Skip to content

PoC - Exploit Delivery via Steganography and Polyglots, CVE-2014-0282

License

GPL-3.0, WTFPL licenses found

Licenses found

GPL-3.0
LICENSE
WTFPL
copying.txt
Notifications You must be signed in to change notification settings

lami1414/PyStegosploit

 
 

Repository files navigation

PyStegosploit - Exploit Delivery via Steganography and Polyglots

by Charmve - yidazhang1 [at] gmail[dot]com, @Charmve @therealsaumil @amichael

May 2021

stego_imajs.png

Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

A Tour of the Stegosploit Toolkit [1]

Stegosploit comprises of tools that let a user analyse images, steganographically encode exploit data onto JPG and PNG files, and turn the encoded images into polyglot files that can be rendered as HTML or executed as Javascript.

The current version of Stegosploit is 0.2 and can be found in Issue 0x08 of the International Journal of Proof-of-Concept or Get The Fuck Out (Poc||GTFO). Note that you will have to read through the end of the article in PoC||GTFO to find the hint on how to extract the toolkit.

🔍 Browse Folders

  • 📄 README.md
  • 📄 copying.txt - WTFPL
  • 📁 stego/
    • 📄 image_layer_analysis.html - Analyse an image's bit layers
    • 📄 iterative_encoding.html - Encode an exploit onto a JPG or PNG image
    • 📄 imagedecoder.html - Decode a steganographically encoded image
    • 📄 imagedecode.js
    • 📄 histogram.js
    • 📄 md5.js
    • 📄 base64.js
  • 📁 exploits/
    • 📄 exploits.js - Canned exploit code
    • 📄 decoder_cve_2014_0282.html - Decoder code + CVE-2014-0282 HTML elements
  • 📁 imajs/
    • 📄 html_in_jpg_ie.pl - Generate JPG+HTML polyglot for IE
    • 📄 html_in_jpg_ff.pl - Generate JPG+HTML polyglot for Firefox
    • 📄 html_in_png.pl - Generate a PNG+HTML polyglot (for any browser)
    • 📄 pngenum.pl - Enumerate a PNG file's FourCC chunks
    • 📄 jpegdump.c - Enumerate a JPG file's segments
    • 📄 CRC32.pm
    • 📄 PNGDATA.pm
  • ★ 📁 project-stegosploit/ - Core Part video show 1 | text show 1
    • 📁 encoding/ - core
      • 📄 iterative_encoding.html - Steganographically Encoding the Exploit Code
      • 📄 image_layer_analysis.html
      • 📄 imagedevoder.html
      • 📄 decode_and_run_cinput_withjs.html
    • 📁 exploits/ - decoder.html
    • 📁 images/ - encoded and original images
    • 📁 polyglots/ - lena_poly_demo.html
    • 📁 scripts/ - Creates an HTML+PNG polyglot polyglot_with_jpg.py
    • 📁 tmp/ run --/tools/msf4$ ./msfconsole -r ./tmp/load_meterpreter.rc video show 2
    • 📄 README.md - Show how to use this project-stegosploit

jpegdump.c is written by Ralph Giles and can be downloaded from https://svn.xiph.org/experimental/giles/jpegdump.c

In this repo, importantly, project-stegosploit is key part, which show how to hidden Exploit Code into image, to encode/decode, and to execute the meterpreter framework.

🔧 How Stegosploit Works

The exploit code is inserted within the pixels of the image so that the image contains the exploit code. IMAJS then creates a polyglot image that will be read as an image and contains a decoder that will extract and run the javascript exploit.

The exploit that we will use is an Internet Explorer Use-after-free exploit (CVE-2014-0282).

🔨 Requirements

  • Ubuntu 18.04 / Kali / Debian 9
  • web service - python -m http.server 8000
  • Metasploit Framework - How to Install

msfconsole.png

📆 What we have done so far

Highlights:

  • The server can serve images to the VM over 10.0.2.2:5000
  • The jpg.py program can build a polyglot file (valid .html and .jpg)

📝 Checklist

  • Refactor CRC32.pm

  • Refactor PNGDATA.pm

  • Refactor html_in_jpg_ie.pl

  • Refactor pngenum.pl

  • Demo Server

    • Move all static exploit files in demo pages to /static
    • Make sure all static files are passed parsed using template_render
    • Add an image picker for the image_layer_analysis.html (Optional)

✨ Related Works Stegosploit

My repo

❕ Disclaimer

  • This repo follows the GPL open source agreement, please be sure to understand.

  • We strictly prohibit all acts that violate any national laws through this program, please use this program within the legal scope.

  • By default, using this item will be deemed as your agreement to our rules. Please be sure to abide by the moral and legal standards.

  • If you do not comply, you will be responsible for the consequences, and the author will not bear any responsibility!

📎 References

[1] https://stegosploit.info/

[2] https://conference.hitb.org/hitbsecconf2015ams/sessions/stegosploit-hacking-with-pictures/

[3] https://www.vulnerability-db.com/?q=articles/2015/06/17/exploit-delivery-steganography-using-stegosploit-tool-v02

[4] https://www.blackhat.com/docs/eu-15/materials/eu-15-Shah-Stegosploit-Exploit-Delivery-With-Steganography-And-Polyglots.pdf

[5] https://stackoverflow.com/questions/4110964/how-does-heap-spray-attack-work

[6] https://www.youtube.com/watch?time_continue=1&v=6lYUtIZHlJA

[7] https://www.owasp.org/images/0/01/OWASL_IL_2010_Jan_-_Moshe_Ben_Abu_-_Advanced_Heapspray.pdf

[8] https://en.wikipedia.org/wiki/Heap_spraying

[9] https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

✉️ Contact

yidazhang1[#]gmail[dot]com


About

PoC - Exploit Delivery via Steganography and Polyglots, CVE-2014-0282

Resources

License

GPL-3.0, WTFPL licenses found

Licenses found

GPL-3.0
LICENSE
WTFPL
copying.txt

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • HTML 36.5%
  • JavaScript 19.6%
  • C 16.6%
  • Python 13.9%
  • Perl 12.4%
  • Shell 1.0%