Discussion:
Problems while sending a string as tcp payload
Sushrut Mair
2014-06-10 05:14:29 UTC
Hi,

I am trying to send out an EICAR string via scapy. It gets sent out, but it
seems like scapy may be modifying the string. Here is my code:

.
.
.
from scapy.all import IP, TCP, Raw, ls, sr1   # scapy imports (not shown in the post)
# raw string: "\P" is not a Python escape, so the single backslash of the
# EICAR signature is kept exactly as written
actualdata=r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ip=IP(src=ipsrc,dst=ipdst)
tcp=TCP(sport=srcp,dport=dstp,flags="PA",seq=last_packets_seqnum,ack=last_packets_acknum)
raw=Raw(actualdata.encode('utf-8','strict'))   # payload bytes (note: shadows scapy's raw())
data=ip/tcp/raw
ls(data)            # ---> #1  (ls() prints the fields itself; load is shown via repr())
print(actualdata)   # ---> #2
ACK=sr1(data)
.
.
.


#1 prints out the packet and the payload string. The string is printed out
as
"'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'".
Note the extra '\'. I have tried to escape the \ and tried other recommended
stuff, but to no avail.

#2 prints out the correct string as provided in actualdata.

The only difference between the two, afaik, is that ls(data) is controlled by
scapy while actualdata is a python string.

Can anyone help me with this? The issue is that while the destination
receives the string, it is unable to detect it as an EICAR string.

Rgds,
Sushrut.
Ilias Pallikarakis
2014-06-11 07:53:57 UTC
Hi,
I am not familiar with ls() the way you use it in your script. It seems to
me the problem might not be in the data but in the way it is presented: "\"
is presented as "\\" just because it is a special character. Have you tried
checking the result of data.show2()? This would show exactly what is going
to be sent by scapy (after checksums and other fields are automatically
calculated), or try to capture the packet on the other end to confirm
malformation. I apologize if my response is too trivial, but it just seems
unlikely that scapy is adding just one \ in a raw message.

Hope I helped,

Ilias Pallikarakis
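The check suggested above (look at what scapy serializes, then capture on the other end), as an added example that is not from the thread and not scapy's own code: it builds the same IP/TCP/Raw segment, serializes it the way scapy does on send (which is also what show2() displays), re-dissects those bytes the way a sniffer on the receiving host would, and compares the payload it sees with the EICAR bytes. Addresses, ports and sequence numbers are placeholders; the scapy imports sit inside the functions so the byte-level checks also run where scapy is not installed.

```python
# Added example, not code from the thread or from scapy itself.
# Shows that repr() doubles a backslash while the bytes on the wire carry
# exactly one, and how to confirm that from scapy's own serialization.

# The EICAR test string as a raw literal. "\P" is not a Python escape, so a
# plain literal would also keep the backslash, but r"" makes that explicit.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """The 68-byte payload exactly as it must arrive at the destination."""
    return EICAR.encode("ascii")


def backslash_count(data: bytes) -> int:
    """Count real backslash bytes (0x5c) in a payload."""
    return data.count(b"\\")


def repr_backslash_count(text: str) -> int:
    """Count backslash characters in repr() output; repr() escapes each real
    backslash as two, which is the 'extra' one seen in ls()."""
    return repr(text).count("\\")


def build_segment(ipsrc="192.0.2.1", ipdst="192.0.2.2",   # placeholder addresses
                  sport=40001, dport=40002,               # placeholder (unbound) ports
                  seq=1000, ack=2000):                    # placeholder seq/ack
    """Same layering as in the thread: IP/TCP(flags PA)/Raw(EICAR)."""
    from scapy.all import IP, TCP, Raw
    return (IP(src=ipsrc, dst=ipdst)
            / TCP(sport=sport, dport=dport, flags="PA", seq=seq, ack=ack)
            / Raw(load=eicar_bytes()))


def wire_bytes(pkt) -> bytes:
    """What scapy actually puts on the wire: bytes() serializes the packet
    and fills in lengths and checksums, the same view show2() prints."""
    return bytes(pkt)


def received_payload(pkt) -> bytes:
    """Dissect the wire bytes again, as a capture on the other end would,
    and return the TCP payload that side sees."""
    from scapy.all import IP, Raw
    seen = IP(wire_bytes(pkt))
    return bytes(seen[Raw].load)


if __name__ == "__main__":
    payload = eicar_bytes()
    print("length:", len(payload), "backslashes on the wire:", backslash_count(payload))
    print("backslashes in repr():", repr_backslash_count(EICAR))
    seg = build_segment()
    seg.show2()                                   # fields as they will be sent
    print("payload intact after re-dissection:", received_payload(seg) == payload)
```

If received_payload() returns the 68 EICAR bytes with a single backslash, the segment is carrying the string correctly and anything the destination does or does not detect has another cause; the doubled backslash only ever exists in the repr() that ls() prints.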
Sushrut Mair
2014-06-11 08:02:57 UTC
Yup - I think you are right. It just seems to be the representation. I was
misled by that and by the fact that I did not see the expected behavior at
the destination.

Thanks!
Sushrut.

