1. Overview of Image File Hacking
Python provides very powerful features for handling files. Python can open a binary file and change or append information to it. If you add a script to the various types of image files used on the Web, you can create a hacking tool with powerful features. Let's create a simple program that inserts a JavaScript snippet handling cookies into a bitmap (BMP) file.
Figure 5-1 Overview of Image File Hacking
First, let's create the “hello.bmp” image.
You can view the HEX values by opening the image in a hex editor. The first two bytes are the magic number used to identify a bitmap file: 0x42 and 0x4D are the ASCII codes for “B” and “M”, and the following 4 bytes hold the size of the BMP file.
Figure 5-2 BMP File Structure
2. Image File Hacking
First, let's create the script that will be inserted into the bitmap file. A browser has the ability to create and save cookies. A cookie is a small file of information that the web browser records on the PC. Browsers store cookies in their own memory space and file format, and programmers often use cookies to store login and session information for the user. If a hacker obtains a cookie, it can be used in various kinds of attack. The following script creates a cookie, saves information into it, and prints a message in an alert window.
var name = 'id';
var value = 'HongGilDong';
var todayDate = new Date();
todayDate.setDate(todayDate.getDate() + 7);   // expiry: 7 days from now
document.cookie = name + "=" + escape(value) + "; path=/; expires=" + todayDate.toGMTString();
alert(document.cookie);
Cookies are stored as (name, value) pairs. Here name = 'id' and value = 'HongGilDong' are stored in the cookie. A cookie also has an expiry time; here it is set to 7 days from now. Finally, an alert window is displayed to show that the cookie has been set.
Now, let's create a program that inserts the script into a bitmap file.
fname = "hello.bmp"
pfile = open(fname, "r+b") #(1)
buff = pfile.read()
buff = buff.replace(b'\x2A\x2F', b'\x00\x00') #(2)  bytes are immutable, so keep the returned copy
pfile.close()
pfile = open(fname, "w+b") #(3)
pfile.write(buff)
pfile.seek(2, 0) #(4)
pfile.write(b'\x2F\x2A') #(5)
pfile.close()
pfile = open(fname, "a+b") #(6)
pfile.write(b'\xFF\x2A\x2F\x3D\x31\x3B') #(7)
with open('hello.js', 'rb') as jsfile:  # append the script, closing hello.js afterwards
    pfile.write(jsfile.read())
pfile.close()
This is a simple example that opens a binary file and adds a script to it.
(1) Opening a Binary File (read mode): open the hello.bmp file. “r+b” opens the file in binary mode so that its raw bytes can be read. The contents are stored in the variable “buff”.
(2) Removing Errors: any “*/” sequence (0x2A 0x2F) in the image data is replaced, here with two null bytes, because it would close the comment early and generate an error when the script is executed. If you print b'\x2A\x2F' you can see that these bytes are the ASCII characters “*/”.
(3) Opening a Binary File (write mode): open the hello.bmp file. “w+b” opens the file in binary mode for writing, truncating it first. The content stored in the variable “buff” is written back into the hello.bmp file.
(4) Moving the File Position: “seek(2, 0)” moves the file cursor two bytes from the start of the file.
(5) Inserting a Comment Opener: insert “/*”, which marks the start of a JavaScript comment, directly after the magic number. The magic number is the value used to identify a bitmap file. Even if some damage has occurred in the remaining data, the browser can still read the bitmap file as long as the magic number is recognised.
(6) Opening a Binary File (append mode): open the hello.bmp file. “a+b” opens the file in binary append mode. Whatever is written from now on is added to the end of the existing hello.bmp file.
(7) Inserting a Comment Closer: insert “*/”, which marks the end of the comment. The bytes written here are 0xFF followed by “*/=1;” (0x2A 0x2F 0x3D 0x31 0x3B), so when the file is run as a script the bitmap image part is commented out and the browser sees the statement BM=1; before the appended script.
When the program is run, the bitmap file size increases slightly because of the added script. The quality of the image as seen by the human eye is unchanged. If you open the bitmap file in an editor, you can verify that the file has been changed as follows.
Figure 5-3 the Result of ImageHacking.py
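Because the technique leaves two recognisable traces (a “/*” directly behind the BM magic and data appended after the pixel array), a defender can flag such files from the header alone. The following detector is an added example and is not part of the original post; it constructs its own 1x1 test bitmap and a tampered copy built the way the text describes, and the helper names (make_clean_bmp, make_tampered_bmp, expected_size, inspect_bmp) are this example's own.

```python
import struct

def make_clean_bmp() -> bytes:
    """Constructed sample: a valid 1x1 24-bit BMP (58 bytes) used as test input."""
    pixel = b"\x00\x00\xff\x00"                       # one BGR pixel + 1 pad byte
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixel)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib)) + dib + pixel

def make_tampered_bmp() -> bytes:
    """Constructed sample: the same BMP edited as the text describes
    ('/*' behind the magic, then 0xFF '*/=1;' and script text appended)."""
    data = bytearray(make_clean_bmp())
    data[2:4] = b"/*"
    data += b"\xff*/=1;" + b"var planted = 1;"       # placeholder script body
    return bytes(data)

def expected_size(data: bytes) -> int:
    """File size implied by the DIB header (BITMAPINFOHEADER or larger):
    pixel-data offset + padded row size * number of rows."""
    pix_off = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    row = ((width * bpp + 31) // 32) * 4              # rows are padded to 4 bytes
    return pix_off + row * abs(height)

def inspect_bmp(data: bytes) -> list:
    """Return the reasons a file looks like a BMP/JavaScript polyglot
    (empty list = nothing suspicious). Looks only at header fields."""
    reasons = []
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP: bad magic or truncated header"]
    if data[2:4] == b"/*":                             # opener overwrote the size field
        reasons.append("'/*' directly after the BM magic")
    if struct.unpack_from("<I", data, 14)[0] < 40:
        return reasons + ["DIB header too small to evaluate"]
    trailing = data[expected_size(data):]
    if trailing:
        reasons.append(f"{len(trailing)} bytes appended after the pixel data")
    if b"*/" in trailing:
        reasons.append("'*/' comment closer inside the appended bytes")
    return reasons

if __name__ == "__main__":
    for label, blob in (("clean", make_clean_bmp()), ("tampered", make_tampered_bmp())):
        print(label, inspect_bmp(blob) or "ok")
```

The size field at offset 2 is deliberately not trusted, since the comment opener overwrites its low two bytes; the pixel-array geometry from the DIB header survives the edit and gives a reliable end-of-image position.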
Let's create a simple HTML page that opens the bitmap file in which the script was planted. The first line is the code that displays the hello.bmp image on the screen, and the second line is the code that runs the script that has been added to hello.bmp.
<img src="hello.bmp"/> <!-- Image Output -->
<script src="hello.bmp"></script> <!-- Run the script -->
Figure 5-4 the Result of hello.html
The “hello.js” created here simply saves a cookie and prints its value in an alert window. Now assume the following situation. A hacker inserts into the bitmap file a script that sends the cookie information to another site. People download the bitmap file that the hacker posted on a bulletin board and run it inadvertently. At that moment, the user's cookie information is transferred to a site chosen by the hacker. A hacker can therefore use this technique to implement an XSS attack.