Embedding Null Code
Contributor(s): Till Maas, ADubhlaoich
The Embedding NULL Bytes/characters technique exploits applications that don’t properly handle postfix NULL terminators. This technique can be used to perform other attacks such as directory browsing, path traversal, SQL injection, execution of arbitrary code, and others. It can be found in lots of vulnerable applications and there are lots of exploits available to abuse systems.
This technique includes several variations to represent the postfix NULL terminator:
PATH[alternate representation of NULL character]
The following example shows the use of this technique to modify a URL and access arbitrary files on a filesystem due a PHP script vulnerability.
$whatever = addslashes($_REQUEST['whatever']);
include("/path/to/program/" . $whatever . "/header.htm");
By manipulating the URL using postfix NULL bytes, one can access the UNIX password file:
Adobe PDF ActiveX Attack
Another attacks consists of exploitating buffer overflow in ActiveX components (pdf.ocx) to allow remote code execution.
The attack occurs when a link is requested as follows:
GET /some_dir/file.pdf.pdf%00[long string] HTTP/1.1
This exploit can be used against a web server that truncates the request at
the null byte
%00, such as Microsoft IIS and Netscape Enterprise web servers.
Though the requested URI is truncated when locating the file, the full string
is still passed to the Adobe ActiveX component. It then triggers a buffer
RTLHeapFree(), allowing an attacker to overwrite arbitrary
It can be performed by adding malicious content to the end of any embedded link that references a Microsoft IIS or Netscape Enterprise web server.