adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c3f5bd3de2d1affa01e2f6c2066c6bb0fc6413bc
metasploit-gs/api/Msf/Exploit/Format/PhpPayloadPng.html
T
jenkins-metasploit c3f5bd3de2 Reboot gh-pages
2026-05-08 17:08:43 +00:00

421 lines
21 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::Format::PhpPayloadPng
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "Msf::Exploit::Format::PhpPayloadPng";
relpath = '../../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../../js/app.js"></script>
</head>
<body>
<div class="nav_wrap">
<iframe id="nav" src="../../../class_list.html?1"></iframe>
<div id="resizer"></div>
</div>
<div id="main" tabindex="-1">
<div id="header">
<div id="menu">
<a href="../../../_index.html">Index (P)</a> &raquo;
<span class='title'><span class='object_link'><a href="../../../Msf.html" title="Msf (module)">Msf</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../../Exploit.html" title="Msf::Exploit (class)">Exploit</a></span></span> &raquo; <span class='title'><span class='object_link'><a href="../Format.html" title="Msf::Exploit::Format (module)">Format</a></span></span>
&raquo;
<span class="title">PhpPayloadPng</span>
</div>
<div id="search">
<a class="full_list_link" id="class_list_link"
href="../../../class_list.html">
<svg width="24" height="24">
<rect x="0" y="4" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="12" width="24" height="4" rx="1" ry="1"></rect>
<rect x="0" y="20" width="24" height="4" rx="1" ry="1"></rect>
</svg>
</a>
</div>
<div class="clear"></div>
</div>
<div id="content"><h1>Module: Msf::Exploit::Format::PhpPayloadPng
</h1>
<div class="box_info">
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/format/php_payload_png.rb</dd>
</dl>
</div>
<h2>Overview</h2><div class="docstring">
<div class="discussion">
<p>This mixin module provides methods to inject persistent PHP payloads into a PNG file. It is based on the article of Quentin Roland from SynActiv. <a href="https://www.synacktiv.com/en/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html">www.synacktiv.com/en/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html</a> The mixin depends on the GEM library ChunkyPNG that provides the basic PNG image processing functionality.</p>
<p>There are five methods of code injection described in the article: 1: Inject PHP payload into the PNG comment field 2: Inject PHP payload at the end of the PNG file, the so called raw insertion 3: Inject PHP payload in the PLTE chunk of the PNG file 4: Inject PHP payload in the IDAT chunk of the PNG file 5: Inject PHP payload in a random tEXT chunk of the PNG file</p>
<p>Method 1 and 2 will not survive any image compression configured and applied by a PHP web application Method 3 will survive image compression, but no image resizing configured and applied by a PHP web application Method 4 will survive all compression and resizing but payload is fixed and restricted. Method 5 will survive Imagick resizing</p>
<p>In the module below, we will offer only three (3) methods e.g, Raw, PLTE and tEXt for which we will combine method 1 and 5 TODO: IDAT chunk payload injection has most potential but is not flexible and is fixed for payloads that can be injected.</p>
<pre class="code ruby"><code class="ruby">No processing PHP-GD compression PHP-GD resizing Imagick resizing
</code></pre>
<p>Raw insertion yes no no no PLTE chunk yes yes no no TODO: IDAT chunk yes yes yes yes tEXt chunk yes no no yes</p>
</div>
</div>
<div class="tags">
</div>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#inject_php_payload_png-instance_method" title="#inject_php_payload_png (instance method)">#<strong>inject_php_payload_png</strong>(payload, injection_method: &#39;PLTE&#39;) &#x21d2; String<sup>?</sup> </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>PNG binary string if injection is successful, otherwise nil if there was an error.</p>
</div></span>
</li>
</ul>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="inject_php_payload_png-instance_method">
#<strong>inject_php_payload_png</strong>(payload, injection_method: &#39;PLTE&#39;) &#x21d2; <tt>String</tt><sup>?</sup>
</h3><div class="docstring">
<div class="discussion">
<p>Returns PNG binary string if injection is successful, otherwise nil if there was an error.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Parameters:</p>
<ul class="param">
<li>
<span class='name'>payload</span>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>Payload to be inserted into the generated PNG.</p>
</div>
</li>
<li>
<span class='name'>injection_method</span>
<span class='type'>(<tt>String</tt>)</span>
<em class="default">(defaults to: <tt>&#39;PLTE&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>A string accepting only standard values 'RAW', 'PLTE', or 'TEXT'. Defaults to 'PLTE'.</p>
</div>
</li>
</ul>
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>, <tt>nil</tt>)</span>
&mdash;
<div class='inline'>
<p>PNG binary string if injection is successful, otherwise nil if there was an error.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="lines">
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/format/php_payload_png.rb', line 34</span>
<span class='kw'>def</span> <span class='id identifier rubyid_inject_php_payload_png'>inject_php_payload_png</span><span class='lparen'>(</span><span class='id identifier rubyid_payload'>payload</span><span class='comma'>,</span> <span class='label'>injection_method:</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>PLTE</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>if</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_empty?'>empty?</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>PNG payload creation failed. No PHP payload provided.</span><span class='tstring_end'>&#39;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='comment'># Execute provided injection method
</span> <span class='kw'>case</span> <span class='id identifier rubyid_injection_method'>injection_method</span>
<span class='kw'>when</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>RAW</span><span class='tstring_end'>&#39;</span></span>
<span class='comment'># Inject payload at the end of PNG (raw code injection)
</span>
<span class='comment'># Use an image size of 1 pixel by 1 pixel to
</span> <span class='comment'># create the smallest possible PNG image.
