Monday, October 7, 2013

OhNo - The Evil Image Builder & Meta Manipulator

Today I would like to share a little something I made for fun. I previously made a posting on how to bypass general client side checks for uploading shells through open or administrative panels here, well my buddy decided to one up me with a even better posting which you can read here: http://hackers2devnull.blogspot.co.uk/2013/05/how-to-shell-server-via-image-upload.html. In his write-up he talks about embedding PHP code within image tags to bypass weak server side checks which might be only using getimagesize() to verify it is a real image. In cases where this is beatable and there is no or minimal filename re-writing you can get creative as he outlines in his posting to get a shell. This method can also be very highly effective in exploiting include() type vulnerabilities with evil avatars as well! Anyways, he demonstrated things using a tool on Windows so I did some quick looking to see if I could replicate the functionalityt in Ruby, turns out you can :)

Mini_Exiftool to the rescue! As they describe it on their Github page "This library is a wrapper for the Exiftool command-line application (http://www.sno.phy.queensu.ca/~phil/exiftool/) written by Phil Harvey. You will get the full power of Exiftool to Ruby: Reading and writing of EXIF-data, IPTC-data and XMP-data." If you don't know anything about metatags, EXIF data or what I've been talking about then go check out the Exiftool site to read a bit more about it and how it works as it will help you understand whats going on under the hood.

For quick summary and the lazy, this tool can be used to read and dump the meta tags and meta values off of the files as well as remove and re-write the tag values in many cases. What all is in there? All kinds of random data can be found in the meta data, from manufacturer information from the device which took the picture or recording, to latitude and longitude of where a photo was taken, to who originally authored a document and when, contact info and emails even. There is a great amazing wealth of information available sometimes if you just look!

In our case we will be taking advantage of all that spare space as r0ng demonstrated to store (evil) PHP code in image files. I made a simple tool to leveraging the Mini_Exiftool gem to automate the process and make it a bit easier for the average user and because i felt like also making a small GUI for things (more fun with Tk bindings). You can find most of the Mini-Exiftool functionality covered in their tutorial, so I won't go over too much as I mostly just linked small functions shown there to fit the command line options parsed by optparse, not too much magic here. You can set options as arguments and run how you like or run in a GUI mode and do it all from there.

Help Menu:

Dump All Tags and associated Tag Values for file:

Write to Tag (it will try to create if it doesn't exist):


Dump after to confirm file write:


If you set the value to nothing and write it will remove the tag (& value):

Dump after to confirm:


I also created a nuke (-n) option which simply automates the above null write process to remove the tag. The Exiftool CLI and even the gem have more functionality to adjust timestamps and more subtle details, i kept it simple for now so mostly just string values for tags which are writable and hold string values. As a general rule of thumb the 'Comment' tag is almost always writable and/or can be created and written to. Perhaps in the future I will try to further extend to allow such functionality but for now it does what it needs to, embed PHP Shell code in images ;)

Embedding r0ng Shell from CLI:


Hex Dump to Confirm:

Bypass Uploader restrictions or new .htaccess (AddType application/x-httpd-php .png) as described in previous write-ups and then execute your shell in Browser:


I added a -u option which will help quickly build all possible upload filenames. I know i often tend to forget one or two when I do it 100% manually so this just helps me build a folder so I can then run through them all in hopes one will sneak past weak filters and checks.

Launch in GUI mode:


Embedding Sneaky Shell from GUI:


I only tested it with image files as that was my main target but i do believe you should be able to also use the general viewing, deleting and writing with any file Exiftool would support (i.e. PDF, Word, Excel, etc). The CeWL password list generator tool is another Ruby project which leverages Meta data to help profile corporate targets for password auditing purposes, read more about that project here. Please let me know how things work for you and how else this might be useful to you so I can try to improve as time allows.

DOWNLOAD: Zip File w/Gemfile, Both Source Files, and a few Sample Images: DOWNLOAD
 
Getting things working:
Ruby TK Bindings Needed for GUI Support:
COMMAND: apt-get install tk libtk-ruby

If require 'tkextlib/tile' throws in `require': TkPackage can't find package tile (RuntimeError)
COMMANDS: teacup install tile

ExifTool CLI Installation: http://www.sno.phy.queensu.ca/~phil/exiftool/install.html
  • Download file, run commands:
  • cd <your download directory>
  • gzip -dc Image-ExifTool-#.##.tar.gz | tar -xf -
  • cd Image-ExifTool-#.##/
  • perl Makefile.PL
  • make test
  • sudo make install
Once pre-requisites above are met:
COMMANDS:
  • wget http://uppit.com/l2r0chwr6q4t/OhNo.zip
  • unzip OhNo.zip
  • cd OhNo/
  • bundle install
  • ./ohno -h

Source Code for Full All in One, also outlined below (CLI & GUI): SOURCE

Source Code for Standalone CLI Version (NO GUI): SOURCE

Raw All in One Code:

Hope this is helpful to someone out there....

Until next time, Enjoy!

11 comments:

  1. This comment has been removed by the author.

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. This comment has been removed by the author.

      Delete
  2. The package was downloaded from github
    Any ideas on this error ?
    root@kali:/opt/ohNo# ls
    GemFile Image-ExifTool-9.62 images ohno ohno-c README.md
    root@kali:/opt/ohNo# bundle install
    Could not locate Gemfile
    root@kali:/opt/ohNo#
    i tried other directory names as well

    ReplyDelete
  3. Not sure, but I will try to setup a VM this weekend and do some testing on the latest release and will post back if I find anything to explain your issue.

    ReplyDelete
  4. Link not found http://uppit.com/l2r0chwr6q4t/OhNo.zip. Can you provide alternative link? Thanks in advance

    ReplyDelete
  5. Link not found can you provide a new one : http://uppit.com/l2r0chwr6q4t/OhNo.zip

    ReplyDelete
  6. http://uppit.com/l2r0chwr6q4t/OhNo.zip not found would you please provide me the file in jagobandhusome@gmail.com or any other link?

    ReplyDelete