Matteo Carli wrote me today to discuss some RFI and JS stuff. We’ve been talking a lot about what uploaded images can do lately, but embedded JS is an interesting one for a few reasons. If you needed a drop for a payload, for instance. Here’s part of his email (edited slightly for formatting):
So I created a simple PHP test like this:
<?php include 'myimage.gif'; ?>
and the result is like this. An image like this can be saved on a hosting site (like imageshack) for use in an RFI attack.
*special binary char
I’ve created a special GIF image.
To keep the GIF header as it was, I've added "=1" so the JS engine does not treat the header chars as an undefined variable. To escape the special chars I've used a long comment, "/*" and "*/". This image is a valid GIF and valid JS that can be used as a script source like: <script src=myimage.gif>
I think it's useful for evading filters and hosting malicious JS code on wide, well-known image hosting sites.
The =1 trick is pretty clever, and indeed simple things like that can stop a lot of JS parse errors from happening (IE is often stricter about that than Firefox, but your mileage may vary). Anyway, interesting trick. Nice work by Matteo!
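For anyone running an image host or upload form, here is a check that walks the GIF block structure and flags the layout Matteo describes (the "=1" after the header, a "/*" hidden in the screen descriptor, and script-looking data sitting after the GIF trailer). This is an added example, not code from the email; the two sample files are constructed here, and the token regex is a heuristic you would tune for your own traffic.

```python
import re

# Constructed samples (not Matteo's file): a polyglot laid out as the post describes, with
# "GIF89a=1;/*" as header + screen descriptor, a 1x1 image, the trailer, then "*/" and a
# placeholder script; and the same 1x1 image as a plain GIF for comparison.
SAMPLE_POLYGLOT = (
    b"GIF89a" + b"=1;/*" + b"\x00\x00"                    # header + logical screen descriptor
    + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # 1x1 image descriptor
    + b"\x02\x02\x44\x01\x00"                            # LZW min code size + data sub-blocks
    + b"\x3b" + b"*/console.log('polyglot');//"          # trailer, then appended script
)
SAMPLE_CLEAN = (
    b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
)
JS_TOKENS = re.compile(rb"\*/|function\b|eval\(|document\.|<script")

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks (length byte + payload; 0 ends)."""
    while pos < len(data) and data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def inspect_gif(data: bytes) -> dict:
    """Walk the GIF block structure and report signs of an embedded script."""
    flags = []
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return {"trailing_bytes": 0, "flags": ["not a GIF header"]}
    if data[6:8] == b"=1":                 # the header now reads as the JS statement GIF89a=1
        flags.append("header followed by '=1'")
    if b"/*" in data[6:13]:                # comment opener hidden in the screen descriptor
        flags.append("'/*' inside logical screen descriptor")
    packed = data[10]                      # bit 7: global colour table, bits 0-2: its size
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B is the GIF trailer
        sep, pos = data[pos], pos + 1
        if sep == 0x2C:                    # image descriptor, optional local colour table
            ipacked = data[pos + 8]
            pos += 10 + (3 * (2 << (ipacked & 7)) if ipacked & 0x80 else 0)
        elif sep == 0x21:                  # extension: one label byte, then sub-blocks
            pos += 1
        else:
            flags.append(f"unknown block 0x{sep:02x} at offset {pos - 1}")
            return {"trailing_bytes": 0, "flags": flags}
        pos = _skip_sub_blocks(data, pos)
    trailing = data[pos + 1:]              # anything a viewer would ignore after the trailer
    if JS_TOKENS.search(trailing):
        flags.append("script-like data after GIF trailer")
    return {"trailing_bytes": len(trailing), "flags": flags}
```

Rejecting or re-encoding any upload that reports trailing bytes is the simplest defence, since a re-encoded GIF drops everything after the trailer and rewrites the screen descriptor.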