Mini_Exiftool to the rescue! As they describe it on their Github page "This library is a wrapper for the Exiftool command-line application (http://www.sno.phy.queensu.ca/~phil/exiftool/) written by Phil Harvey. You will get the full power of Exiftool to Ruby: Reading and writing of EXIF-data, IPTC-data and XMP-data." If you don't know anything about metatags, EXIF data or what I've been talking about then go check out the Exiftool site to read a bit more about it and how it works as it will help you understand whats going on under the hood.
For quick summary and the lazy, this tool can be used to read and dump the meta tags and meta values off of the files as well as remove and re-write the tag values in many cases. What all is in there? All kinds of random data can be found in the meta data, from manufacturer information from the device which took the picture or recording, to latitude and longitude of where a photo was taken, to who originally authored a document and when, contact info and emails even. There is a great amazing wealth of information available sometimes if you just look!
In our case we will be taking advantage of all that spare space as r0ng demonstrated to store (evil) PHP code in image files. I made a simple tool to leveraging the Mini_Exiftool gem to automate the process and make it a bit easier for the average user and because i felt like also making a small GUI for things (more fun with Tk bindings). You can find most of the Mini-Exiftool functionality covered in their tutorial, so I won't go over too much as I mostly just linked small functions shown there to fit the command line options parsed by optparse, not too much magic here. You can set options as arguments and run how you like or run in a GUI mode and do it all from there.
Dump All Tags and associated Tag Values for file:
Write to Tag (it will try to create if it doesn't exist):
Dump after to confirm file write:
If you set the value to nothing and write it will remove the tag (& value):
Dump after to confirm:
I also created a nuke (-n) option which simply automates the above null write process to remove the tag. The Exiftool CLI and even the gem have more functionality to adjust timestamps and more subtle details, i kept it simple for now so mostly just string values for tags which are writable and hold string values. As a general rule of thumb the 'Comment' tag is almost always writable and/or can be created and written to. Perhaps in the future I will try to further extend to allow such functionality but for now it does what it needs to, embed PHP Shell code in images ;)
Embedding r0ng Shell from CLI:
Hex Dump to Confirm:
Bypass Uploader restrictions or new .htaccess (AddType application/x-httpd-php .png) as described in previous write-ups and then execute your shell in Browser:
I added a -u option which will help quickly build all possible upload filenames. I know i often tend to forget one or two when I do it 100% manually so this just helps me build a folder so I can then run through them all in hopes one will sneak past weak filters and checks.
Launch in GUI mode:
Embedding Sneaky Shell from GUI:
I only tested it with image files as that was my main target but i do believe you should be able to also use the general viewing, deleting and writing with any file Exiftool would support (i.e. PDF, Word, Excel, etc). The CeWL password list generator tool is another Ruby project which leverages Meta data to help profile corporate targets for password auditing purposes, read more about that project here. Please let me know how things work for you and how else this might be useful to you so I can try to improve as time allows.
DOWNLOAD: Zip File w/Gemfile, Both Source Files, and a few Sample Images: DOWNLOAD
Getting things working:
Ruby TK Bindings Needed for GUI Support:
COMMAND: apt-get install tk libtk-ruby
If require 'tkextlib/tile' throws in `require': TkPackage can't find package tile (RuntimeError)
COMMANDS: teacup install tile
ExifTool CLI Installation: http://www.sno.phy.queensu.ca/~phil/exiftool/install.html
- Download file, run commands:
- cd <your download directory>
- gzip -dc Image-ExifTool-#.##.tar.gz | tar -xf -
- cd Image-ExifTool-#.##/
- perl Makefile.PL
- make test
- sudo make install
- wget http://uppit.com/l2r0chwr6q4t/OhNo.zip
- unzip OhNo.zip
- cd OhNo/
- bundle install
- ./ohno -h
Source Code for Full All in One, also outlined below (CLI & GUI): SOURCE
Source Code for Standalone CLI Version (NO GUI): SOURCE
Raw All in One Code:
Hope this is helpful to someone out there....
Until next time, Enjoy!