Hacking the World with HTML

In my previous article Exploring the MS-DOS Stub I stated that after experimenting, the Windows loader only cares about the e_magic and the e_lfanew members from the _IMAGE_DOS_HEADER. Because the rest of the members of the DOS header is used by MS-DOS to execute the stub program. Check it out if you have not.

If you take a PE file and null out the MS-DOS header and the MS-DOS stub program leaving out the e_magic and the e_lfanew values, the PE will still work fine as the rest is not needed by the Windows PE loader. The e_lfanew address at offset 0x3c is important as it points to the beginning of the _IMAGE_NT_HEADERS structure which is the actual start of the PE file.

Since those values are not important we can insert an HTML comment from offset 0x2 which is the e_cblp value and begin an HTML comment and end the comment at the end of the PE and append our HTML/PHP/ASP/JSP file contents.

I wrote a simple program in C to automate this task. You can provide your PE file and the HTML/PHP/ASP/JSP file to inject and it will generate an HTML file. You can rename the file into the extension you desire.

https://github.com/OsandaMalith/PE2HTML

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#ifdef _WIN32
#include <io.h>
#endif

#define MAX 500
#define e_cblp 0x2
#define STUB 0x40

/*
Author: Osanda Malith Jayathissa (@OsandaMalith)
Write-up: https://osandamalith.com/2020/07/19/hacking-the-world-with-html/
Disclaimer: Author takes no responsibility for any damage you cause.
Use this for educational purposes only.
Copyright (c) 2020 Osanda Malith Jayathissa
https://creativecommons.org/licenses/by-sa/3.0/
*/

void inject(char *, char *);
void dump(void *, int);
void 
banner() {
	fflush(stdin);
	const static char *banner =
		"\t        _-_.\n"
		"\t     _-',^. `-_.\n"
		"\t ._-' ,'   `.   `-_ \n"
		"\t!`-_._________`-':::\n"
		"\t!   /\\        /\\::::\n"
		"\t;  /  \\      /..\\::: PE 2 HTML Injector\n"
		"\t! /    \\    /....\\:: Coded by Osanda Malith Jayathissa (@OsandaMalith)\n"
		"\t!/      \\  /......\\: https://osandamalith.com\n"
		"\t;--.___. \\/_.__.--;; \n"
		"\t '-_    `:!;;;;;;;'\n"
		"\t    `-_, :!;;;''\n"
		"\t        `-!'  \n";
	for (banner; *banner; ++banner) fprintf(stdout, "%c", *banner);
}

int
main(int argc, char *argv[]) {
	size_t i;
	char *fileName, *payload;

	banner();
	if (argc != 5) {
		printf("\n[-] Usage: %s -i <PE> -p <HTML/PHP/ASP File> \n", argv[0]);
		puts("[*] The output will be in .html, You may rename it to the format you desire.");
		return 1;
	}

	for (i = 1; i < argc; i++) {
		if (!strcmp(argv[i], "-i")) fileName = argv[i + 1];
		if (!strcmp(argv[i], "-p")) payload = argv[i + 1];
	}

	inject(payload, fileName);
	return 0;
}

void inject(char *payload, char *fname) {
	int src, dst, sz;
	char myCurrentChar, newFilename[MAX], check[1],
	*hex = (char *)calloc(0x80, sizeof(char)),
	*comment = "\x3c\x21\x2d\x2d",
	*comment_end = "\x2d\x2d\x3e";

	strncpy(newFilename, fname, MAX);
	newFilename[strlen(fname) - 3] = '\0';
	strcat(newFilename, "html");

#ifdef _WIN32
	src = _open(fname, O_RDONLY | O_BINARY, 0);
	dst = _open(newFilename, O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, S_IREAD | S_IWRITE);

#elif __unix__
	src = open(fname, O_RDONLY, 0);
	dst = open(newFilename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
#endif

	check[sz = read(src, check, 2)] = '\0';
	if (strcmp(check, "MZ")) {
		fprintf(stderr, "[!] Enter a valid PE file"); 
		close(src);
		exit(-1);
	}
	
	lseek(src, 0, SEEK_SET);
	while (read(src, &myCurrentChar, 1)) write(dst, &myCurrentChar, 1);

	lseek(dst, e_cblp, SEEK_SET);

	printf("[*] Commenting the MS-DOS e_cblp at offset 0x%x\n\n", e_cblp);
	write(dst, comment, strlen(comment));

	close(src);
	close(dst);

#ifdef _WIN32
	dst = _open(newFilename, O_RDONLY | O_BINARY, 0);
#elif __unix__
	dst = open(newFilename, O_RDONLY, 0);
#endif

	hex[sz = read(dst, hex, 0x80)] = '\0';
	dump(hex, sz);

	free(hex);
	close(dst);

#ifdef _WIN32
	src = _open(payload, O_RDONLY | O_BINARY, 0);
	dst = _open(newFilename, O_WRONLY | O_APPEND | O_BINARY, 0);

