Using decompression to avoid filters

Wed 12th Oct 11

This post is based on a random thought I had that is probably completely impractical but would be quite cool if it worked. I was thinking of ways to get data, in this case probably payloads of some kind, exe's, php shells, that kind of thing, past filtering systems such as AV, IPS, IDS etc. Most, I hope, will decompress any compressed data before they apply their filters but do any compress the data before checking it? I doubt it.

I've been doing some work on a site which takes user data and compresses it before storing it in the document root to allow users to download it. For this site the attack would go like this.

Take a file you want to get through the filter and "decompress" it. What I'm thinking is to create a file that when compressed creates the file you actually want to transfer. An obvious problem is the headers added by the compression but in some situations this may not be a problem, for example a php script where the parser is only looking for code in the php start tags so the headers will be ignored. You can then browse to the compressed file, the parser will find the php code and pop goes your shell.

As I said, probably impractical and it would have a very limited use but thought I'd write this in case it gave anyone else any ideas, if you come up with anything let me know.