The Un-Official Proxomitron Forum
Remove Obfuscated Code [20081221b] - Printable Version



Remove Obfuscated Code [20081221b] - Kye-U - Dec. 17, 2008 03:30 AM

Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081221b]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Limit = 32767
Match = "(($TYPE(js)|$TYPE(vbs))$SET(sOpen=1)|(^($TYPE(js)|$TYPE(vbs)))< (script$SET(sOpen=1)|/ script$SET(sOpen=)))PrxFail"
        "|"
        "$TST(sOpen=1)"
        "("
        "(=| \( | , )\0(\"|\')\1"
        "("
        "("
        "(\\([0-7]+{1,3}&&[#000:377]))"
        "|((%|\\x)([a-f0-9])+{2})"
        "|((%|\\)u([a-f0-9])+{4})"
        ")"
        ")+{10,*}$SET(2=$ALERT(Obfuscated code detected and removed/broken on:\r\n\r\n\u))"
        "|"
        "String.fromCharCode \($SET(0=foo)$SET(1=\()"
        "|(\s|;|>)\9unescape \( [_a-z0-9]+.replace \($SET(0=\9foo\()$SET(1=bar\()"
        "|(\s|;|>)\9eval \( ("
        "     (([_a-Z0-9]+)(\+|))+{3,*}$SET(0=\9foo)$SET(1=\()"
        "     |(function|unescape) \($SET(0=\9foo\()$SET(1=bar\()"
        "     )$SET(2=$ALERT(Obfuscation function detected and removed/broken on:\r\n\r\n\u))"
        ")"
Replace = "\0\1"
          "\2"

Test page: http://prxbx.com/test/IEXMLPoC.html (warning, may crash your IE-based browser)


edit by admin: inserted missing " after the ) in the second-to-last line of the Match Code...

Old Versions:

Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081221a]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Limit = 32767
Match = "(($TYPE(js)|$TYPE(vbs))$SET(sOpen=1)|(^($TYPE(js)|$TYPE(vbs)))< (script$SET(sOpen=1)|/ script$SET(sOpen=)))PrxFail"
        "|"
        "$TST(sOpen=1)"
        "("
        "(=| \( | , )\0(\"|\')\1(^((.(.|)|)/|http(s|)://))( [^"'<>%\\]+ |)"
        "("
        "("
        "(\\([0-7]+{1,3}&&[#000:377]))"
        "|((%|\\x)([a-f0-9])+{2})"
        "|((%|\\)u([a-f0-9])+{4})"
        ")"
        "( [^"'<>%\\]+ |)"
        ")+{10,*}$SET(2=$ALERT(Obfuscated code detected and removed/broken on:\r\n\r\n\u))"
        "|"
        "String.fromCharCode \($SET(0=foo)$SET(1=\()"
        "|(\s|;|>)\9unescape \( [_a-z0-9]+.replace \($SET(0=\9foo\()$SET(1=bar\()"
        "|(\s|;|>)\9eval \( ("
        "     (([_a-Z0-9]+)(\+|))+{3,*}$SET(0=\9foo)$SET(1=\()"
        "     |(function|unescape) \($SET(0=\9foo\()$SET(1=bar\()"
        "     )"
        ")"
Replace = "\0\1"
          "\2"



RE: Remove Obfuscated Code [20081216] - DarthTrader - Dec. 17, 2008 04:22 PM

Thanks, KyeU, for this filter. Looks like it replaces the PoC code with this:
Code:
var shellcode = unescape["%u0066%u006F%u006F%u0062%u0061%u0072
^ change [ to (
This seems to cause Avira to quarantine the whole thing even with WebGuard disabled. Smile! Just thought I'd let you know.

Thanks again,
DarthTrader.

**Edited by Kye-U: the filter is matching the code in this post**


RE: Remove Obfuscated Code [20081216] - lnminente - Dec. 17, 2008 05:10 PM

DarthTrader, try deleting \1 in the replacement code Wink


RE: Remove Obfuscated Code [20081216] - DarthTrader - Dec. 17, 2008 05:55 PM

(Dec. 17, 2008 05:10 PM)lnminente Wrote:  DarthTrader, try deleting \1 in the replacement code Wink

Now I get this:
Code:
var shellcode = unescape("
And it still gets quarantined by Avira. If I remove both the \1 and \k, IE8 beta 2 crashes. Sad


RE: Remove Obfuscated Code [20081216] - lnminente - Dec. 17, 2008 06:09 PM

Maybe the text which Avira matches for detecting this exploit is still present, but it wouldn't be bad after this filter deactivated it...


RE: Remove Obfuscated Code [20081216] - Kye-U - Dec. 17, 2008 06:11 PM

I'd highly recommend keeping the \k in the Replacement Text (and also the $ALERT, so you'll know if it's producing any false positives).

I think the content is loaded through Avira before it reaches Proxomitron, so that's why you still get the message.


RE: Remove Obfuscated Code [20081216] - DarthTrader - Dec. 17, 2008 06:56 PM

(Dec. 17, 2008 06:11 PM)Kye-U Wrote:  I'd highly recommend keeping the \k in the Replacement Text (and also the $ALERT, so you'll know if it's producing any false positives).

Okay, I will keep both of them.

Quote:I think the content is loaded through Avira before it reaches Proxomitron, so that's why you still get the message.

I think this is only true if WebGuard is enabled. The quarantined page I am seeing has all the Prox code inserted.

DarthTrader
Oops, now I am seeing FPs on this page:
http://www.dslreports.com/forum/security


RE: Remove Obfuscated Code [20081216] - DarthTrader - Dec. 19, 2008 02:41 PM

Here is a modified version (please don't laugh!)
Code:
[Patterns]
Name = "<script>: Remove Obfuscated Code [20081219]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))"
Bounds = "$NEST(<script,</script*>)"
Limit = 4096
Match = "*(\\[#000:255])+{15}*"
        "|*((%|\\x)\0([a-f]|[0-9])([a-f]|[0-9]))+{15}*"
        "|*(((%|\\)u)\0([a-f]|[0-9])([a-f]|[0-9])([a-f]|[0-9])([a-f]|[0-9]))+{15}*"
        "|*[^_a-Z0-9]eval \( ((([_a-Z0-9]+)(\+|))+{3,*}*)"
Replace = "$ALERT(Obfuscated code detected and removed from:\r\n\r\n\u\r\n\r\n)"

Comments and corrections welcome!
DarthTrader


RE: Remove Obfuscated Code [20081216] - lnminente - Dec. 19, 2008 05:31 PM

(Dec. 19, 2008 02:41 PM)DarthTrader Wrote:  please don't laugh!
Nobody ever will Wink

DarthTrader, one recommendation:
If you write (*bla1*|*bla2*) this will be slower than *(bla1*|bla2*)
The reason is that when bla1 doesn't match it goes to the beginning again Wink


RE: Remove Obfuscated Code [20081216] - ProxRocks - Dec. 19, 2008 06:04 PM

I've not messed much with the "speed" of filters...

so let me ask, which of these would be faster?
1) *(bla1*|bla2*)
2) *(bla1|bla2)*


RE: Remove Obfuscated Code [20081216] - lnminente - Dec. 19, 2008 06:33 PM

I'm not sure about these two, maybe the first. I think the second could not match very well sometimes; I can't give you examples, but maybe in some header filters the second code could not match while the first does...


RE: Remove Obfuscated Code [20081216] - DarthTrader - Dec. 19, 2008 06:47 PM

(Dec. 19, 2008 06:04 PM)ProxRocks Wrote:  I've not messed much with the "speed" of filters...

so let me ask, which of these would be faster?
1) *(bla1*|bla2*)
2) *(bla1|bla2)*

This seems to work and should be better:
Code:
*((\\[#000:255])+{15}
|((%|\\x)\0([a-f]|[0-9])([a-f]|[0-9]))+{15}
|(((%|\\)u)\0([a-f]|[0-9])([a-f]|[0-9])([a-f]|[0-9])([a-f]|[0-9]))+{15}
|[^_a-Z0-9]eval \( ((([_a-Z0-9]+)(\+|))+{3,*}))*

Thanks for the help!
DarthTrader


RE: Remove Obfuscated Code [20081216] - z12 - Dec. 20, 2008 12:53 PM

Seems that this:
Code:
([a-f]|[0-9])

could be simplified to this:
Code:
[a-f0-9]

which could then reduce to this:
Code:
((%|\\x)\0[a-f0-9]+{2})+{15}$SET(1=\066\06F\06F\062\061\072\000)

(((%|\\)u)\0[a-f0-9]+{4})+{15}$SET(1=\00066\0006F\0006F\00062\00061\00072)
But I'm not sure about the speed.

If this is the octal match, strictly speaking, it doesn't limit matching to octal:
Code:
(\\[#000:255])+{3}
as it will match 8 & 9, which are not valid for octal.
But for matching exploit code, maybe it doesn't matter, as there shouldn't be any 8 or 9 present.

For the heck of it, here's an octal character only match:
Code:
(\\([0-7][0-7]+&&[#000:377]))+{3}

But for this filter, maybe the inner numeric match should be limited to 3 numbers though.
Code:
[0-7]+{1,3}

foobar !!! Smile!

z12
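The escape-run rule from Kye-U's filter (ten or more back-to-back \NNN, \xHH/%HH or \uHHHH/%uHHHH escapes) together with z12's octal caveat, written out as an added Python example; this is not Proxomitron code and not from the thread. The sample script fragments are constructed, and the strict_octal switch compares a proper octal match (one to three digits, \000 to \377) against a loose digit match that also accepts "\189".

```python
import re

# Escape shapes the thread's filter looks for. Strict octal takes one to
# three octal digits and stays inside \000..\377 (z12's point: a digit class
# like [#000:255] would also accept "\189", which is not octal at all).
STRICT_OCTAL = r"\\(?:[0-3][0-7]{2}|[0-7]{1,2})"
LOOSE_OCTAL = r"\\[0-9]{1,3}"
HEX_BYTE = r"(?:%|\\x)[0-9a-fA-F]{2}"       # \xHH or %HH
UNICODE_ESC = r"(?:%|\\)u[0-9a-fA-F]{4}"    # \uHHHH or %uHHHH


def escape_re(strict_octal=True):
    """One escape sequence of any of the three shapes."""
    octal = STRICT_OCTAL if strict_octal else LOOSE_OCTAL
    return re.compile(f"(?:{octal}|{HEX_BYTE}|{UNICODE_ESC})")


def longest_escape_run(text, min_run=10, strict_octal=True):
    """Number of escapes in the longest run of at least min_run back-to-back
    escape sequences (the filter's +{10,*}), or 0 if there is no such run."""
    esc = escape_re(strict_octal)
    run = re.compile(f"(?:{esc.pattern}){{{min_run},}}")
    return max((len(esc.findall(m.group(0))) for m in run.finditer(text)), default=0)


def neutralize(text, min_run=10, strict_octal=True):
    """Cut each qualifying run out of the script and leave a marker in its
    place, much as the filter keeps the opening quote and drops the payload."""
    esc = escape_re(strict_octal)
    run = re.compile(f"(?:{esc.pattern}){{{min_run},}}")
    return run.sub("/*escape run removed*/", text)


# Constructed sample fragments (not the thread's test page). The runs spell
# "foobar" three times over; the benign line has the odd escape a real page has.
SAMPLES = {
    "unicode_run": 'var s = unescape("' + "%u0066%u006F%u006F%u0062%u0061%u0072" * 3 + '");',
    "octal_run": 'var s = "' + "\\146\\157\\157\\142\\141\\162" * 3 + '";',
    "not_octal": 'var s = "' + "\\189" * 10 + '";',
    "benign": 'var t = "caf\\u00e9 \\x41 100%";',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, longest_escape_run(text), longest_escape_run(text, strict_octal=False))
```

The "not_octal" sample is the case z12 describes: it counts as a run of ten only when the loose digit match is used.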


RE: Remove Obfuscated Code [20081216] - Graycode - Dec. 20, 2008 06:39 PM

The trailing \000 in one of the replacements would become a binary zero by unescape(). Is that what's desired??
$SET(1=\066\06F\06F\062\061\072\000)


RE: Remove Obfuscated Code [20081216] - Kye-U - Dec. 20, 2008 07:06 PM

That's not intentional; that simply translates to "foobar" (or so I'd hope).
I'll be revising the filter today; I came across some false positives, and I'll implement z12's ideas into the filter to make it more readable.

Thanks!

EDIT: Updated. Got rid of the "foobar" replacement texts, updated the octal and hex matching expressions (thanks z12), and I also added $TYPE(vbs).

I should have fixed most/all false positives by simply ensuring there is a double/single quote at the beginning (I had to increase the byte size to 91 to accommodate for this additional byte).