NUL Demos

This page demonstrates techniques to evade Antivirus Software and Intrusion Detection Systems using NUL characters embedded in HTML pages. See our article Null Problemo.

For each category there are several versions of the demo:

  1. Original: a demo without NUL characters
  2. single NUL: inserted one NUL character
  3. multiple NUL: every other char is NUL (only in the relevant part)
  4. UTF-16: file converted to UTF-16, sent with correct Content-Type: text/html; charset=utf-16
  5. UTF-32: file converted to UTF-32, sent with wrong Content-Type: text/html; charset=iso-8859-1
  6. 4097: inserted multiple blocks with 4097 NULs

Note: The demos are designed to do no harm to your system (although we do not guarantee this). However, the exploit demos can and in fact should trigger Antivirus software and Intrusion Detection/Prevention Systems.
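For scanner authors, the following added example (not part of the original demos or of any product) shows a normalization step that makes a signature match all six variants listed above, using only the harmless alert page. The signature, the function names and the exact positions of the inserted NULs are assumptions made for illustration.

```python
import codecs
import re

# Constructed stand-in for a scanner signature; real products use their own rules.
SIGNATURE = re.compile(rb"<script\b", re.IGNORECASE)

# UTF-32 BOMs first: the UTF-32-LE BOM begins with the UTF-16-LE BOM bytes.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def views(body: bytes) -> list[bytes]:
    """Candidate byte views of a response body, all NUL-free."""
    # Raw view with NULs dropped: covers NUL padding and ASCII text in UTF-16/32.
    out = [body.replace(b"\x00", b"")]
    for bom, enc in BOMS:
        if body.startswith(bom):
            text = body[len(bom):].decode(enc, errors="replace")
            out.append(text.replace("\x00", "").encode("utf-8"))
    return out

def naive_scan(body: bytes) -> bool:
    """Signature match on the raw bytes, as a scanner without normalization would do."""
    return SIGNATURE.search(body) is not None

def scan(body: bytes) -> bool:
    """Match on every view; the declared Content-Type charset is not trusted."""
    return any(SIGNATURE.search(v) for v in views(body))

def constructed_samples() -> dict[str, bytes]:
    """The six variants, built from the harmless alert page (NUL positions assumed)."""
    page = '<script>alert("Hello world");</script>'
    raw = page.encode("ascii")
    return {
        "original": raw,
        "single NUL": raw[:4] + b"\x00" + raw[4:],
        "multiple NUL": b"\x00".join(raw[i:i + 1] for i in range(len(raw))),
        "UTF-16": page.encode("utf-16"),
        "UTF-32": page.encode("utf-32"),
        "4097": raw[:4] + b"\x00" * 4097 + raw[4:],
    }

if __name__ == "__main__":
    for name, body in constructed_samples().items():
        print(f"{name:13} naive={naive_scan(body)!s:5} normalized={scan(body)}")
```

Matching on several views instead of one decoded form matters for variant 5, where the Content-Type header does not describe the bytes actually sent.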

JavaScript

This demo opens a JavaScript alert box:

<script>alert("Hello world");</script>

All versions of this demo work with Internet Explorer. The behaviour of other browsers depends on language settings.

  1. Original
  2. single NUL
  3. multiple NULs
  4. UTF-16
  5. UTF-32
  6. 4097

Exploit for ADODB hole (MS03-048)

Note: This demo exploit tries to create and execute the file C:\browsercheck.exe. It works with an unpatched Internet Explorer in all listed variants. If your AV-solution or IDS/IPS shows an alert on the Original it should do the same with all of the other versions. If it doesn't, please report this behaviour to red@heisec.de and include product name, version and patch level. Thanks.

  1. Original
  2. single NUL
  3. multiple NULs
  4. UTF-16
  5. UTF-32
  6. 4097

Exploit for mhtml hole (MS04-013)

Note: This demo exploit tries to create the file C:\browsercheck.exe. It works with an unpatched Internet Explorer in all listed variants. If your AV-solution or IDS/IPS shows an alert on the Original it should do the same with all of the other versions. If it doesn't, please report this behaviour to red@heisec.de and include product name, version and patch level. Thanks.

  1. Original
  2. single NUL
  3. multiple NULs
  4. UTF-16
  5. UTF-32
  6. 4097