Browser Security Pack
Jul. 17, 2004, 12:15 AM
Post: #91
 
Updated: 8:15 PM EST
http://prxbx.com/forums/index.ph...topic=131&st=0#

-Added (URI Protocol Handler Exploit [Kye-U])
http://www.securityfocus.com/bid/10341/info/

-Added (IE: %USERPROFILE% File Execution Exploit [Kye-U])
http://www.securityfocus.com/bid/7826/info/

-Added (IE: ADODB.Stream Exploit [Kye-U])
http://www.securityfocus.com/bid/10514/info/

-Added (IE: external.AutoScan Exploit [Kye-U])
http://www.securityfocus.com/bid/8169/info/

-Added (IE: File Download Warning Bypass Exploit [Kye-U])
http://www.securityfocus.com/bid/9278/info/

-Added (IE: Javascript Full Screen Exploit [Kye-U])
http://www.securityfocus.com/bid/3469

-Added (IE: Javascript Invalid "For" Exploit [Kye-U])
http://www.securityfocus.com/bid/10694/info/

-Added (IE: Javascript Pop-Up Window Object Type Exploit [Kye-U])
http://www.securityfocus.com/bid/8556/info/

-Added (IE: Known CLASSID-Crash Exploit [Kye-U])
http://www.securityfocus.com/bid/7384/info/

-Added (IE: Meta Tag Exploit [Kye-U])
http://www.securityfocus.com/bid/10351/info/

-Added (IE: Meta Tag Foreign Domain Exploit [Kye-U])
http://www.securityfocus.com/bid/10248/info/

-Added (IE: Non-FQDN URI Exploit [Kye-U])
http://www.securityfocus.com/bid/10579/info/

-Added (IE: IE: vbscript LoadPicture Exploit [Kye-U])
http://www.securityfocus.com/bid/9611/info/

-Added (IE: window.createPopup [Kye-U])
http://www.securityfocus.com/bid/8176/info/

-Added (Opera: Large Javascript Handling Exploit [Kye-U])
http://www.securityfocus.com/bid/9869/info/

-Added (Opera: URI Handling Exploit [Kye-U])
http://www.securityfocus.com/bid/9021

-Added (Opera: Malformed Server Name Exploit [Kye-U])
http://www.securityfocus.com/bid/8853

-Added (Opera: Permanent Denial Of Service Exploit [Kye-U])
http://www.securityfocus.com/bid/7430/info/

-Modified (IE: Search Exploit [Kye-U])
--Renamed filter to (IE: Search/Media-Pane Injection Exploit [Kye-U])
--Made it also match Media-Pane Injection codes

-Modified (IE: showHelp() Exploit [Kye-U])
--Made it look for "chm:" and "showHelp(*)"

-Modified (IE: Spoof Address [Kye-U])
--Fixed Second Match, and Renamed filter to (Spoofed Address Exploit [Kye-U]) as it applies to all browsers.
--Made it to also match: http://www.securityfocus.com/bid/10517/info/

-Modified (IE: View-Source Exploit [Kye-U])
--Renamed filter to (View-Source Exploit [Kye-U]) as it applies to all browsers (or most)

-Modified (Invisible Object Tag [Kye-U])
--"=" instead of "\="

-Removed "$SET(INFO=)" since it conflicted with the matching abilities of the filters
Jul. 17, 2004, 01:50 AM
Post: #92
 
Last Updated: July 16, 2004 - 9:49 PM EST
http://prxbx.com/forums/index.ph...topic=131&st=0#

-Modified (IE: Javascript Invalid "For" Exploit [Kye-U])
--Fixed False Positive
Jul. 17, 2004, 06:50 AM
Post: #93
 
Quote: -Removed "$SET(INFO=)" since it conflicted with the matching abilities of the filters
I tested one of the filters for a match with such a statement in it with one of the demo exploits. It matched up without a problem. How does this interfere? Is there any other way of adding a brief sentence or two of information into the filters?
Jul. 17, 2004, 10:10 AM
Post: #94
 
If a global variable has a long string as value, things get slower.
It's no problem with positional variables. $SET(\0=some stuff here)

sidki
Jul. 17, 2004, 06:10 PM
Post: #95
 
sidki3003 Wrote: If a global variable has a long string as value, things get slower.
It's no problem with positional variables. $SET(\0=some stuff here)

sidki
I see... I'll add descriptions to as many as I can. Thanks for the super brief tutorial, Sidki!
Jul. 17, 2004, 07:40 PM
Post: #96
 
Last Updated: July 17, 2004 - 3:40 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

-Added descriptions to all of my filters

-Modified (Hide ClipBoard Contents [Kye-U])
--Made it also match another function

-Renamed (IE: Restricted Cookie Exploit [Kye-U])
--Changed to (Restricted Cookie Bypass Exploit [Kye-U]) as it applies to multiple browsers
Jul. 18, 2004, 01:06 AM
Post: #97
 
Quote: $SET(\0=some stuff here)
According to the help file with Proxomitron, the syntax is more like:
Quote: Set \1 equal to "foobar": $SET(1=foobar)

I really appreciate you guys' help in educating me. I am learning a lot here!
Jul. 18, 2004, 01:09 AM
Post: #98
 
Last Updated: July 17, 2004 - 9:09 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

-Added (Opera: Address Bar Spoofing Exploit [Kye-U])
http://www.securityfocus.com/bid/10679/info/
Jul. 18, 2004, 01:26 AM
Post: #99
 
Siamesecat Wrote:
Quote: $SET(\0=some stuff here)
According to the help file with Proxomitron, the syntax is more like:
Quote: Set \1 equal to "foobar": $SET(1=foobar)

I really appreciate you guys' help in educating me. I am learning a lot here!
I suppose $SET(1=STUFF) is more suitable in more matching/replacing abilities.

$SET(\1=) I think won't do anything.
Jul. 18, 2004, 01:40 AM
Post: #100
 
Last Updated: July 17, 2004 - 9:40 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

-Modified (Opera: Address Bar Spoofing Exploit [Kye-U])
--Fixed False Positive
Jul. 18, 2004, 04:23 AM
Post: #101
 
Code:
Name = "IE: Meta Tag Exploit [Kye-U]"
Match = "*<meta*>*"
Isn't that a bit drastic to remove all meta tags? Why not remove 'window.createpopup()' instead?
IE: window.createPopup [Kye-U] involves createpopup() as well, so could one not kill both problems with one removal?

Code:
Name = "Opera: URI Handling Exploit [Kye-U]"
Match = "*opera:/*..%5C*([a-z]+{1,4})*"
The article mentioned both '..%5c' and '..%2f' characters. Is the use of %2f not as dangerous?

Code:
Name = "Opera: Malformed Server Name Heap Exploit [Kye-U]"
Match = "\0://*((%)+{2,*})*"
Should the (%) not be [%], or am I totally off base?
Jul. 18, 2004, 04:33 AM
Post: #102
 
Last Updated: July 18, 2004 - 12:33 AM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

-Removed (IE: Meta Tag Exploit [Kye-U])
--Overlapped (IE: window.createPopup [Kye-U])

-Modified (Opera: URI Handling Exploit [Kye-U])
--Added (%2F) to match

-Modified (Opera: Malformed Server Name Exploit [Kye-U])
--Changed (%) to [%] on Advice

--------

Thanks Siamesecat! I guess I should've taken a rest instead of doing all of the filters at once. As a good and true saying goes, "A fresh pair of eyes is always good."
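
Added example, not part of the original thread or the filter pack: a Python sketch of the check discussed in posts #101 and #102, flagging `opera:` URIs that carry an encoded `..%5C` or `..%2F` sequence in either hex case. The regular expression is a Python approximation, not Proxomitron matching syntax; the function names and sample markup are constructed. It inspects only URL-bearing attributes, so prose that merely mentions the sequence is not a false positive.

```python
import re
from html.parser import HTMLParser

# "..", then an encoded backslash (%5C) or slash (%2F); IGNORECASE covers %5c/%2f.
ENCODED_DOTDOT = re.compile(r"\.\.%(?:5c|2f)", re.IGNORECASE)
URL_ATTRS = {"href", "src", "action", "data"}  # assumed set of URL-bearing attributes


class _OperaUriCollector(HTMLParser):
    """Collect URL-bearing attribute values that use the opera: scheme."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                candidate = value.strip()
                if candidate.lower().startswith("opera:"):
                    self.found.append((tag, name, candidate))


def flag_opera_uris(html):
    """Return (tag, attr, uri) for opera: URIs containing ..%5C or ..%2F."""
    collector = _OperaUriCollector()
    collector.feed(html)
    collector.close()
    return [hit for hit in collector.found if ENCODED_DOTDOT.search(hit[2])]


# Constructed sample page: two links to flag, three items that must pass.
SAMPLE = """
<a href="opera:/help/..%5C..%5Csample.htm">upper-case %5C</a>
<a href="OPERA:/help/..%2f..%2fsample.htm">lower-case %2f</a>
<a href="opera:/help/index.html">plain opera: link</a>
<p>Prose that mentions opera:/help/..%5C outside any attribute.</p>
<a href="http://example.test/a/..%2Fb">not an opera: URI</a>
"""

if __name__ == "__main__":
    for tag, attr, uri in flag_opera_uris(SAMPLE):
        print(f"<{tag} {attr}> {uri}")
```
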
Jul. 18, 2004, 04:59 AM
Post: #103
 
Last Updated: July 18, 2004 - 1:00 AM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#

-Modified (IE: Local Zone Access Exploit [Kye-U])
--Fixed False Positive
Jul. 18, 2004, 10:37 AM
Post: #104
 
Code:
Name = "Restricted Cookie Bypass Exploit [Kye-U]"
Replace = "<strong>[Cookie Zone Bypass Exploit Removed]</strong>"
I thought the cookie bypass was for subdirectories, not zones. If one restricted a cookie to "www.joeblow.com/good/", the exploit would allow cookies from anywhere on "www.joeblow.com".
Quote:"$SET(\9=This exploit can bypass cookie restrictions by using known patch errors in multiple browsers.)"
What are patch errors for cookies? Does that mean the browser patch caused the problem?
Jul. 18, 2004, 05:14 PM
Post: #105
 
Siamesecat, I fixed the typo in (Restricted Cookie Bypass Exploit)!

Argh, Firefox crashed when I loaded a "while (true)" exploit! Proxomitron was set on bypass... >_<

I had my ChangeLog Draft typed in the Reply box, so that went along with Firefox...

So, no changelog for this one... haha...but there's not much change in this one anyway. Just 1 or 2 additions, 2 renames, and I've added URL References after the descriptions of most of the filters, except 1 or 2 Mozilla filters.

Also, I've decided to use a version number system!

This will be version 4.07.

Last Updated: July 18, 2004 - 1:13 PM EST

http://prxbx.com/forums/index.ph...topic=131&st=0#