rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

How to embed evasion created *.hta file into jpg image ? #11175

Closed Sonya2010 closed 5 years ago

Sonya2010 commented 5 years ago

Dear All, I have the msf5-dev version installed on kali-linux 2018 rolling. I would like to know if there is any module related to embedding an evasion-module-created *.hta file into a jpg image or PDF? Your guidance will be appreciated. Regards.

hktalent commented 5 years ago

@Sonya2010 @bcoles use DKMC - Don't kill my cat - Malicious payload evasion tool https://github.com/Mr-Un1k0d3r/DKMC

or @see https://github.com/hktalent/myhktools

Sonya2010 commented 5 years ago

But DKMC only receives the raw shellcode which is embedded into the image file; there is no option in the DKMC menu for injecting the exe or hta file extension.

Sonya2010 commented 5 years ago

Dear All, I still couldn't figure out how to embed and execute (when the image file is viewed) a .hta or .exe file into a jpg file or any image format. DKMC accepts the shellcode but not the exe file; there is a module in DKMC which converts exe to shellcode, but it doesn't work. What else can I do to achieve my goal? Your help will be appreciated.

bcoles commented 5 years ago

Your goal is unclear.

Creating an image that will execute code when opened in a program requires a vulnerability in the program.

You may wish to take a look at the fileformat modules.

Sonya2010 commented 5 years ago

> Creating an image that will execute code when opened in a program requires a vulnerability in the program.

Then I really misinterpreted something. I thought that any RAT created with msfvenom or any other framework can be embedded into an image file and the end-user can be lured to click on the image file, which will result in execution of the malicious RAT, so why does it require an exploit in the viewing program, say the default Windows Image/Photo Viewer?

In any case the image will contain the RAT; when the user clicks on the image to view the content, it will view the image and actually execute the RAT as well? Is it correct?

bcoles commented 5 years ago

> Then I really misinterpreted something

Yes.

> In any case the image will contain the RAT; when the user clicks on the image to view the content, it will view the image and actually execute the RAT as well? Is it correct?

It depends on which program is used to open the file.

Image viewing programs are designed to read a file, determine which image format is in use (png, svg, jpg, etc.), parse the file data using an appropriate parser for the image format, then render the resulting image.

Image viewing programs are not designed to execute code; however, sometimes code execution can be achieved, usually through a design flaw or vulnerability within the program.

It's possible to create a valid image, which will be parsed and rendered by an image viewing program, but would be parsed and interpreted differently by another program.

Traditionally, this technique has been used to target web servers by uploading what appears to be a valid image file which also contains executable content.

Consider the following image:

[image: hi]

Save the above image, and open it in a hex editor or text editor, and observe the PHP code:

<?php echo 'hello'; ?>

Opening the file in an image viewing program will cause the program to render the image and ignore the PHP code. However, if the file was loaded by the PHP interpreter, the image data would be ignored and the PHP code would be executed instead.

On desktop systems, the program used to open a file is usually determined by the file extension (i.e., .png). As such, an image file containing executable code would usually be opened and rendered by an image viewing program and the code would not execute.

Web browsers are a whole other mess, largely due to content sniffing.

You may also wish to learn more about polyglots.
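The image/PHP polyglot described above works because the PHP interpreter ignores the image bytes and the image parser ignores the PHP. The following added example (not from the thread or from Metasploit) shows the defender's side for an upload handler: it builds a constructed 1x1 PNG, optionally with a PHP tag in an ancillary tEXt chunk or appended after IEND, and then walks the chunk structure to flag script markers and any bytes the image format does not account for. Chunk type names and the finding strings are my own naming.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SCRIPT_MARKERS = (b"<?php", b"<script", b"<%")  # markers an upload check might flag

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed 1x1 8-bit grayscale PNG; extra ancillary chunks go before IDAT,
    and `trailer` is appended after IEND (where image parsers stop reading)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one pixel
    body = PNG_SIG + chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += chunk(ctype, data)
    return body + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailer

def inspect_png(blob: bytes) -> list:
    """Walk the chunk structure and return findings; [] means a clean PNG."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["bad_signature"]
    pos, seen_iend = len(PNG_SIG), False
    while pos + 8 <= len(blob) and not seen_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return findings + ["truncated_chunk"]
        name = ctype.decode("ascii", "replace")
        if struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF) != crc:
            findings.append("bad_crc:" + name)
        if any(m in data for m in SCRIPT_MARKERS):
            findings.append("script_in_chunk:" + name)  # e.g. PHP hidden in tEXt
        seen_iend = ctype == b"IEND"
        pos += 12 + length
    if not seen_iend:
        findings.append("missing_iend")
    if pos < len(blob):
        findings.append("trailing_bytes:%d" % (len(blob) - pos))  # data after IEND
    return findings
```

A scanner like this is a complement, not a substitute, for the structural fixes: re-encode uploaded images through a trusted decoder and store them where no server-side interpreter will ever be handed the file.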

Sonya2010 commented 5 years ago

Based on your elaboration, there is no such phenomenon as embedding a .hta or .exe into an image file and executing it unless there is a vulnerability in the image viewing program. As long as you own the EIP, and if the shellcode fits into memory, then you can execute anything from the vulnerable program, if it's vulnerable. Many videos and articles on the internet are misleading in that regard. These things have made me believe that you can always embed the exe into a jpeg; the guys who have posted @hktalent DKMC and hktools are misleading also.

I really wonder what DKMC is actually doing when hiding the executables into images; this should be image-viewer-specific, but nowhere is it stated.

bcoles commented 5 years ago

You misunderstand

Sonya2010 commented 5 years ago

> You misunderstand

Really, how on earth? What exactly is the whole concept?

> Image viewing programs are not designed to execute code; however, sometimes code execution can be achieved, usually through a design flaw or vulnerability within the program.

It should be clear from what you said.

bcoles commented 5 years ago

> What exactly is the whole concept?

Yes.

The issue tracker is for issues with Metasploit, not for support. Closing.

Try the Metasploit Slack channel, or Metasploit IRC channel, or Google.