Month: July 2020
Protected: thm-rpmetasploit-nl
Protected: thm-forensics-nl
Protected: thm-activedirectorybasics-nl
Protected: htb-openkeys-private
Protected: thm-retro-nl
Protected: htb-cybernetics-private
htb-buff-nl
HackTheBox – Buff
Author : Puckiestyle
Protected: htb-hardware challenges
hacking-the-world-with-html
In my previous article Exploring the MS-DOS header I stated that after experimenting, the Windows loader only cares about the e_magic
and the e_lfanew
members from the _IMAGE_DOS_HEADER
. Because the rest of the members of the DOS header is used by MS-DOS to execute the stub program. Check it out if you have not.
If you take a PE file and null out the MS-DOS header and the MS-DOS stub program leaving out the e_magic
and the e_lfanew
values, the PE will still work fine as the rest is not needed by the Windows PE loader. The e_lfanew
address at offset 0x3c
is important as it points to the beginning of the _IMAGE_NT_HEADERS
structure which is the actual start of the PE file.
Since those values are not important we can insert an HTML comment from offset 0x2 which is the e_cblp
value and begin an HTML comment and end the comment at the end of the PE and append our HTML/PHP/ASP/JSP file contents.
I wrote a simple program in C to automate this task. You can provide your PE file and the HTML/PHP/ASP/JSP file to inject and it will generate an HTML file. You can rename the file into the extension you desire.
https://github.com/OsandaMalith/PE2HTML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#ifdef _WIN32
#include <io.h>
#endif
#define MAX 500
#define e_cblp 0x2
#define STUB 0x40
/*
Author: Osanda Malith Jayathissa (@OsandaMalith)
Disclaimer: Author takes no responsibility for any damage you cause.
Use this for educational purposes only.
Copyright (c) 2020 Osanda Malith Jayathissa
*/
void inject(char *, char *);
void dump(void *, int);
void
banner() {
fflush(stdin);
const static char *banner =
“\t _-_.\n”
“\t _-‘,^. `-_.\n”
“\t ._-‘ ,’ `. `-_ \n”
“\t!`-_._________`-‘:::\n”
“\t! /\\ /\\::::\n”
“\t; / \\ /..\\::: PE 2 HTML Injector\n”
“\t! / \\ /….\\:: Coded by Osanda Malith Jayathissa (@OsandaMalith)\n”
“\t!/ \\ /……\\: https://osandamalith.com\n”
“\t;–.___. \\/_.__.–;; \n”
“\t ‘-_ `:!;;;;;;;’\n”
“\t `-_, :!;;;”\n”
“\t `-!’ \n”;
for (banner; *banner; ++banner) fprintf(stdout, “%c”, *banner);
}
int
main(int argc, char *argv[]) {
size_t i;
char *fileName, *payload;
banner();
if (argc != 5) {
printf(“\n[-] Usage: %s -i <PE> -p <HTML/PHP/ASP File> \n”, argv[0]);
puts(“[*] The output will be in .html, You may rename it to the format you desire.”);
return 1;
}
for (i = 1; i < argc; i++) {
if (!strcmp(argv[i], “-i”)) fileName = argv[i + 1];
if (!strcmp(argv[i], “-p”)) payload = argv[i + 1];
}
inject(payload, fileName);
return 0;
}
void inject(char *payload, char *fname) {
int src, dst, sz;
char myCurrentChar, newFilename[MAX], check[1],
*hex = (char *)calloc(0x80, sizeof(char)),
*comment = “\x3c\x21\x2d\x2d”,
*comment_end = “\x2d\x2d\x3e”;
strncpy(newFilename, fname, MAX);
newFilename[strlen(fname) – 3] = ‘\0’;
strcat(newFilename, “html”);
#ifdef _WIN32
src = _open(fname, O_RDONLY | O_BINARY, 0);
dst = _open(newFilename, O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, S_IREAD | S_IWRITE);
#elif __unix__
src = open(fname, O_RDONLY, 0);
dst = open(newFilename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
#endif
check[sz = read(src, check, 2)] = ‘\0’;
if (strcmp(check, “MZ”)) {
fprintf(stderr, “[!] Enter a valid PE file”);
close(src);
exit(–1);
}
lseek(src, 0, SEEK_SET);
while (read(src, &myCurrentChar, 1)) write(dst, &myCurrentChar, 1);
lseek(dst, e_cblp, SEEK_SET);
printf(“[*] Commenting the MS-DOS e_cblp at offset 0x%x\n\n”, e_cblp);
write(dst, comment, strlen(comment));
close(src);
close(dst);
#ifdef _WIN32
dst = _open(newFilename, O_RDONLY | O_BINARY, 0);
#elif __unix__
dst = _open(newFilename, O_RDONLY, 0);
#endif
hex[sz = read(dst, hex, 0x80)] = ‘\0’;
dump(hex, sz);
free(hex);
close(dst);
#ifdef _WIN32
src = _open(payload, O_RDONLY | O_BINARY, 0);
dst = _open(newFilename, O_WRONLY | O_APPEND | O_BINARY, 0);
#elif __unix__
src = open(payload, O_RDONLY, 0);
dst = open(newFilename, O_WRONLY | O_APPEND, 0);
#endif
puts(“\n[*] Appending the Payload”);
write(dst, comment_end, strlen(comment_end));
while (read(src, &myCurrentChar, 1)) write(dst, &myCurrentChar, 1);
close(src);
close(dst);
printf(“[+] Successfully written to %s\n”, newFilename);
}
void dump(void *addr, int len) {
size_t i;
unsigned char buff[0x80];
unsigned char *pc = (unsigned char*)addr;
for (i = 0; i < len; i++) {
if (!(i % 16)) {
if (i) printf(” %s\n”, buff);
printf(” 0x%04X: “, i);
}
printf(” %02X”, pc[i]);
buff[i % 16] = (pc[i] < 0x20) || (pc[i] > 0x7e) ? ‘.’ : pc[i];
buff[(i % 16) + 1] = ‘\0’;
}
while ((i % 16)) {
printf(” “);
i++;
}
printf(” %s\n”, buff);
}
/*EOF*/
|
Another thing to note is that in Windows, cmd.exe and rundll32 will treat any file with any extension as a valid PE as long as it begins with the IMAGE_DOS_SIGNATURE
.
By abusing these Windows features (bugs) we can execute our HTML files as executables as well as run in the web browser displaying HTML/PHP/ASP/JSP content.
You can run the newly created PE file with HTML extension or with any extension using cmd.
cmd /c file.html
Process explorer output would look like this.
Rundll32 does not validate any extensions, therefore you can execute any DLL with any extension.
By combining these features (bugs) an attacker can achieve social engineering. This won’t bypass any AV or any EDR. But will surely confuse the analyzer. Might be a handy trick to use at the last stage once your payload is undetectable.
A checksum check can be used to prevent attackers from modifying the MS-DOS header. But a skilled reverse engineer may find the checksum routine and patch it to bypass the anti-reversing technique.
The author takes no responsibility for any damage you cause. This is strictly written for educational purposes.