#elif __unix__   
	src = open(payload, O_RDONLY, 0);
	dst = open(newFilename, O_WRONLY | O_APPEND, 0);
#endif

	puts("\n[*] Appending the Payload");
	write(dst, comment_end, strlen(comment_end));
	while (read(src, &myCurrentChar, 1)) write(dst, &myCurrentChar, 1);

	close(src);
	close(dst);

	printf("[+] Successfully written to %s\n", newFilename);
}

void dump(void *addr, int len) {
	size_t i;
	unsigned char buff[0x80];
	unsigned char *pc = (unsigned char*)addr;

	for (i = 0; i < len; i++) {
		if (!(i % 16)) {
			if (i) printf("  %s\n", buff);
			printf("  0x%04X: ", i);
		}
		printf(" %02X", pc[i]);
		buff[i % 16] = (pc[i] < 0x20) || (pc[i] > 0x7e) ? '.' : pc[i];
		buff[(i % 16) + 1] = '\0';
	}
	while ((i % 16)) {
		printf("   ");
		i++;
	}
	printf("  %s\n", buff);
}
/*EOF*/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <fcntl.h>

#include <sys/types.h>

#include <sys/stat.h>

#ifdef _WIN32

#include <io.h>

#endif

#define MAX 500

#define e_cblp 0x2

#define STUB 0x40

Author: Osanda Malith Jayathissa (@OsandaMalith)

Write-up: https://osandamalith.com/2020/07/19/hacking-the-world-with-html/

Disclaimer: Author takes no responsibility for any damage you cause.

Use this for educational purposes only.

https://creativecommons.org/licenses/by-sa/3.0/

void inject(char *, char *);

void dump(void *, int);

void

banner() {

fflush(stdin);

const static char *banner =

"\t _-_.\n"

"\t _-',^. `-_.\n"

"\t ._-' ,' `. `-_ \n"

"\t!`-_._________`-':::\n"

"\t! /\\ /\\::::\n"

"\t; / \\ /..\\::: PE 2 HTML Injector\n"

"\t! / \\ /....\\:: Coded by Osanda Malith Jayathissa (@OsandaMalith)\n"

"\t!/ \\ /......\\: https://osandamalith.com\n"

"\t;--.___. \\/_.__.--;; \n"

"\t '-_ `:!;;;;;;;'\n"

"\t `-_, :!;;;''\n"

"\t `-!' \n";

for (banner; *banner; ++banner) fprintf(stdout, "%c", *banner);

}

int

main(int argc, char *argv[]) {

size_t i;

char *fileName, *payload;

banner();

if (argc != 5) {

printf("\n[-] Usage: %s -i <PE> -p <HTML/PHP/ASP File> \n", argv[0]);

puts("[*] The output will be in .html, You may rename it to the format you desire.");

return 1;

}

for (i = 1; i < argc; i++) {

if (!strcmp(argv[i], "-i")) fileName = argv[i + 1];

if (!strcmp(argv[i], "-p")) payload = argv[i + 1];

}

inject(payload, fileName);

return 0;

}

void inject(char *payload, char *fname) {

int src, dst, sz;

char myCurrentChar, newFilename[MAX], check[1],

*hex = (char *)calloc(0x80, sizeof(char)),

*comment = "\x3c\x21\x2d\x2d",

*comment_end = "\x2d\x2d\x3e";

strncpy(newFilename, fname, MAX);

newFilename[strlen(fname) - 3] = '\0';

strcat(newFilename, "html");

#ifdef _WIN32

src = _open(fname, O_RDONLY | O_BINARY, 0);

dst = _open(newFilename, O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, S_IREAD | S_IWRITE);

#elif __unix__

src = open(fname, O_RDONLY, 0);

#endif

check[sz = read(src, check, 2)] = '\0';

if (strcmp(check, "MZ")) {

fprintf(stderr, "[!] Enter a valid PE file");

close(src);

exit(-1);

}

lseek(src, 0, SEEK_SET);

while (read(src, &myCurrentChar, 1)) write(dst, &myCurrentChar, 1);

lseek(dst, e_cblp, SEEK_SET);

printf("[*] Commenting the MS-DOS e_cblp at offset 0x%x\n\n", e_cblp);

write(dst, comment, strlen(comment));

close(src);

close(dst);

#ifdef _WIN32

dst = _open(newFilename, O_RDONLY | O_BINARY, 0);

#elif __unix__

dst = open(newFilename, O_RDONLY, 0);

#endif

hex[sz = read(dst, hex, 0x80)] = '\0';

dump(hex, sz);

free(hex);

close(dst);

#ifdef _WIN32

src = _open(payload, O_RDONLY | O_BINARY, 0);

dst = _open(newFilename, O_WRONLY | O_APPEND | O_BINARY, 0);

#elif __unix__

src = open(payload, O_RDONLY, 0);

dst = open(newFilename, O_WRONLY | O_APPEND, 0);

