]]%3E%3C/AdParameters%3E%3C/Linear%3E%3C/Creative%3E%3C/Creatives%3E%3C/InLine%3E%3C/Ad%3E%3C/VAST%3E&cbts=14322794362784807000' | |
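| # Quote $URL: unquoted, the shell would apply word splitting and glob expansion ("?", "[...]") to it | |
| curl -vk#0gL "$URL" 2>&1 | tee test.log |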