Kill 0-Day IE Exploits - Printable Version

Kill 0-Day IE Exploits - Printable Version

+- The Un-Official Proxomitron Forum (https://www.prxbx.com/forums)
+-- Forum: Proxomitron Filters (/forumdisplay.php?fid=38)
+--- Forum: FIP (/forumdisplay.php?fid=36)
+--- Thread: Kill 0-Day IE Exploits (/showthread.php?tid=765)

Kill 0-Day IE Exploits - Kye-U - Mar. 27, 2006 10:42 PM

Due to the increased threat in regards to 2 0-Day IE Exploits, I've decided to take some time from schoolwork and work on two filters to address these two issues, while not being overkill:

Code:

[Patterns]

Name = "IE: Kill Excessive JS Event Handlers [hpguru] {Kye-U}"

Active = TRUE

Multi = TRUE

URL = "($TYPE(htm)|$TYPE(js))"

Limit = 512

Match = "(\son[a-z]+{3,16}=$AVQ(*))++{20,*}"

Replace = "\k$ALERT(Excessive JS Event Handlers have been detected and killed on:\n\n\u\n\nThe page will not be displayed properly.)"

Name = "IE: Detect createTextRange() Function [Kye-U]"

Active = TRUE

URL = "($TYPE(htm)|$TYPE(js))"

Limit = 17

Match = ".createTextRange\("

        "$CONFIRM(The function "createTextRange()" has been detected on:\n\n\u\n\nWould you like this function to be removed?)"

Replace = ".Shonenscape\("

Feel free to comment on these two filters as I look for more exploits to knock down in my next KBSP release!

Test JS Event Handler here:

http://testing.onlytherightanswers.com/iedie.html

Test "createTextRange" filter here:

http://testing.onlytherightanswers.com/TextRange.html

- Siamesecat - Mar. 28, 2006 07:30 AM

Quote:Test JS Event Handler here:

http://testing.onlytherightanswers.com/iedie.html

My antivirus was triggered by that one.