The Un-Official Proxomitron Forum
Internal LAN ip being leaked - Printable Version

+- The Un-Official Proxomitron Forum (https://www.prxbx.com/forums)
+-- Forum: Forum Related (/forumdisplay.php?fid=37)
+--- Forum: General Security (/forumdisplay.php?fid=21)
+--- Thread: Internal LAN ip being leaked (/showthread.php?tid=310)



- no13 - Nov. 23, 2004 04:32 PM

My LAN IP is being leaked over at http://www.auditmypc.com home page
my config is this...
[PC]---LAN port--->[ADSL modem-*-Router]--->Internet
WHY oh WHY can anyone read my LAN IP? Is it because of Stateful Packet Inspection (which my router employs - with NAT + firewall - and I believe it's mentioned on this site that SPI interferes and releases the IP)?
the site says they don't use a script to accomplish internal ip grabbing....
I found these elements "lurking" during the page loading, and indeed once it had fully loaded...
This page--> http://whatsmyip.auditmypc.com/
elements:
http://whatsmyip.auditmypc.com/auditmypc.class
http://whatsmyip.auditmypc.com/adt.asp --->embedded as iFrame
http://whatsmyip.auditmypc.com/audit.asp?a=lan_ip_was_here

Can proxo help here? Is it a browser thing? I'm a [beatdown] konfoosed user now...


- Kye-U - Nov. 23, 2004 09:08 PM

The script to get your internal LAN IP is (encoded in Unicode Hex, but I've converted it to ASCII):

Code:
<script type="text/javascript">document.write('<iframe src="/adt.asp" width="200" height="80" marginwidth="1" marginheight="1" align="top" scrolling="no" frameborder="0"></iframe>')</script>

adt.asp contains:

Code:
<script type="text/javascript">document.write('<applet width="1" height="1" code="auditmypc.class"></applet>')</script>

In conclusion, this site used encrypted Script tags to load the Class file. I've written the following filter:

Code:
[Patterns]
Name = "Javascript: Remove ".class""
Active = TRUE
URL = "($TYPE(htm)|$TYPE(js)|$TYPE(oth))"
Bounds = "$NEST(<script,</script>)"
Limit = 2048
Match = "*(%63%6f%64%65%3d%22*%22"
"|\\u0(0|)63\\u0(0|)6f\\u0(0|)64\\u0(0|)65\\u0(0|)3d\\u0(0|)22*\\u0(0|)22"
"|code=$AV(*.class))*"

This will not remove any normal [Applets], but will remove the "code="*.class"" NESTED inside a Javascript tag, encrypted or not. Isn't it suspicious to have an applet encrypted in a Javascript?


- no13 - Nov. 24, 2004 06:30 AM

It's not working to block that site over here... dunno why.


- Siamesecat - Nov. 24, 2004 07:16 AM

Code:
Match = "*(%63%6f%64%65%3d%22*%22"
       "|\\u0(0|)63\\u0(0|)6f\\u0(0|)64\\u0(0|)65\\u0(0|)3d\\u0(0|)22*\\u0(0|)22"
       "|code=$AV(*.class))*"
In that match, why would the code be "\u0" or "\u00", followed by the ASCII code for the letter of the word "code"? What does the \u00 do?


- Kye-U - Nov. 24, 2004 08:56 PM

It's Unicode encoded.

If decrypted, \u0063 is %63 in hex, which is "c". The three lines are identical to:

code="*.class"

It's not working, no13? Siamesecat, does it seem to work?
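Kye-U's filter above and this explanation both rest on the same idea: the "code=" attribute can be written as plain text, as %XX hex, or as \uXXXX (or the malformed \u0XX) Unicode escapes, and only after undoing those escapes can you see that a script is writing an applet tag. The following is an added example, not code from the thread or from Proxomitron, that does that decoding in plain JavaScript and reports which .class files a page's script blocks try to load. The sample page, the function names and the class names other than auditmypc.class are constructed for the example.

```javascript
// Added example (not from the thread, nor Proxomitron's own code): an audit
// routine that undoes the escapes Kye-U's filter matches and reports Java
// applet loads hidden inside <script> blocks.

// Decode JavaScript \uXXXX escapes (plus the malformed 3-digit \u0XX form the
// filter also tolerates) and %XX hex escapes into plain characters.
function decodeScriptEscapes(text) {
  return text
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u0([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return the .class files referenced by code="..." inside <script> blocks.
// Applet tags written directly in the HTML (outside any script) are not
// reported, mirroring the filter's "will not remove any normal Applets".
function findHiddenAppletLoads(html) {
  const found = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = decodeScriptEscapes(m[1]);
    const codeRe = /\bcode\s*=\s*["']?([^"'\s>]+\.class)/gi;
    let c;
    while ((c = codeRe.exec(body)) !== null) found.push(c[1]);
  }
  return found;
}

// Constructed sample page mirroring the thread: a Unicode-escaped applet
// loader, a %-escaped one, and an ordinary applet outside any script.
// (tracker.class and harmless.class are made-up names for the example.)
const SAMPLE_HTML = String.raw`
<html><body>
<script type="text/javascript">document.write('<applet width="1" height="1" \u0063\u006f\u0064\u0065\u003d\u0022auditmypc.class\u0022></applet>')</script>
<script>document.write(unescape('%3Capplet%20%63%6f%64%65%3d%22tracker.class%22%3E%3C/applet%3E'))</script>
<applet code="harmless.class" width="100" height="100"></applet>
</body></html>`;

// Run the audit over the sample; only the two script-written applets appear.
function demo() {
  return findHiddenAppletLoads(SAMPLE_HTML);
}

console.log(demo()); // -> [ 'auditmypc.class', 'tracker.class' ]
```

Run it with node; the plain applet outside the script blocks is deliberately left out of the result, which is the same distinction the filter's $NEST(<script,</script>) bounds draw. The three-digit \u0XX pass is only there because the filter matches it; real JavaScript engines reject that form.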


- mozerd - Nov. 24, 2004 10:00 PM

Kye-U Wrote: In conclusion, this site used encrypted Script tags to load the Class file. I've written the following filter:
Kye-U, thank you very much -- works just great!

BTW, it's important to clear the cache, otherwise it will seem as if the filter is not working. Once the cache has been cleared, subsequent calls get properly trapped.

Very nice work Kye-U.


- Kye-U - Nov. 24, 2004 10:15 PM

Thanks Mozerd

I think that this is a very "specific" filter, and I plan to revise it and post a more general filter.


- no13 - Nov. 25, 2004 12:50 PM

It's working after I destroyed the cookies and cache (needed Kerio to help out with cookies).