Post Reply 
Kill 0-Day IE Exploits
Mar. 27, 2006, 10:42 PM
Post: #1
Kill 0-Day IE Exploits
Due to the increased threat in regards to 2 0-Day IE Exploits, I've decided to take some time from schoolwork and work on two filters to address these two issues, while not being overkill:

Code:
[Patterns]
Name = "IE: Kill Excessive JS Event Handlers [hpguru] {Kye-U}"
Active = TRUE
Multi = TRUE
URL = "($TYPE(htm)|$TYPE(js))"
Limit = 512
Match = "(\son[a-z]+{3,16}=$AVQ(*))++{20,*}"
Replace = "\k$ALERT(Excessive JS Event Handlers have been detected and killed on:\n\n\u\n\nThe page will not be displayed properly.)"

Name = "IE: Detect createTextRange() Function [Kye-U]"
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js))"
Limit = 17
Match = ".createTextRange\("
        "$CONFIRM(The function "createTextRange()" has been detected on:\n\n\u\n\nWould you like this function to be removed?)"
Replace = ".Shonenscape\("

Feel free to comment on these two filters as I look for more exploits to knock down in my next KBSP release!

Test JS Event Handler here:

http://testing.onlytherightanswers.com/iedie.html

Test "createTextRange" filter here:

http://testing.onlytherightanswers.com/TextRange.html
Visit this user's website
Add Thank You Quote this message in a reply
Mar. 28, 2006, 07:30 AM
Post: #2
 
Quote:Test JS Event Handler here:

http://testing.onlytherightanswers.com/iedie.html
My antivirus was triggered by that one.
Add Thank You Quote this message in a reply
Post Reply 


Forum Jump: