Merge pull request samyk#3 from irsdl/main
minor php bug fixing + typo fix + adding examples
samyk authored Nov 2, 2020
2 parents 72cdd47 + a319c5e commit dd77d62
Showing 2 changed files with 30 additions and 9 deletions.
17 changes: 15 additions & 2 deletions README.md
@@ -38,7 +38,8 @@ Table of Contents
* [Browser Protocol Confusion](#browser-protocol-confusion)
* [Live Browser Packet Alteration](#live-browser-packet-alteration)
* [Other Findings](#other-findings)
* [Example / Download](#example--download)
* [Download](#Download)
* [Example](#Example)
* [Contact](#contact)

# Summary
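Review bot: the two new anchors `#Download` and `#Example` break the lowercase-slug convention every other entry in this table of contents uses (`#browser-protocol-confusion`, `#contact`); GitHub generates heading ids in lowercase, so write `#download` and `#example`. The Download entry also has no visible target: the later README hunk adds only a `# Example` heading, so confirm a `# Download` heading exists elsewhere in the file or this link will be dead.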
@@ -355,7 +356,7 @@ SIP lives on TCP/UDP 5060, but media like RTP (audio) is sent on alternate ports

Assuming NATs reader SIP packets line by line (SIP is newline-based like HTTP and is not a binary protocol), perhaps it will ignore the HTTP header and once it gets to the POST data, read the REGISTER and believe it's a SIP packet. This worked in our 2010 version for the IRC DCC. The NAT ignored the HTTP header and just parsed the IRC DCC command.

Funny thing, this also allowed us to actually make users who visit our site connect to a *legitimate* IRC server, join a channel, and send a message from their IP without them knowing! :P I demo'd this technique fo sending email to mail servers with client IP addresses before port 25 was blocked by browsers and before SPF records were common...craziness.
Funny thing, this also allowed us to actually make users who visit our site connect to a *legitimate* IRC server, join a channel, and send a message from their IP without them knowing! :P I demo'd this technique for sending email to mail servers with client IP addresses before port 25 was blocked by browsers and before SPF records were common...craziness.

Now, in a quick test, sending a SIP REGISTER packet over port 5060 through an HTTP POST doesn't seem to work...perhaps we're missing something from the packet.

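Review bot: the unchanged context line two lines above the `fo` to `for` fix still reads `Assuming NATs reader SIP packets line by line`, which should be `read`; fold it into the same typo pass rather than leaving it for another commit.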
@@ -545,6 +546,18 @@ These are not used in this attack, but are interesting nonetheless and could pot

Thanks for reading! You can download the proof of concept code from my [NAT Slipstream github](https://github.com/samyk/slipstream).

# Example

Normal example:
```
https://samy.pl/slipstream/server
```

Setting a local IP address when it cannot be obtained:
```
https://samy.pl/slipstream/server?localip=192.168.1.1
```

# Contact

**Point of Contact:** [@SamyKamkar](https://twitter.com/samykamkar)
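Review bot: the new Example section documents only `localip`, but the server page in this same commit also reads a `port` query parameter (`$_GET['port']`, defaulting to 3306), which is the knob a user actually needs to change to match the `nc` listener; add an example such as `https://samy.pl/slipstream/server?port=5060` and say what `localip` is substituted for (the client's internal address, when the in-browser scan cannot determine it), since "when it cannot be obtained" does not tell a reader how they would know that.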
22 changes: 15 additions & 7 deletions server
@@ -21,10 +21,13 @@

<p>
please run:<br>
<?php $port = @$_GET['port'] ? $_GET['port'] : 3306 ?>
<code>echo something here | (nc -vl <? echo $port ?> || nc -vvlp <? echo $port ?>)</code><p>
<?php
$port = @$_GET['port'] ? $_GET['port'] : 3306;
$port = preg_replace("/[^0-9]/", "", $port); // to fix the xss issue
?>
<code>echo something here | (nc -vl <?php echo $port; ?> || nc -vvlp <?php echo $port; ?>)</code><p>
then hit the button below<br>
<form name=woot>Port: <input id=port type=text name=port value=<? echo $port ?>>
<form name=woot>Port: <input id=port type=text name=port value=<?php echo $port; ?>>
&nbsp; <input type=button id=button value="please wait" disabled onClick="natpin()"><p>
</form>
<hr>
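Review bot: `preg_replace("/[^0-9]/", "", $port)` stops the reflected XSS but does not restore the default when nothing survives the filter: `?port=abc` leaves `$port` empty, so the page prints `nc -vl  || nc -vvlp ` and an empty `value=`, and `?port=99999` passes through as an impossible port. Casting and range-checking is shorter and closes both cases, e.g. `$port = isset($_GET['port']) ? (int)$_GET['port'] : 3306; if ($port < 1 || $port > 65535) $port = 3306;`. Also quote the attribute (`value="<?php echo $port; ?>"`) so the output stays well-formed if the sanitiser is ever loosened.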
@@ -38,7 +41,7 @@ then hit the button below<br>

function q2d($ip)
{
$ips = split ("\.", $ip);
$ips = explode (".", $ip);
return ($ips[3] + $ips[2] * 256 + $ips[1] * 256 * 256 + $ips[0] * 256 * 256 * 256);
}
$ip = q2d(getenv('REMOTE_ADDR'));
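Review bot: `q2d` still assumes a dotted quad even after the `explode` fix (`split()` was removed in PHP 7, so the swap is needed): if `REMOTE_ADDR` is an IPv6 address, `$ips[1]` to `$ips[3]` are undefined and the function returns garbage plus notices. PHP's built-in `ip2long()` performs this exact conversion and returns `false` on non-IPv4 input, so `$ip = ip2long(getenv('REMOTE_ADDR'));` with a `false` check could replace the helper; on 32-bit builds its result is signed, which `sprintf('%u', ...)` handles and which the manual arithmetic here happens to avoid.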
@@ -225,7 +228,7 @@ function timeIp(ip, gateway)
possibleIps = possibleIps.sort(function(a, b) { return sortIps[a] - sortIps[b] })
console.log("sorted", possibleIps)

div.innerHTML = !gateway || classC[ipclass].printed ? 'discovered ' + ip + ' in ' + diff + 'ms, possible internal ip' : '<b>discovered local subnet: ' + ip + ' responded with either RST or SYN</b>'
div.innerHTML = !gateway || classC[ipclass].printed ? 'discovered ' + htmlEncodeSpecial(ip) + ' in ' + diff + 'ms, possible internal ip' : '<b>discovered local subnet: ' + htmlEncodeSpecial(ip) + ' responded with either RST or SYN</b>'
classC[ipclass].printed = true

// ignore .0 and .255
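Review bot: wrapping `ip` in `htmlEncodeSpecial` is the minimal fix, but this line also injects literal `<b>` markup, which only survives because `htmlEncodeSpecial` re-enables single-letter tags; the two concerns should be separated. Build the element with DOM calls instead of string concatenation: keep the fixed markup as markup and insert `ip` through `document.createTextNode(ip)` (or `textContent` on a child `span`), so no escaper is needed and a later change to the helper cannot reopen the hole. `diff` is numeric and needs no encoding.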
@@ -316,7 +319,7 @@ var checkButton = function()

function log(msg)
{
document.getElementById('log').innerHTML = msg + '<br>' + document.getElementById('log').innerHTML
document.getElementById('log').innerHTML = htmlEncodeSpecial(msg) + '<br>' + document.getElementById('log').innerHTML
}

// called by get_size script tag upon load
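Review bot: `log()` now encodes `msg`, but prepending by string concatenation onto `innerHTML` re-parses and re-serialises the whole log on every call, and any caller that passes intentional markup now depends on the single-letter-tag exception in `htmlEncodeSpecial`. Creating a `div`, setting `textContent = msg`, and inserting it with `document.getElementById('log').prepend(div)` avoids both and makes the text/markup boundary explicit; check the call sites and split any that combine user-derived data with `<b>`-style formatting in one string.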
@@ -623,7 +626,7 @@ console.log(url, str.length)
if (reuse) crashoverride.id = 'pintextarea'
crashoverride.setAttribute("value", str)
crashoverride.innerText=str
crashoverride.innerHTML=str
crashoverride.innerHTML=htmlEncodeSpecial(str)
gibson.appendChild(crashoverride)
acidburn.appendChild(gibson)

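Review bot: the `innerHTML` assignment is redundant with `crashoverride.innerText=str` two lines above it, and with the encoding added it now disagrees with it: `htmlEncodeSpecial` decodes `&lt;b&gt;`-style single-letter tags back into real elements, so a `str` containing `<b>` or `<p>` would render as markup rather than stay verbatim, which matters if `str` is the pin payload the `pintextarea` id suggests and is meant to be carried byte-for-byte. Drop the `innerHTML` line and keep `innerText` (or `textContent`), which needs no escaping.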
@@ -1020,6 +1023,11 @@ if (!String.prototype.padStart) {
};
}

// to fix DOM-based XSS issues - https://samy.pl/slipstream/server?localip=1.1.1.1<img src onerror%3dalert(1)>
function htmlEncodeSpecial(value) {
return value.replace(/</gi,'&lt;').replace(/>/gi,'&gt;').replace(/&lt;([a-zA-Z])&gt;/gi,'\<$1\>').replace(/&lt;\/([a-zA-Z])&gt;/gi,'</$1>');
}

start()
</script>
</body>
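Review bot: `htmlEncodeSpecial` only neutralises `<` and `>` and then deliberately decodes single-letter tags back (`<b>` and `</b>`, but equally `<a>`, `<p>`, `<s>`), so it is a tag allow-list rather than an HTML escaper; `&`, `"` and `'` pass through, which is acceptable in the text-node contexts it is used in here but unsafe if it is ever applied inside an attribute. It also throws if `value` is not a string (`value.replace`), e.g. a numeric port or timing value. If the exception exists only so callers can pass `<b>`, drop the two decode replacements, escape `&` first (`.replace(/&/g,'&amp;')` ahead of the `<` and `>` replacements), coerce with `String(value)`, and let callers add formatting via DOM nodes; the `i` flag and the `\<`/`\>` escapes in the replacement strings are no-ops and can go. The repro URL in the comment is worth keeping.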
