PyStegosploit - Exploit Delivery via Steganography and Polyglots

[video1] | [video2] | [page]

by Charmve - yidazhang1 [at] gmail[dot]com, @Charmve @therealsaumil @amichael

May 2021

Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

A Tour of the Stegosploit Toolkit ^[1]

Stegosploit comprises of tools that let a user analyse images, steganographically encode exploit data onto JPG and PNG files, and turn the encoded images into polyglot files that can be rendered as HTML or executed as Javascript.

The current version of Stegosploit is 0.2 and can be found in Issue 0x08 of the International Journal of Proof-of-Concept or Get The Fuck Out (Poc||GTFO). Note that you will have to read through the end of the article in PoC||GTFO to find the hint on how to extract the toolkit.

🔍 Browse Folders

• 📄 README.md
• 📄 copying.txt - WTFPL
• 📁 stego/
  • 📄 image_layer_analysis.html - Analyse an image's bit layers
  • 📄 iterative_encoding.html - Encode an exploit onto a JPG or PNG image
  • 📄 imagedecoder.html - Decode a steganographically encoded image
  • 📄 imagedecode.js
  • 📄 histogram.js
  • 📄 md5.js
  • 📄 base64.js
• 📁 exploits/
  • 📄 exploits.js - Canned exploit code
  • 📄 decoder_cve_2014_0282.html - Decoder code + CVE-2014-0282 HTML elements
• 📁 imajs/
  • 📄 html_in_jpg_ie.pl - Generate JPG+HTML polyglot for IE
  • 📄 html_in_jpg_ff.pl - Generate JPG+HTML polyglot for Firefox
  • 📄 html_in_png.pl - Generate a PNG+HTML polyglot (for any browser)
  • 📄 pngenum.pl - Enumerate a PNG file's FourCC chunks
  • 📄 jpegdump.c - Enumerate a JPG file's segments
  • 📄 CRC32.pm
  • 📄 PNGDATA.pm
• ★ 📁 project-stegosploit/ - Core Part video show 1 | text show 1
  • 📁 encoding/ - core
    • 📄 iterative_encoding.html - Steganographically Encoding the Exploit Code
    • 📄 image_layer_analysis.html
    • 📄 imagedevoder.html
    • 📄 decode_and_run_cinput_withjs.html
  • 📁 exploits/ - decoder.html
  • 📁 images/ - encoded and original images
  • 📁 polyglots/ - lena_poly_demo.html
  • 📁 scripts/ - Creates an HTML+PNG polyglot polyglot_with_jpg.py
  • 📁 tmp/ run --/tools/msf4$ ./msfconsole -r ./tmp/load_meterpreter.rc video show 2
  • 📄 README.md - Show how to use this project-stegosploit

jpegdump.c is written by Ralph Giles and can be downloaded from https://svn.xiph.org/experimental/giles/jpegdump.c

In this repo, importantly, project-stegosploit is key part, which show how to hidden Exploit Code into image, to encode/decode, and to execute the meterpreter framework.

🔧 How Stegosploit Works

The exploit code is inserted within the pixels of the image so that the image contains the exploit code. IMAJS then creates a polyglot image that will be read as an image and contains a decoder that will extract and run the javascript exploit.

The exploit that we will use is an Internet Explorer Use-after-free exploit (CVE-2014-0282).

🔨 Requirements

• Ubuntu 18.04 / Kali / Debian 9
• web service - python -m http.server 8000
• Metasploit Framework - How to Install

📆 What we have done so far

Highlights:

• The server can serve images to the VM over 10.0.2.2:5000
• The jpg.py program can build a polyglot file (valid .html and .jpg)

📝 Checklist

• Refactor CRC32.pm

• Refactor PNGDATA.pm

• Refactor html_in_jpg_ie.pl

• Refactor pngenum.pl

• Demo Server

  • Move all static exploit files in demo pages to /static
  • Make sure all static files are passed parsed using template_render
  • Add an image picker for the image_layer_analysis.html (Optional)

✨ Related Works Stegosploit

My repo

• steganography.js - Hide secret messages with JavaScript with steganography.js https://charmve.github.io/xss-test/examples/showcase/
• StegaStamp-plus - Improved the original repo, 'Invisible Hyperlinks in Physical Photographs', without datasets and training parameters

❕ Disclaimer

• This repo follows the GPL open source agreement, please be sure to understand.

• We strictly prohibit all acts that violate any national laws through this program, please use this program within the legal scope.

• By default, using this item will be deemed as your agreement to our rules. Please be sure to abide by the moral and legal standards.

• If you do not comply, you will be responsible for the consequences, and the author will not bear any responsibility!

📎 References

[1] https://stegosploit.info/

[2] https://conference.hitb.org/hitbsecconf2015ams/sessions/stegosploit-hacking-with-pictures/

[3] https://www.vulnerability-db.com/?q=articles/2015/06/17/exploit-delivery-steganography-using-stegosploit-tool-v02

[4] https://www.blackhat.com/docs/eu-15/materials/eu-15-Shah-Stegosploit-Exploit-Delivery-With-Steganography-And-Polyglots.pdf

[5] https://stackoverflow.com/questions/4110964/how-does-heap-spray-attack-work

[6] https://www.youtube.com/watch?time_continue=1&v=6lYUtIZHlJA

[7] https://www.owasp.org/images/0/01/OWASL_IL_2010_Jan_-_Moshe_Ben_Abu_-_Advanced_Heapspray.pdf

[8] https://en.wikipedia.org/wiki/Heap_spraying

[9] https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

🎧 Related job

video

✉️ Contact

yidazhang1[#]gmail[dot]com

Zhang Wei (Charmve)