Browser Security Pack
Sep. 25, 2005, 10:10 PM
Post: #346
 
Kye-U,
When I examined the Javascript charAt remover filter closely, I noticed that there were 2 end parentheses after the wildcard in the first instance, and after the number added or subtracted in the second. I don't quite understand why the second end parenthesis is used. The structure would be 'charAt(whatever))+[or -]1-9' or 'charAt(whatever+[or -]1-9))'.
I made a small modification to my copy of your filter and it seems to work more effectively for me, specifically in the popup test problem at http://www.popupcheck.com/freescan/popup...ndard.asp.
I used it in conjunction with a hex to ASCII filter.
Code:
Name = "Javascript "charAt" Remover"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js))"
Limit = 128
Match = "(\w.|)charAt\(\w\)(\)|)(\+|\-)[#1-9]\)"
        "|(\w.|)charAt\(\w(\+|\-)[#1-9]\)(\)|)"
        "$SET(\9=Adding a number to an "encoded" set of characters can often lead to the"
        "download/installation of unauthorized applications/scripts to your hard-drive.)"
Replace = "Shonenscape"
Sep. 25, 2005, 10:41 PM
Post: #347
 
Version 4.47 is Released!

Last Updated: September 25th, 2005 - 6:41 PM EST

What's New?

Quote:[-Version 4.47-]

-Modified (Javascript "charAt" Remover [Kye-U])
--Renamed to (Javascript "charAt" Remover [Kye-U] {Siamesecat})
--Improvement in the Matching Expression

-Modified (Mozilla: 'Print IFRAME' Crash [Kye-U])
--Improved Matching Expression to remove False Positives

-Modified (URL-Killer: Kill Suspicious Extensions [Kye-U] (Out))
--Added extension ".anr"

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: FB5514370CA4CADF2B5D1154523E7849
Oct. 20, 2005, 03:07 AM
Post: #348
 
Kye-U,

You da uber geek. Bows to you.
Nov. 11, 2005, 01:17 AM
Post: #349
 
Kye-U Wrote:Version 4.47 is Released!

<snip>

http://www.prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

First time I tried to download it, I got "Host Name Lookup Failed The Proxomitron couldn't find the site named...
kyeu.hostingzero.com
Check that the name is correct. If so, the site may have changed or may no longer exist."

Changing 'hostingzero' for 'info' sorted it though - so looks as if the link needs updating.

Kevin
Nov. 11, 2005, 01:30 AM
Post: #350
 
Whoops, forgot to update the paFileDB download files Smile!

Will do.

EDIT: Done Smile! Thanks!
Nov. 22, 2005, 06:23 AM
Post: #351
 
Version 4.48 is Released!

Last Updated: November 22nd, 2005 - 1:21 AM EST

What's New?

Quote:[-Version 4.48-]

-Added (IE: Body OnLoad "Window();" DoS [Kye-U])
http://www.computerterrorism.com/researc...1-2005.htm
http://secunia.com/advisories/15546/

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: 80706297D21F17FE12A6DC720DCEC5A5
Nov. 23, 2005, 06:09 AM
Post: #352
 
Kye-U,
Quote:Name = "IE: Body OnLoad "Window();" DoS [Kye-U]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js))"
Limit = 128
Match = "onload=$AVQ(*window\((*|)\)(;|)*)"
"&*$SET(Msg=)($TST(svAlert=1)$SET(Msg=$ALERT(IE: Body OnLoad "Window();" DoS Exploit Detected on:\n\n\u))|)"
"$SET(\9=Arbitrary code on a vulnerable browser can be executed through some specially crafted JavaScript"
"code called directly when a site has been loaded."
""
"Version(s) Vulnerable: IE 5.5, 6.x"
""
"http://www.computerterrorism.com/research/ie/ct21-11-2005.htm"
"http://secunia.com/advisories/15546/)"
Replace = "onload="Shonenscape""
In this filter, there is a message set up in the match but not called in the replacement.
Why not just add a warning line of text to the page instead of opening a message box?
If you remove the $SET message and add to the replacement, I think it would be better.

Quote:Match = "onload=$AVQ(*window\((*|)\)(;|)*)"
"$SET(\9=Arbitrary code on a vulnerable browser can be executed through some specially crafted JavaScript"
"code called directly when a site has been loaded."
""
"Version(s) Vulnerable: IE 5.5, 6.x"
""
"http://www.computerterrorism.com/research/ie/ct21-11-2005.htm"
"http://secunia.com/advisories/15546/)"
Replace = "onload="Shonenscape""
"<font color="Red"><strong>[IE: Body OnLoad "Window();" DoS Exploit removed]</strong></font>"
The example given by Secunia was: <body onload="window();">
Does that mean that "body" must be included for the exploit to work? The filter match does not include that word.
Nov. 23, 2005, 04:25 PM
Post: #353
 
Good thinking Smile!

I didn't include "body" in the match since I wanted this to match even .js files, where the code may be garbled enough to put something like:

Code:
writeln "<body"+"onload='window();'"+">"

I will update the filter later today after school Big Teeth

Thanks again.
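Added example (not part of the thread or of the filter pack): a Python approximation of the match discussed in posts #352 and #353, showing what leaving "body" out of the expression gains and what it costs. The regex translation of `$AVQ` and `*` is an assumption, `STRICT` is a hypothetical variant, and the last two sample inputs are constructed.

```python
import re

# Rough regex equivalent of the posted match "onload=$AVQ(*window\((*|)\)(;|)*)".
# Assumption: $AVQ is treated as an optionally quoted attribute value and
# Proxomitron's "*" as "any run of characters inside that value".
LOOSE = re.compile(
    r"""onload\s*=\s*(?P<q>["']?)[^"'>]*?window\([^)]*\)[^"'>]*(?P=q)""",
    re.IGNORECASE,
)
# Hypothetical stricter variant that insists on a literal "<body " tag first.
STRICT = re.compile(r"<body\s[^>]*?" + LOOSE.pattern, re.IGNORECASE)

# Replacement text used by the posted filter.
REPLACEMENT = 'onload="Shonenscape"'

SAMPLES = [
    '<body onload="window();">',                        # quoted in post #352
    'writeln "<body"+"onload=\'window();\'"+">"',       # quoted in post #353
    '<body onload="window.focus()">',                   # constructed, benign
    '<img src="a.gif" onload="openwindow(\'help\')">',  # constructed, benign
]


def loose_hit(text):
    """True if the body-less expression matches anywhere in text."""
    return LOOSE.search(text) is not None


def strict_hit(text):
    """True only when the handler sits inside a literal <body ...> tag."""
    return STRICT.search(text) is not None


def neutralize(text):
    """Rewrite every loose match the way the filter's Replace line does."""
    return LOOSE.sub(REPLACEMENT, text)


def compare(samples=SAMPLES):
    """Return (sample, loose_hit, strict_hit) for each input."""
    return [(s, loose_hit(s), strict_hit(s)) for s in samples]


if __name__ == "__main__":
    for sample, loose, strict in compare():
        print(f"loose={loose!s:5} strict={strict!s:5} {sample}")
```

The body-less expression catches the concatenated `.js` form that the stricter one misses, and it also rewrites the benign `openwindow(...)` handler, which is the false-positive cost of matching on `*window\(` alone.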
Dec. 30, 2005, 05:09 AM
Post: #354
 
Version 4.49 is Released!

Last Updated: December 30th, 2005 - 12:09 AM EST

What's New?

Quote:[-Version 4.49-]

-Added (Windows: Kill Infected .WMF Files [Kye-U])
http://isc.sans.org/diary.php?storyid=972

-Added (URL: All File Extensions Force Filter {JJoe} (Out))
--Allows (Windows: Kill Infected .WMF Files [Kye-U]) to kill infected files

-Modified (IE: Body OnLoad "Window();" DoS [Kye-U])
--Changed Matching and Replacement method

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: D8E224D4AF0C4FA37B11BB70A11CC503
Dec. 30, 2005, 01:00 PM
Post: #355
Can't DL
Keep on getting directed to 403/404 pages. How do I get the update?
Dec. 30, 2005, 07:58 PM
Post: #356
 
Download

Make sure Referrers is enabled.

I've installed a protection script that checks the referrer header Smile!
Dec. 30, 2005, 08:49 PM
Post: #357
 
Version 4.50 is Released!

Last Updated: December 30th, 2005 - 3:49 PM EST

What's New?

Quote:[-Version 4.50-]

-Modified (Windows: Kill Infected .WMF Files [Kye-U])
--Renamed to (Windows: Kill WMF-Exploit Files [Kye-U])
--Removed URL Match to make it apply to all file types

-Modified (URL: All File Extensions Force Filter {JJoe} (Out))
--Renamed to (!-|||||||||||| URL: All File Extensions Force Filter {JJoe} (out))
--Required this prefix because it was breaking Sidki's filter set.

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: FCC686CF0925683BB603D957E914228E
Dec. 31, 2005, 01:16 AM
Post: #358
 
Version 4.51 is Released!

Last Updated: December 30th, 2005 - 8:16 PM EST

What's New?

Quote:[-Version 4.51-]

-Added (Host: All File Extensions Force Filter {JJoe} (out))
--Different method to allow Proxomitron to filter all file extensions

-Modified (Windows: Kill Infected .WMF Files [Kye-U])
--Made matching expression more specific to remove false positives

-Removed (!-|||||||||||| URL: All File Extensions Force Filter {JJoe} (out))
--Was crashing Proxomitron for some people

http://prxbx.com/forums/viewtopic.php?p=1115#1115

Download here!

MD5: ACB84912A99561A459F22AA24DEA3B84
Dec. 31, 2005, 02:22 PM
Post: #359
Re: Browser Security Pack
Kye-U Wrote:I've browsed through IE, Opera, and Mozilla vulnerabilities, and I've created filters to fix them.
Hi Kye-U!

It seems everybody is too lazy to rate your filterset, they just download it and don't give any credits to this wonderful piece of work! Shame

I appreciate what you are doing, therefore I gave the first rating. Cool

To all lazy downloaders: Microphone


Best regards,

Smokey
Dec. 31, 2005, 10:29 PM
Post: #360
 
*Ignore this post*