problem with IE: "Shell"/"Res" Cross Zon
Jul. 16, 2005, 05:16 AM
Post: #2
 
It's matching the "res" parts of the HJT logs :(

Replace "IE: "Shell"/"Res" Cross Zone Exploit [Kye-U]" and "Prevent file access [Siamesecat] {Modified by Kye-U}" with the following filters:

Code:
[Patterns]
Name = "Prevent file access [Siamesecat] {Modified by Kye-U}"
Active = TRUE
URL = "(^(\w.|)(castlecops.com|short-media.com/forum)/)"
Bounds = "<(a|img|input|(no|)script|applet|object|area)\s*<(/*|br)>"
Limit = 1000
Match = "*((GetObject|open)\w|)[^a-z0-9]([a-z]:([\\]+{1,*})(*|)|"
        "(file://(/|)|(res|shell):|)[^a-z0-9][a-z](:|\|)([/]+{1,*})(*|)|"
        "document.open|uploadFile=)*"
Replace = "File Access Removed!"

Name = "IE: "Shell"/"Res" Cross Zone Exploit [Kye-U]"
Active = TRUE
URL = "(^(\w.|)(castlecops.com|short-media.com/forum)/)(^*.(gif|jp(e|)g|png|ico))(^$TYPE(css))"
Limit = 512
Match = "(=|\()$AV(((shell|res)(|2(shell|res)))([:]+{1,3})*)"
        ""
        "&*$SET(Msg=)($TST(svAlert=1)$SET(Msg=$ALERT(IE: "Shell"/"Res" Cross Zone Exploit Detected on:\n\n\u))|)"
        "$SET(\9=This exploit can execute possibly malicious programs with permissions of the My Computer Zone."
        ""
        "Version(s) Vulnerable: 6.0 (SP1)"
        "http://www.securityfocus.com/bid/9628/info/"
        "http://www.securityfocus.com/bid/10943/info/)"
Replace = "$GET(Msg)$SET(Msg=)"

I will include this in my next release. (Perhaps I'll have to implement a bypass list...)
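Added example, not part of the original post and not Proxomitron's own code: a Python sketch of the bypass list the post mentions, using the two sites from the filters' URL lines. The trigger regex is a simplified stand-in for the Match line (allowing whitespace after the `=` is an assumption), and the function names and sample strings are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# (host, path prefix) pairs taken from the URL lines of the two filters.
BYPASS = [("castlecops.com", "/"), ("short-media.com", "/forum/")]

# Simplified trigger (assumption, not Proxomitron's exact $AV semantics):
# "=" or "(", optional quote, shell/res (optionally "2shell"/"2res"), 1-3 colons.
TRIGGER = re.compile(r"""[=(]\s*["']?(?:shell|res)(?:2(?:shell|res))?:{1,3}""", re.I)

def is_bypassed(url):
    """True when the URL belongs to a site on the bypass list."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    # Compare on label boundaries so "castlecops.com.example.net" is not
    # treated as castlecops.com (a choice of this sketch).
    return any((host == h or host.endswith("." + h)) and path.startswith(p)
               for h, p in BYPASS)

def should_alert(url, body):
    """Alert only when the page is not bypassed and the trigger is present."""
    return not is_bypassed(url) and TRIGGER.search(body) is not None

# Constructed samples: a HijackThis-style log line quoted on a forum page,
# and a tag that references the res: protocol.
HJT_LINE = (r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,"
            r"Search Bar = res://C:\WINDOWS\TEMP\example.dll/sp.html")
PAGE_TAG = '<a href="res://example.dll/page.htm">link</a>'

if __name__ == "__main__":
    for url, body in [
        ("http://www.castlecops.com/t123.html", HJT_LINE),          # bypassed
        ("http://short-media.com/forum/showthread.php", HJT_LINE),  # bypassed
        ("http://short-media.com/news/", PAGE_TAG),                 # outside /forum/
        ("http://example.org/help-thread.html", HJT_LINE),          # not listed
    ]:
        print(url, "->", "ALERT" if should_alert(url, body) else "pass")
```

The last sample shows the limit of a bypass list: a log pasted on any site that is not listed still triggers the alert.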


Messages In This Thread
problem with IE: "Shell"/"Res" Cross Zon - crunchie - Jul. 16, 2005, 04:45 AM
[] - Kye-U - Jul. 16, 2005 05:16 AM