If you are not familiar with the word STEGOSPLOIT then you must definitely look at the
- The actual talk
- Followed by huge popularity. Just google the word!
- Then criticism
- Then, I stopped following the topic at this stage.
Slides of the talk are available here
- Would love to have a tool that supports all image types. Other than that, embedding html in image metadata is common.
- Non-tech people who didn't think about what is happening in the background started giving out blunt statements like PICTURES ARE NO MORE SAFE, and every other noob went crazy.
The mention of lcamtuf in the slides made me google his JPG+HTML polyglot. After going through the slides of Mr. Shah, I decided to write a simple PoC with the exact steps taken from his slides. So, my innocent plan was to:
- Hide an exploit payload in the image pixels.
- Create an HTML+PNG polyglot so the image itself can be used as a loader.
- Then use HTML5 canvas to reconstruct the actual payload in the browser.
For anyone who read those slides all this would seem normal & yes it is!!
How it works??
- First it takes the payload file and converts the content into a bit string.
- This bit string is hidden in the least significant bit (LSB) of the R, G and B values of the pixels of the input PNG file. This is done using Pillow.
- Then the HTML required to decode this payload is added to the same PNG file to create an HTML+PNG polyglot.
- For the final PNG to deliver the payload, it should be served with content type text/html.
- Then, when the image is loaded, the browser executes the HTML in it, leading to reconstruction and running of the exploit.
- Common users are aware of malicious websites but not malicious images yet ;)
- As an end user, what difference do you see?
- Who serves images with an HTML content type? Unless you want to pwn users!
- ML trained detectors can catch these images, but you can always improvise ;)
PS: The script only works on some PNGs for now
Sample Console Output
'->$ python2 convert.py -i cat.png -p payload.html -o cute_kitty.png
[*] Opening payload and converting to bit string
[*] Hiding data in LSB
[*] Saving intermediate PNG
[*] Opening intermediate png for adding loader
[*] Writing PNG header
[*] Writing IHDR chunk
[*] Minifying loader html
[*] Writing iTXt chunk containing loader
[*] Writing the remaining data
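A defender-side check for the layout shown in the console output above (loader HTML written into an iTXt chunk right after IHDR), as an added example that is not part of the original post or its convert.py: it walks the PNG chunks and reports text chunks that contain raw HTML markup. The marker list and the make_sample helper are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# Constructed marker list (an assumption, not from the post); tune it for your data.
HTML_MARKERS = (b"<html", b"<script", b"<canvas", b"<img", b"onload=", b"<!--")


def iter_chunks(data):
    """Yield (type, body) per PNG chunk; raise ValueError on malformed input."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        yield ctype, data[pos + 8:pos + 8 + length]
        pos = end


def find_html_chunks(data):
    """Return [(chunk_type, marker)] for text chunks carrying raw HTML markup.

    Raw bytes are scanned on purpose: an HTML parser only sees markup that is
    stored uncompressed, so a working loader cannot hide in a compressed chunk.
    """
    hits = []
    for ctype, body in iter_chunks(data):
        if ctype in TEXT_CHUNKS:
            low = body.lower()
            hits += [(ctype.decode(), m.decode()) for m in HTML_MARKERS if m in low]
    return hits


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample(text=None):
    """Constructed 1x1 RGB PNG; optional uncompressed iTXt chunk after IHDR."""
    parts = [PNG_SIG, _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))]
    if text is not None:
        parts.append(_chunk(b"iTXt", b"Comment\x00\x00\x00\x00\x00" + text))
    parts += [_chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff")), _chunk(b"IEND", b"")]
    return b"".join(parts)
```

A hit is a reason to inspect the file, not a verdict: ordinary metadata can contain angle brackets, and this check does not look at the pixel LSBs at all.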
Sample Polyglot with alert() payload
Serving the Polyglot
The image has to be served with a text/html content type. If not, the browser parser will ignore the HTML part and just render the image. Below is a sample Python script which, when run in the same directory as the image, will serve the PNG with an HTML content type.
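import SimpleHTTPServer  # Python 2 standard library, matching the python2 usage above
import SocketServer
PORT = 8000
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
Handler.extensions_map['.png'] = 'text/html'  # serve .png files as text/html, as described above
httpd = SocketServer.TCPServer(("", PORT), Handler)
print "Serving at http://127.0.0.1:%d" % (PORT)
httpd.serve_forever()  # handle requests until interrupted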