Incorrect capitalisation of "null" for GET request
Closed this issue · 3 comments
GoogleCodeExporter commented
What steps will reproduce the problem?
Using steps in:
https://media.blackhat.com/bh-us-10/whitepapers/Heffner/BlackHat-USA-2010-Heffner-How-to-Hack-Millions-of-Routers-wp.pdf
1. Prepare example scenario
2. Sign up domain with registrar
3. Configure domain NS records to point to attacker
4. Connect to http://attacker.com/init/
5. Rebind responds with its own IP
6. HTTP GET to /init
7. Rebind Sets Location header to random sub domain of attacker.com (eg
hfrcc.attacker.com)
8. Victim queries DNS to connect to hfrcc.attacker.com/exec
9. Rebind responds with Attacker IP and Victim IP
10. Victim does HTTP GET to /exec, connecting to Attacker IP
11. Rebind responds with JavaScript code to set up callbacks etc, brings up
iptables firewall to REJECT traffic
12. JavaScript connects to hfrcc.attacker.com/, connects to rebind first
(thanks to DNS Pinning)
13. rebind connection fails (thanks to iptables in step 11)
14. Victim successfully connects to next IP address (Victim's modem's IP)
15. Calls to hfrcc.attacker.com now will connect just to the victim's modem
16. Victim connects to rebind callback port for a /poll request
17. Rebind responds with JavaScript callback request() <- this is the message
that is causing issues
What is the expected output? What do you see instead?
Step 17 responds with the standard HTTP headers, with the additional JavaScript:
##############################
request('4','/',NULL,'Host: victimIP%%User-Agent: <snip>');
##############################
This calls the request function already set up during step 11; the NULL value
indicates there is no POST data to send. Unfortunately, Internet Explorer 8
interprets this NULL as a variable; IE8 expects a null string to be written in
lower case. For example:
##############################
request('4','/',null,'Host: victimIP%%User-Agent: <snip>');
##############################
What version of the product are you using? On what operating system?
Internet Explorer 8.0.6001.18928, with Windows Vista.
Please provide any additional information below.
I've created a small patch file I was able to apply to resolve the issue for
me. The changes are probably not in the preferred section, but it will
hopefully be enough to demonstrate the issue. See attached patch file.
Original issue reported on code.google.com by bradstaone@gmail.com
on 9 Aug 2010 at 5:09
GoogleCodeExporter commented
This is a bug in the release binaries only. The www/payload.html file contains
the JavaScript declaration 'var NULL=null;' to prevent this error.
Unfortunately, it appears that this line was accidentally deleted when building
the 0.3.3 binary release. The www/payload.html file in the source tree contains
the correct declaration.
I will re-compile the 0.3.3 binaries and upload them ASAP.
Original comment by heffne...@gmail.com
on 9 Aug 2010 at 11:55
- Changed state: Accepted
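Added example, not code from the Rebind project or from either commenter: the callback line from step 17 evaluated under three conditions (upper-case NULL with no declaration, lower-case null, and upper-case NULL after the 'var NULL=null;' declaration), plus a release smoke test built on it. The stub request(), the helper names evaluateCallback and payloadHandlesCallback, and the constants are assumptions made for the illustration.

```javascript
// Callback line as quoted in the report (step 17) and its lower-case form.
const CALLBACK_UPPER = "request('4','/',NULL,'Host: victimIP%%User-Agent: <snip>');";
const CALLBACK_LOWER = "request('4','/',null,'Host: victimIP%%User-Agent: <snip>');";
// Declaration the maintainer says www/payload.html carries in the source tree.
const SHIM = "var NULL=null;";

// Hypothetical helper: run one callback line as script text, after an optional
// prelude, against a stub request() that records arguments and sends nothing.
function evaluateCallback(callbackSource, prelude = "") {
  const calls = [];
  const request = (id, path, postData, headers) => {
    calls.push({ id, path, postData, headers });
  };
  try {
    // new Function compiles in sloppy mode, like an inline page script, so an
    // undeclared identifier is looked up as a global and throws if absent.
    new Function("request", prelude + callbackSource)(request);
  } catch (err) {
    return { ok: false, error: err.name, message: err.message, calls };
  }
  return { ok: true, error: null, message: null, calls };
}

// Hypothetical release smoke test: does the payload prelude make the emitted
// callback evaluate, and does request() receive null as its POST data?
function payloadHandlesCallback(prelude, callbackSource) {
  const result = evaluateCallback(callbackSource, prelude);
  return result.ok && result.calls.length === 1 && result.calls[0].postData === null;
}

console.log(evaluateCallback(CALLBACK_UPPER).error);        // ReferenceError
console.log(evaluateCallback(CALLBACK_LOWER).ok);           // true
console.log(payloadHandlesCallback(SHIM, CALLBACK_UPPER));  // true
console.log(payloadHandlesCallback("", CALLBACK_UPPER));    // false
```

Running payloadHandlesCallback against the payload shipped in a release, with the exact callback text the server emits, would catch a build that is missing the declaration before it is uploaded.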
GoogleCodeExporter commented
Fixed NULL bug. Also fixed: previous changes to XmlHttpRequests had not been
committed. Uploaded new version, 0.3.4.
Original comment by heffne...@gmail.com
on 10 Aug 2010 at 1:23
- Changed state: Fixed
GoogleCodeExporter commented
Thanks, confirming the issue has been resolved in 0.3.4
Original comment by bradstaone@gmail.com
on 10 Aug 2010 at 3:06