Stegosploit is simple fun!!



If you are not familiar with the word STEGOSPLOIT then you must definitely look at the following links

  • The actual talk
  • Followed by huge popularity. Just google the word!
  • Then criticism
  • Then, I stopped following the topic at this stage.

Slides of the talk are available here

My Thoughts

  • Would love to have a tool that supports all image types. Other than that, embedding html in image metadata is common.
  • Non-tech people who didn't think about what is happening in the background started giving out blunt statements like PICTURES ARE NO MORE SAFE, and every other noob went crazy.

What counts?

The mention of lcamtuf in the slides made me google his JPG+HTML polyglot. After going through the slides of Mr. Shah, I decided to write a simple PoC with the exact steps taken from his slides. So, my innocent plan was to

  • Hide an exploit payload in the image pixels.
  • Create an HTML+PNG polyglot so the image itself can be used as a loader.
  • Then use HTML5 canvas to reconstruct the actual payload in the browser.

For anyone who has read those slides, all this would seem normal, and yes, it is!!

Script

{% gist tunnelshade/757de16b6ac6f5f337fd %}

How it works??

  • First it takes the payload file and converts the content into a bit string.
  • This bit string is hidden in the least significant bit (LSB) of the R, G & B pixel values of the input PNG file. This is done using Pillow.
  • Then the HTML required to decode this payload is added to the same PNG file to create an HTML+PNG polyglot.
  • For the final PNG to deliver the payload, it should be served with content type text/html.
  • Then, when the image is loaded, the browser executes the HTML in it, leading to reconstruction and running of the exploit.
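
A defender-side check for the iTXt trick described above, added here as an example and not part of the original script or the talk: it walks the PNG chunk structure and flags tEXt/iTXt/zTXt chunks whose raw or inflated body carries HTML markup, which a legitimate metadata chunk has no reason to contain. The loader text, the chunk layouts and the 1x1 sample image are constructed for the demo.

```python
import struct, zlib
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"iTXt", b"zTXt"}
HTML_MARKERS = (b"<html", b"<script", b"<canvas", b"<body", b"<svg", b"onload=")  # report order

def make_chunk(ctype, data):
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

def iter_chunks(png):
    """Yield (type, data) for every chunk after the signature; a truncated tail is ignored."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length

def inflated_text(ctype, data):
    """Inflate zTXt (keyword NUL method zdata) or compressed iTXt (keyword NUL flag method lang NUL tkw NUL zdata)."""
    try:
        rest = data.split(b"\0", 1)[1]
        if ctype == b"zTXt":
            return zlib.decompress(rest[1:])
        if ctype == b"iTXt" and rest[0] == 1:
            return zlib.decompress(rest.split(b"\0", 2)[2])
    except (IndexError, zlib.error):
        pass  # truncated or corrupt chunk: nothing to inflate
    return b""

def find_html_loader(png):
    """Return [(chunk type, marker)] for text chunks whose raw or inflated body carries HTML markup."""
    hits = []
    for ctype, data in iter_chunks(png):
        if ctype in TEXT_CHUNKS:
            blob = (data + inflated_text(ctype, data)).lower()
            marker = next((m for m in HTML_MARKERS if m in blob), None)
            if marker:
                hits.append((ctype, marker))
    return hits

def build_sample_png(extra_chunk=b""):
    """Constructed 1x1 RGB PNG (not an image from the post) with an optional extra chunk before IDAT."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff"))
    return PNG_SIGNATURE + ihdr + extra_chunk + idat + make_chunk(b"IEND", b"")
LOADER = b"<html><canvas id=c></canvas><script>/* decoder */</script></html>"  # constructed stand-in for the loader page
SUSPICIOUS_ITXT = make_chunk(b"iTXt", b"Comment\0\0\0\0\0" + LOADER)          # uncompressed iTXt
SUSPICIOUS_ZTXT = make_chunk(b"zTXt", b"Comment\0\0" + zlib.compress(LOADER))  # zlib-compressed zTXt
```

Run `find_html_loader(open(path, "rb").read())` over files at an upload boundary or in a mail gateway; a non-empty result is the signal, independent of what Content-Type the file is later served with.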

Selling points

  • Common users are aware of malicious websites but not malicious images yet ;)
  • As an end user, what difference do you see?

Innocent cat

  • Look again :P

Innocent cat becomes evil

Difficulties

  • Who serves images with an HTML content type? Unless you want to pwn users!
  • ML-trained detectors can catch these images, but you can always improvise ;)

PS: The script only works on some PNGs for now

Sample Console Output

.-[tunnelshade@MacBook-Pro.local:~/workspace/misc/poly]
'->$ python2 convert.py -i cat.png -p payload.html -o cute_kitty.png
[*] Opening payload and converting to bit string
[*] Hiding data in LSB
[*] Saving intermediate PNG
[*] Opening intermediate png for adding loader
[*] Writing PNG header
[*] Writing IHDR chunk
[*] Minifying loader html
[*] Writing iTXt chunk containing loader
[*] Writing the remaining data

Sample Polyglot with alert() payload

Innocent cat becomes evil

Serving the Polyglot

The image has to be served with a text/html content type. If not, the browser's parser will ignore the HTML part and just render the image. Below is a sample Python script which, when run in the same directory as the image, serves the PNG with an HTML content type.

#!/usr/bin/python
# Python 2 script: SimpleHTTPServer and SocketServer became http.server and socketserver in Python 3.

import SimpleHTTPServer
import SocketServer

PORT = 8000

# Override the MIME type the handler picks for .png so the browser parses the file as HTML.
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
Handler.extensions_map.update({
    '.png': 'text/html',
})

httpd = SocketServer.TCPServer(("", PORT), Handler)

try:
    print "Serving at http://127.0.0.1:%d" % (PORT)
    httpd.serve_forever()
except KeyboardInterrupt:
    httpd.socket.close()

2015-06-08 :: {python} :: #tools