Internet Explorer - NUL Demos
Internet Explorer ignores NUL characters (that is, ASCII characters with the value 0x00); most security software does not. You can embed NUL characters anywhere in an HTML document, even inside tags, and IE parses the file as if they were not there. This page illustrates this with different demos. To check how your antivirus or content security solution handles NUL characters, there are several versions of each demo:
- Original: a demo without NUL characters
- single NUL: inserted one NUL character
- multiple NUL: every other char is NUL (only in the relevant part)
- UTF-16: file converted to UTF-16, sent with wrong Content-Type: text/html; charset=iso-8859-1
- UTF-32: file converted to UTF-32, sent with wrong Content-Type: text/html; charset=iso-8859-1
- 4097: inserted multiple blocks with 4097 NULs
Note: All the demos have been verified to work with Internet Explorer; the exploits were tested with vulnerable versions of IE. The demos are designed to do no harm to your system (although we cannot guarantee this). However, the exploit demos can, and in fact should, trigger antivirus software and intrusion detection/prevention systems.
JavaScript
This demo opens a JavaScript alert box:
<script>alert("Hello world");</script>
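A scanner-side check for the variants listed above, as an added example that is not part of the original demos: it rebuilds the six variants from the harmless alert-box script and compares a raw signature match with a match made after dropping NUL bytes, which is how IE reads the file. The signature, the function names and the surrounding HTML are assumptions made for this example.

```python
import re

# Constructed, harmless sample: the alert-box script from the JavaScript demo.
ORIGINAL = b'<html><body><script>alert("Hello world");</script></body></html>'

# Hypothetical scanner signature, chosen for this example only.
SIGNATURE = re.compile(rb"<script[^>]*>", re.IGNORECASE)

def build_variants(original: bytes) -> dict:
    """Constructed test inputs mirroring the demo variants listed above."""
    text = original.decode("ascii")
    start = original.index(b"<script")
    end = original.index(b"</script>") + len(b"</script>")
    spaced = b"".join(bytes([c, 0]) for c in original[start:end])
    pad = b"\x00" * 4097
    cut = start + 2  # a position inside the opening tag
    return {
        "original": original,
        "single_nul": original[:cut] + b"\x00" + original[cut:],
        "multiple_nul": original[:start] + spaced + original[end:],
        "utf16": text.encode("utf-16"),
        "utf32": text.encode("utf-32"),
        "4097": pad + original[:cut] + pad + original[cut:] + pad,
    }

def naive_scan(raw: bytes) -> bool:
    """Match the signature against the bytes exactly as received."""
    return SIGNATURE.search(raw) is not None

def normalized_scan(raw: bytes) -> bool:
    """Drop NUL bytes first, so the scanner sees what IE would parse."""
    return SIGNATURE.search(raw.replace(b"\x00", b"")) is not None

def nul_count(raw: bytes) -> int:
    """NULs in a text/html body are an anomaly worth logging on their own."""
    return raw.count(b"\x00")

def compare(original: bytes = ORIGINAL) -> dict:
    """Return (naive hit, normalized hit, NUL count) per variant."""
    return {name: (naive_scan(raw), normalized_scan(raw), nul_count(raw))
            for name, raw in build_variants(original).items()}

if __name__ == "__main__":
    for name, (naive, normalized, nuls) in compare().items():
        print(f"{name:13} naive={naive!s:5} normalized={normalized!s:5} NULs={nuls}")
```

Only the Original is caught by the raw match; after NUL stripping all six variants match, and the NUL count gives a separate anomaly signal for content served as text/html.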
Exploit for ADODB hole (MS03-048)
Note: This demo exploit tries to create and execute the file C:\browsercheck.exe. It works with an unpatched Internet Explorer in all listed variants. If your AV solution or IDS/IPS shows an alert on the Original, it should do the same with all of the other versions.
Exploit for mhtml hole (MS04-013)
Note: This demo exploit tries to create the file C:\browsercheck.exe. It works with an unpatched Internet Explorer in all listed variants. If your AV solution or IDS/IPS shows an alert on the Original, it should do the same with all of the other versions.