My own implementation of some of the amazing work by Steffen Ullrich. Full work here
Each test tries to download EICAR.
The first is a simple, honest download with no trickery, to use as a baseline for your environment.
Each following test uses a different technique.
NOTE: As with the other tests, you can run these over HTTP, HTTPS, HTTPS (self-signed) and HTTPS (expired certificate) for different results.
A proper web proxy terminates the TCP flow itself, which lets it reassemble and inspect the full response before deciding what to do with it.
Technologies that do not observe the traffic at that level do not achieve the same level of inspection, filtering and protection.
These tests try to sneak EICAR into your network. Did your web filtering device stop them?
Test 2: HTTP compression as Deflate, not GZip
<?php
// gzdeflate() emits a raw DEFLATE stream (no zlib header or checksum), not the
// zlib-wrapped form that HTTP "deflate" is defined as; browsers accept both.
header("Content-Encoding: deflate");
header('Content-type: text/plain');
header('Content-Disposition: attachment; filename="7blessings.co.uk_eicar_noxii_2.txt"');
$eicar = file_get_contents('../eicar.txt');
echo gzdeflate($eicar, 9);
?>
Test 3: Payload in a Chunked Transfer
<?php
header("Content-Encoding: none");
header('Content-type: text/plain');
header('Content-Disposition: attachment; filename="7blessings.co.uk_eicar_noxii_3.txt"');
$eicar = file_get_contents('../eicar.txt');
$sub_length = 50;
// Turn off PHP output buffering so each echo leaves the process at once; with
// no Content-Length set, the server then sends the body as separate chunks.
while (ob_get_level()) {
    ob_end_clean();
}
ob_implicit_flush(true);
for ($x = 0; $x < strlen($eicar); $x += $sub_length) {
    echo substr($eicar, $x, $sub_length);
    flush();
}
?>
Test 4: Payload deflated twice
<?php
// Sending Content-Encoding: deflate twice (the false flag appends a header rather
// than replacing it) tells the client to inflate the body twice; a filter must do the same.
header("Content-Encoding: deflate", false);
header("Content-Encoding: deflate", false);
header('Content-type: text/plain');
header('Content-Disposition: attachment; filename="7blessings.co.uk_eicar_noxii_4.txt"');
$eicar = file_get_contents('../eicar.txt');
echo gzdeflate(gzdeflate($eicar, 1), 1);
?>
Test 5: GZip file has the CRC check removed from the end.
<?php
header('Content-Disposition: attachment; filename="7blessings.co.uk_eicar_noxii_5.txt.gz"');
$filename = "./eicar.txt.gz";
$contents = file_get_contents($filename);
// A gzip member ends with an 8-byte trailer: the CRC32 of the uncompressed data
// followed by its length (ISIZE). Dropping the trailer leaves the compressed data
// intact but removes the integrity check, so a strict decoder sees a truncated stream.
echo substr($contents, 0, -8);
?>
Test 6: Payload has a carriage return ("\r") in the middle.
<?php
header("Content-Encoding: none");
header('Content-type: text/plain');
header('Content-Disposition: attachment; filename="7blessings.co.uk_eicar_noxii_6.txt"');
$eicar = file_get_contents('../eicar.txt');
// Insert a bare CR after the first 50 bytes without dropping any byte of the payload.
echo substr($eicar, 0, 50);
echo "\r";
echo substr($eicar, 50);
?>
Test 7: Unexpected HTTP return codes
<?php
// 100 is an interim (1xx) status that must not carry a body, so a body after it is
// something neither a client nor a filter normally expects; the reason phrase is arbitrary.
header("HTTP/1.0 100 I'm A Teapot");
header("Content-Encoding: none");
header('Content-type: text/plain');
header('Content-Disposition: attachment; filename="7blessings.co.uk_eicar_noxii_7.txt"');
$eicar = file_get_contents('../eicar.txt');
echo $eicar;
?>
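As an added example (not part of the original tests or Steffen Ullrich's code), this is the decoding a filter has to perform to see the same bytes the browser does for tests 2, 4 and 5: raw versus zlib-wrapped deflate, Content-Encoding applied twice, and a gzip body with its trailer cut off. The MARKER string is a constructed stand-in for eicar.txt and the case names are mine.

```python
import gzip
import zlib
# Constructed stand-in for eicar.txt; the check only needs a known marker.
MARKER = b"CONSTRUCTED-TEST-MARKER-STANDING-IN-FOR-EICAR"

def inflate(data: bytes, wbits: int) -> tuple[bytes, bool]:
    d = zlib.decompressobj(wbits=wbits)  # tolerates a missing trailer
    return d.decompress(data), d.eof     # eof False => stream ended early

def decode_one(data: bytes, coding: str) -> tuple[bytes, bool]:
    coding = coding.strip().lower()
    if coding in ("", "identity", "none"):
        return data, True
    if coding in ("gzip", "x-gzip"):
        return inflate(data, 16 + zlib.MAX_WBITS)
    if coding == "deflate":
        # HTTP "deflate" is zlib-wrapped, but PHP's gzdeflate() emits raw
        # DEFLATE; browsers accept both, so an inspector must try both.
        try:
            return inflate(data, zlib.MAX_WBITS)
        except zlib.error:
            return inflate(data, -zlib.MAX_WBITS)
    raise ValueError(f"unsupported Content-Encoding: {coding!r}")

def decode_body(body: bytes, content_encoding: str) -> tuple[bytes, bool]:
    """Strip codings in reverse header order; 'complete' goes False if any
    layer ended early (e.g. gzip trailer cut off), which a filter should flag."""
    complete = True
    for coding in reversed(content_encoding.split(",")):
        body, ok = decode_one(body, coding)
        complete = complete and ok
    return body, complete

def raw_deflate(data: bytes, level: int) -> bytes:
    """Mimic PHP gzdeflate(): raw DEFLATE, no zlib header or checksum."""
    c = zlib.compressobj(level, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()

def run_cases() -> dict:
    """Re-create the tests' transformations; value = (marker found, complete)."""
    cases = {
        "deflate, raw (test 2)": (raw_deflate(MARKER, 9), "deflate"),
        "deflate twice (test 4)": (raw_deflate(raw_deflate(MARKER, 1), 1), "deflate, deflate"),
        "gzip, trailer cut (test 5)": (gzip.compress(MARKER)[:-8], "gzip"),
        "deflate, zlib-wrapped (RFC form)": (zlib.compress(MARKER), "deflate"),
    }
    decoded = {name: decode_body(body, enc) for name, (body, enc) in cases.items()}
    return {name: (MARKER in out, ok) for name, (out, ok) in decoded.items()}
```

A filter that only tries the zlib-wrapped form, or stops at the first Content-Encoding, would miss the marker in the first two cases; the third case shows how the missing trailer can be flagged instead of silently passed.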