#endif

puts("\n[*] Appending the Payload");

write(dst, comment_end, strlen(comment_end));

while (read(src, &myCurrentChar, 1)) write(dst, &myCurrentChar, 1);

close(src);

close(dst);

printf("[+] Successfully written to %s\n", newFilename);

}

void dump(void *addr, int len) {

size_t i;

unsigned char buff[0x80];

unsigned char *pc = (unsigned char*)addr;

for (i = 0; i < len; i++) {

if (!(i % 16)) {

if (i) printf(" %s\n", buff);

printf(" 0x%04X: ", i);

}

printf(" %02X", pc[i]);

buff[i % 16] = (pc[i] < 0x20) || (pc[i] > 0x7e) ? '.' : pc[i];

buff[(i % 16) + 1] = '\0';

}

while ((i % 16)) {

printf(" ");

i++;

}

printf(" %s\n", buff);

}

/*EOF*/

Another thing to note is that in Windows, cmd.exe and rundll32 will treat any file with any extension as a valid PE as long as it begins with the IMAGE_DOS_SIGNATURE.

By abusing these Windows features (bugs) we can execute our HTML files as executables as well as run in the web browser displaying HTML/PHP/ASP/JSP content.

You can run the newly created PE file with HTML extension or with any extension using cmd.

cmd /c file.html

Process explorer output would look like this.

Rundll32 does not validate any extensions, therefore you can execute any DLL with any extension.

By combining these features (bugs) an attacker can achieve social engineering. This won’t bypass any AV or any EDR. But will surely confuse the analyzer. Might be a handy trick to use at the last stage once your payload is undetectable.

A checksum check can be used to prevent attackers from modifying the MS-DOS header. But a skilled reverse engineer may find the checksum routine and patch it to bypass the anti-reversing technique.

The author takes no responsibility for any damage you cause. This is strictly written for educational purposes.

Exploring the MS-DOS Stub

A long time ago when I got my first computer, I accidentally opened a 32-bit demo with a nice chiptune inside MS-DOS and it worked. I was surprised by how this happens. I was curious to find out how this works behind the scenes. Back in the time I was…

July 19, 2020

In "Reversing"

PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags

Recently I was interested in exploring the PE headers and writing simple programs to manipulate different headers. There are thousands of applications and code to be found on this topic. I started by exploring this Windows structure called "LOADED_IMAGE". [c] typedef struct _LOADED_IMAGE { PSTR ModuleName; HANDLE hFile; PUCHAR MappedAddress;…

October 24, 2018

Magic Folder Hide

This is a application which I coded in last year but I have forgotten to make a blog post. Using this tool you can create a '..' folder in Windows and store your data inside it. No one can access your files using the explorer since the path is not…

March 1, 2016

In "Pentesting"

14 thoughts on “Hacking the World with HTML”

Pingback: Hacking the World with HTML | ?Blog of Osanda – Library 8: Operazione Dyn-O-Mite!
psychocod3r
July 21, 2020
So how do you get the malicious HTML file to execute? Wouldn’t the user have to open the executable in a web browser for that to happen?

- Osanda Malith Jayathissa
  July 21, 2020
  I have mentioned on how to execute the file. It will work on both the web browser and in CMD. You can also use a PE loader to execute.
  
  - dragonweb
    October 20, 2022
    
    It doesn’t work on the browser, but it works fine on the cmd,Can you make a video of how to use it ):
Manthila Mallawa
August 2, 2020
I manually nulled and added wanted html. it works fine in the browser but when I exec with cmd it gives me this error, “cannot run or start due to incompatibility with 64-bit windows” also that binary I have edited was 64bit compiled. any ideas?

- Osanda Malith Jayathissa
  August 2, 2020
  Did you try using the code I have posted?
  
  - Manthila Mallawa
    August 2, 2020
    
    Yes but it takes some time to complete, anyhow I was able successfully add my HTML code to putty PE manually with the second try :D. Great tutorial !
Pingback: Weekly IT Security News Bulletin #31 | Ptrace Security GmbH
Pingback: IT Security News Bulletin #31 | Ptrace Security GmbH
Pingback: Hacking the World with HTML – Hacking Tricks
vyansumbajo
November 10, 2020
Great!

Otto
December 7, 2021
Hello, i try this soft, but when html file not appending with payload, how solve this problem?

- Osanda Malith Jayathissa
  December 7, 2021
  Did you try manually?
  
  - Otto
    December 8, 2021
    
    no via script, adding does not start after transferring the load to html, compiled with gcc, I would be grateful if you could throw off an example of the apended html or suggest how to fix the problem.

Blog of Osanda

Security Researching and Reverse Engineering

Exploring the MS-DOS Stub

PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags

Magic Folder Hide

14 thoughts on “Hacking the World with HTML”

Leave a ReplyCancel reply

Share this:

Exploring the MS-DOS Stub

PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags

Magic Folder Hide

14 thoughts on “Hacking the World with HTML”

Leave a ReplyCancel reply