If you are not familiar with the term STEGOSPLOIT, you should definitely look at the following links
Slides of the talk are available here
The mention of lcamtuf in the slides made me google his JPG+HTML polyglot. After going through Mr. Shah's slides, I decided to write a simple PoC following the exact steps from his slides. So, my innocent plan was to
For anyone who has read those slides, all of this will seem normal, and yes, it is!!
{% gist tunnelshade/757de16b6ac6f5f337fd %}
PS: The script only works on some PNGs for now.

```
.-[tunnelshade@MacBook-Pro.local:~/workspace/misc/poly]
'->$ python2 convert.py -i cat.png -p payload.html -o cute_kitty.png
[*] Opening payload and converting to bit string
[*] Hiding data in LSB
[*] Saving intermediate PNG
[*] Opening intermediate png for adding loader
[*] Writing PNG header
[*] Writing IHDR chunk
[*] Minifying loader html
[*] Writing iTXt chunk containing loader
[*] Writing the remaining data
```
The image has to be served with a `text/html` content type. If it is not, the browser's HTML parser never sees the file: it is handed to the image decoder and simply rendered as a picture. Below is a small Python 2 script which, when run in the same directory as the image, serves every `.png` with an HTML content type.

```python
#!/usr/bin/python
# Python 2: serve the current directory, but label .png files as text/html
# so the browser parses the polyglot as a page instead of decoding it as an image.
import SimpleHTTPServer
import SocketServer

PORT = 8000

Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
# extensions_map decides the Content-Type header from the file extension;
# override the .png entry so the response claims text/html.
Handler.extensions_map.update({
    '.png': 'text/html',
})

httpd = SocketServer.TCPServer(("", PORT), Handler)
try:
    print "Serving at http://127.0.0.1:%d" % (PORT)
    httpd.serve_forever()
except KeyboardInterrupt:
    httpd.socket.close()
```
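The two properties the post relies on, an HTML loader sitting in a PNG text chunk and a server that lies about the content type, are also the two things a defender can check for. The following Python 3 script is an added example written for this page; it is not part of the original post or of the convert.py gist. It walks the PNG chunk structure, decodes `tEXt`/`zTXt`/`iTXt` chunks and flags any that contain HTML markup, verifies chunk CRCs, and checks whether a response labelled `text/html` actually begins with the PNG signature. The sample images it scans (`CLEAN_PNG`, `POLYGLOT_PNG`) are constructed in the script itself; the tag list in `HTML_PATTERN` is an assumption you would tune for your own environment.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): scan a PNG for text chunks
that carry HTML/JS markup, the shape of the PNG+HTML polyglot described
above, and check that a response's Content-Type agrees with the bytes."""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"iTXt", b"zTXt"}
# Markup that has no business inside image metadata (assumed list; extend as needed).
HTML_PATTERN = re.compile(rb"<\s*(html|script|svg|body|iframe|img|meta)\b", re.IGNORECASE)


def iter_chunks(data):
    """Yield (type, payload, crc_ok) for every chunk; ValueError on a malformed layout."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[start:end]
        crc = struct.unpack(">I", data[end:end + 4])[0]
        crc_ok = zlib.crc32(ctype + payload) & 0xFFFFFFFF == crc
        yield ctype, payload, crc_ok
        pos = end + 4
        if ctype == b"IEND":
            break


def text_chunk_body(ctype, payload):
    """Return the text carried by a tEXt/zTXt/iTXt chunk, decompressed if needed."""
    _keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        return rest
    if ctype == b"zTXt":
        return zlib.decompress(rest[1:])          # rest[0] is the compression method
    if ctype == b"iTXt":
        compressed = rest[0]                       # compression flag, then method byte
        rest = rest[2:]
        _lang, _, rest = rest.partition(b"\x00")   # language tag
        _tkey, _, text = rest.partition(b"\x00")   # translated keyword
        return zlib.decompress(text) if compressed else text
    return b""


def scan_png(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for ctype, payload, crc_ok in iter_chunks(data):
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append("bad CRC on %s chunk" % name)
        if ctype in TEXT_CHUNKS:
            match = HTML_PATTERN.search(text_chunk_body(ctype, payload))
            if match:
                findings.append("HTML markup <%s> inside %s chunk"
                                % (match.group(1).decode("latin-1"), name))
    return findings


def content_type_mismatch(content_type, body):
    """True when a response claims text/html but the body starts with the PNG signature."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "text/html" and body.startswith(PNG_SIGNATURE)


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


def build_sample_png(itxt_text=None):
    """Constructed 1x1 RGB PNG, optionally carrying an uncompressed iTXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    chunks = [_chunk(b"IHDR", ihdr)]
    if itxt_text is not None:
        # keyword\0, compression flag, method, language tag\0, translated keyword\0, text
        chunks.append(_chunk(b"iTXt", b"Comment\x00\x00\x00\x00\x00" + itxt_text))
    chunks.append(_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")))  # filter + 1 pixel
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


# Constructed samples: a plain image and one whose iTXt chunk holds a benign HTML marker.
CLEAN_PNG = build_sample_png()
POLYGLOT_PNG = build_sample_png(b"<html><script>/* constructed marker */</script></html>")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("polyglot", POLYGLOT_PNG)):
        print(label, scan_png(blob) or "no findings")
    print("mismatch:", content_type_mismatch("text/html; charset=utf-8", POLYGLOT_PNG))
```

Run on a real file with `scan_png(open("cute_kitty.png", "rb").read())`. The chunk walk is the useful part: a polyglot of this kind has to keep the PNG well-formed so the image still decodes, which means the loader must live in a legitimate chunk with a valid length and CRC, and that is exactly where a scanner can look. The content-type check is the complementary control on the wire: a proxy or response hook that compares the declared media type against the leading bytes catches the `.png`-as-`text/html` trick regardless of what the file contains.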