Kill WMF-Exploit Files
Jan. 02, 2006, 01:49 PM
Post: #16
I can also confirm the filter breaks my firefox 1.0.7 in that pages where I normally filter out certain header sections that contain banners or variable content (like an online newspaper), these sections all of a sudden are now showing up. When I disable these latest rules, my pages load normally again.
Jan. 02, 2006, 07:41 PM
Post: #17
Interesting conflict with sidki's set. Or maybe it's my setup, but oh well.
After merging the latest version of your WMF exploit filters, it seems like (some?) large gif images just stop downloading/only partially render. It happens for example on the large benchmark graphs here (Tomshardware.com). And a few other sites as well. I'm no proxo expert, but I guess it's because (with filtering enabled for all extensions), some of sidki's web filters are corrupting the images. I've resolved this problem I think by modifying "Top All Mark: Start 4.07.11 (multi) [sd] (d.r)".
Code: Name = "Top All Mark: Start 4.07.11 (multi) [sd] (d.r)"
Added "(^$IHDR(Content-Type: *image/jpeg*))" to the matching expression. I guess that turns off whatever filter(s) would corrupt the image. Filters that shouldn't be touching binary files. The wmf exploit filter still works, so I guess that's good enough. Oh, and thanks for the hard work Kye-U.
- Kevin
Jan. 02, 2006, 09:19 PM
Post: #18
Antaeogo,
This is the first Proxomitron filter of its kind, and it's bound to conflict with existing filters, and one reason is because its URL Match isn't specific enough. I mean, leaving it blank was fine, but now with this filter, it must be stated that the filter would filter everything else other than non-standard files, by the use of (^$TYPE(oth)) into the URL Match. I think adding this in the above filter would also fix the problem.
Code: Name = "Top All Mark: Start 4.07.11 (multi) [sd] (d.r)"
Jan. 02, 2006, 09:22 PM
Post: #19
susa Wrote:
> I can also confirm the filter breaks my firefox 1.0.7 in that pages where I normally filter out certain header sections that contain banners or variable content (like an online newspaper), these sections all of a sudden are now showing up

That's very weird... Can you post a log file of when you have the latest rules enabled and when you're going to that page? Also, if possible, can you post your filter?
Jan. 02, 2006, 09:49 PM
Post: #20
> I think adding this in the above filter would also fix the problem

It does, thank you. Seems so much simpler that way, 'O wise one.
- Kevin
Jan. 02, 2006, 10:17 PM
Post: #21
Kye-U, this is the Proxo log when loading your website in Opera using your WMF filters in Sidke's config:
Quote: New Message Log Window....
In IE I get this:
Quote: *** Log Reset ***
No problems with your filter within IE.
Jan. 02, 2006, 10:25 PM
Post: #22
THAT's A LOT OF STUFF! Sorry
Jan. 02, 2006, 10:48 PM
Post: #23
Edited out your cookie data and made it look prettier.
What do you see again when you have my rules enabled and when using Opera? I sense it is something to do with these filters:
Match 725: Top All Mark: Start 4.07.11 (multi) [sd] (d.r)
Match 725: Top All Mark: End 3.12.08 [sd] (d.r)
Try adding (^$TYPE(oth)) into the URL Match of both these filters, and try again.
Jan. 03, 2006, 12:26 AM
Post: #24
I've created a filter to help prevent other filters from matching non-standard files.
Follow these steps:
1. Download the attached config file, extract it to where you installed Proxomitron, and load it in Proxomitron.
2. Go to your Proxomitron folder, and rename the *.cfg file (default.cfg, etc) to *.txt. (Feel free to make a backup at this point, by copying it to another folder.)
3. In Proxomitron's main window, press CTRL + F.
4. Go to your Proxomitron folder and select your config file: *.txt and open it.
5. Your browser should open, and the filter should run through the filters and update everything automatically.
6. Highlight everything on the page and copy it.
7. Open the *.txt file in Notepad (or a text-editor), select all and paste the updated configuration file.
8. Save it and rename the *.txt file back to *.cfg.
9. Load your updated configuration file up, and test it out.
Jan. 03, 2006, 01:43 AM
Post: #25
Adding "(^$IHDR(Content-Type: *image/jpeg*))" to the "Top All Mark: Start" filter fixes my problems in Opera. Now, if only I knew what the heck I was doing! I am concerned about messing up Sidke's configuration, but so far so good. Thanks again guys. BTW, welcome to the community, Antaeogo.
Jan. 03, 2006, 03:32 AM
(This post was last modified: Jan. 03, 2006 03:43 AM by z12.)
Post: #26
Hi Kye-U
It seems that I was wrong about the wmf exploit not working if the code wasn't 0x0626. I just tried a new test wmf from here http://isc.sans.org/diary.php?date=2006-01-02 on a XP Pro SP2 machine that did not have Ilfak Guilfanov's unofficial patch, and the exploit worked (calculator opened & explorer shut down) when I moved the cursor over the file name in windows explorer. BTW, it's using 26 00 09 00. Not the first time I've been wrong, and it certainly won't be the last. So keep up the good work. By the way, that's an interesting filter you got there. A filter to modify proxo's filters. Very clever.
Mike
Jan. 03, 2006, 03:42 AM
Post: #27
Thanks z12
Now there isn't anything wrong with my filters; there's something wrong with all of the other filters (well, a majority). Seems like we need to set a new standard when writing filters, to insert (^$TYPE(oth)) instead of leaving the URL Match blank. My filter should do this quickly and efficiently (I considered all scenarios, such as, if you had $TYPE(oth) already there, it won't match, and if you had no URL Match entry, it would create one and insert (^$TYPE(oth)), and other scenarios).
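The rewrite that the config-updating filter from posts #24 and #27 performs, re-done as an added Python script rather than the attached Proxomitron filter. It assumes the .cfg layout shown in the constructed sample below: one `Key = "value"` per line, and a blank URL Match written by simply omitting the URL line; that layout is an assumption and is not verified against Proxomitron here.

```python
import re

TYPE_OTH = "(^$TYPE(oth))"          # URL Match prefix that keeps a filter off non-standard files
_URL_LINE = re.compile(r'^URL = "(.*)"\s*$')

# Constructed sample config (not a file from the thread), in the layout assumed here:
# one Key = "value" per line, and a blank URL Match written by omitting the URL line.
SAMPLE_CFG = """[Patterns]
Name = "Example A: no URL Match"
Match = "foo"
Replace = "bar"

Name = "Example B: HTML only"
URL = "$TYPE(htm)"
Match = "foo"
Replace = "bar"

Name = "Example C: already excluded"
URL = "(^$TYPE(oth))"
Match = "foo"
Replace = "bar"
"""


def add_type_oth(cfg_text: str) -> str:
    """Prepend (^$TYPE(oth)) to every URL Match in [Patterns] that lacks $TYPE(oth),
    creating the URL line right after the Name line when a filter has none."""
    out, in_patterns, name_idx, has_url = [], False, None, True

    def close_filter():                      # runs when the current filter ends
        if name_idx is not None and not has_url:
            out.insert(name_idx + 1, f'URL = "{TYPE_OTH}"')

    for line in cfg_text.splitlines():
        if line.startswith("["):             # a new section ends the current filter
            close_filter()
            name_idx, in_patterns = None, line.strip().lower() == "[patterns]"
        elif in_patterns and line.startswith("Name = "):
            close_filter()
            name_idx, has_url = len(out), False
        elif in_patterns and name_idx is not None:
            m = _URL_LINE.match(line)
            if m:
                has_url = True
                if "$TYPE(oth)" not in m.group(1):   # already-excluded filters are left alone
                    line = f'URL = "{TYPE_OTH}{m.group(1)}"'
        out.append(line)
    close_filter()
    return "\n".join(out) + "\n"
```

Running the rewrite twice leaves the config unchanged the second time, which is the "won't match if $TYPE(oth) is already there" behaviour the post describes.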
Jan. 03, 2006, 03:46 AM
(This post was last modified: Jan. 03, 2006 03:52 AM by Antaeogo.)
Post: #28
Other interesting stuff.
While downloading some quicktime .mov clips, the WMF exploit filter was tripped (received the alert, download killed) well after they started to download. http://www.sg1archive.com/ It's the first news article, 'new stargate commercials...', the quicktime movies on the Video #2 and Video #4 links.
On the #2 clip, it downloads 680+kb before I get the alert. (direct link to quicktime .mov file)
On the #4 clip, it downloads 210+kb before the alert. (direct link to quicktime .mov file)
Whether or not this can be prevented by modifying the filter, I don't know - that's your specialty. But it's no big deal, this is what bypass is for. Just thought I'd share.
Jan. 03, 2006, 03:51 AM
Post: #29
Ah, a false positive! I've been waiting for one.
Seems like I could make the first flag more specific (which is the WMF File Header). I shall work on it and release a new version ASAP!
Jan. 03, 2006, 04:06 AM
Post: #30
Code: [Patterns]
Now matches the Windows Version header and the Number of Parameters, which is always 0. The Windows Version header would always be 0x0300 it seems, according to http://www.geocad.ru/new/site/Formats/Gr...f/wmf.txt:
Quote: mtVersion Specifies the Windows version number. The version number for Windows version 3.0 and later is 0x300.
Tested it out on the two clips, and it seems to have solved the FP.
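The tightened header check that post #30 arrives at (mtHeaderSize of 9 WORDs, mtVersion 0x0300, mtNoParameters 0), written out as an added Python example; it is not Kye-U's filter, and the three sample byte strings are constructed here, with the QuickTime prefix standing in for the .mov clips that tripped the earlier, looser match.

```python
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # magic DWORD of the optional Aldus placeable header
PLACEABLE_HEADER_LEN = 22        # key, handle, 4 bbox shorts, inch, reserved, checksum
STANDARD_HEADER_LEN = 18         # mtType .. mtNoParameters

# Constructed sample inputs (not files from the thread): a standard metafile header,
# the same header behind a placeable header, and the first bytes of a QuickTime .mov.
WMF_SAMPLE = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0x20, 0, 0, 0) + b"\x00" * 8
PLACEABLE_WMF_SAMPLE = (struct.pack("<IHhhhhHIH", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
                        + WMF_SAMPLE)
MOV_SAMPLE = b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00qt  "


def looks_like_wmf(data: bytes) -> bool:
    """True if `data` starts with a plausible Windows Metafile header.

    Uses the fields the thread settled on: mtHeaderSize is always 9 (in WORDs),
    mtVersion is 0x0300 for Windows 3.0 and later, and mtNoParameters is always 0.
    mtType is not part of the check, matching the fields post #30 relies on.
    """
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        offset = PLACEABLE_HEADER_LEN          # skip the placeable header if present
    if len(data) < offset + STANDARD_HEADER_LEN:
        return False                           # too short to hold a standard header
    (_mt_type, header_size, version, _file_size,
     _n_objects, _max_record, n_params) = struct.unpack_from("<HHHIHIH", data, offset)
    return header_size == 9 and version == 0x0300 and n_params == 0


if __name__ == "__main__":
    for name, blob in [("wmf", WMF_SAMPLE), ("placeable wmf", PLACEABLE_WMF_SAMPLE),
                       ("quicktime", MOV_SAMPLE)]:
        print(f"{name:14s} -> {'WMF header' if looks_like_wmf(blob) else 'not WMF'}")
```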