</span> <span class='id identifier rubyid_image_width'>image_width</span> <span class='op'>=</span> <span class='int'>1</span>
<span class='id identifier rubyid_image_height'>image_height</span> <span class='op'>=</span> <span class='int'>1</span>
<span class='id identifier rubyid_png'>png</span> <span class='op'>=</span> <span class='const'>ChunkyPNG</span><span class='op'>::</span><span class='const'>Image</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_image_width'>image_width</span><span class='comma'>,</span> <span class='id identifier rubyid_image_height'>image_height</span><span class='comma'>,</span> <span class='const'>ChunkyPNG</span><span class='op'>::</span><span class='const'>Color</span><span class='op'>::</span><span class='const'>BLACK</span><span class='rparen'>)</span>
<span class='comment'># add payload at the end of PNG
</span> <span class='id identifier rubyid_png_malicious'>png_malicious</span> <span class='op'>=</span> <span class='id identifier rubyid_png'>png</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span> <span class='op'>+</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span>
<span class='kw'>return</span> <span class='id identifier rubyid_png_malicious'>png_malicious</span>
<span class='kw'>when</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>PLTE</span><span class='tstring_end'>&#39;</span></span>
<span class='comment'># Inject payload in the PLTE chunk, which holds 1 to 256 palette entries as noted
</span> <span class='comment'># at http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html. Each
</span> <span class='comment'># entry will be a 3 byte long number of the form:
</span> <span class='comment'># Red: 1 byte (0 = black, 255 = red)
</span> <span class='comment'># Green: 1 byte (0 = black, 255 = green)
</span> <span class='comment'># Blue: 1 byte (0 = black, 255 = blue)
</span>
<span class='comment'># payload should have a length with modulo of 3 to fit the 3 bytes RGB palette.
</span> <span class='comment'># Section 4.1.2 PLTE Palette of http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html
</span> <span class='comment'># notes that PLTE chunks that are not divisible by 3 are considered a violation
</span> <span class='comment'># of the PNG protocol.
</span> <span class='id identifier rubyid_payload'>payload</span> <span class='op'>+=</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'> </span><span class='tstring_end'>&#39;</span></span> <span class='kw'>while</span> <span class='lparen'>(</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>%</span> <span class='int'>3</span><span class='rparen'>)</span> <span class='op'>!=</span> <span class='int'>0</span>
<span class='comment'># check if payload is not bigger then 768 (3x256) bytes to fit in the PLTE chunk
</span> <span class='kw'>if</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>&gt;</span> <span class='int'>768</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>PNG payload creation failed. Padded payload size (</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span><span class='embexpr_end'>}</span><span class='tstring_content'>) is larger than 768 bytes.</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='comment'># create base PNG with a right sized PLTE chunk to store the payload
</span> <span class='id identifier rubyid_image_width'>image_width</span> <span class='op'>=</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>/</span> <span class='int'>3</span>
<span class='id identifier rubyid_image_height'>image_height</span> <span class='op'>=</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>/</span> <span class='int'>3</span>
<span class='id identifier rubyid_png'>png</span> <span class='op'>=</span> <span class='const'>ChunkyPNG</span><span class='op'>::</span><span class='const'>Image</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_image_width'>image_width</span><span class='comma'>,</span> <span class='id identifier rubyid_image_height'>image_height</span><span class='comma'>,</span> <span class='const'>ChunkyPNG</span><span class='op'>::</span><span class='const'>Color</span><span class='op'>::</span><span class='const'>BLACK</span><span class='rparen'>)</span>
<span class='comment'># create palette entries (max. 256) to host the payload
</span> <span class='lparen'>(</span><span class='int'>0</span><span class='op'>..</span><span class='lparen'>(</span><span class='lparen'>(</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span> <span class='op'>/</span> <span class='int'>3</span><span class='rparen'>)</span> <span class='op'>-</span> <span class='int'>1</span><span class='rparen'>)</span><span class='rparen'>)</span><span class='period'>.</span><span class='id identifier rubyid_each'>each</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_i'>i</span><span class='op'>|</span>
<span class='id identifier rubyid_png'>png</span><span class='lbracket'>[</span><span class='id identifier rubyid_i'>i</span><span class='comma'>,</span> <span class='int'>1</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='const'>ChunkyPNG</span><span class='op'>::</span><span class='const'>Color</span><span class='period'>.</span><span class='id identifier rubyid_rgb'>rgb</span><span class='lparen'>(</span><span class='id identifier rubyid_i'>i</span><span class='comma'>,</span> <span class='int'>1</span><span class='comma'>,</span> <span class='int'>1</span><span class='rparen'>)</span>
<span class='kw'>end</span>
<span class='comment'># cycle thru the chunks, find the PLTE chunk and write the payload
</span> <span class='id identifier rubyid_png_malicious'>png_malicious</span> <span class='op'>=</span> <span class='const'>ChunkyPNG</span><span class='op'>::</span><span class='const'>Datastream</span><span class='period'>.</span><span class='id identifier rubyid_from_blob'>from_blob</span><span class='lparen'>(</span><span class='id identifier rubyid_png'>png</span><span class='period'>.</span><span class='id identifier rubyid_to_blob'>to_blob</span><span class='rparen'>)</span>
<span class='id identifier rubyid_png_malicious'>png_malicious</span><span class='period'>.</span><span class='id identifier rubyid_each_chunk'>each_chunk</span> <span class='kw'>do</span> <span class='op'>|</span><span class='id identifier rubyid_chunk'>chunk</span><span class='op'>|</span>
<span class='kw'>if</span> <span class='id identifier rubyid_chunk'>chunk</span><span class='period'>.</span><span class='id identifier rubyid_type'>type</span> <span class='op'>==</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>PLTE</span><span class='tstring_end'>&#39;</span></span>
<span class='id identifier rubyid_chunk'>chunk</span><span class='period'>.</span><span class='id identifier rubyid_content'>content</span> <span class='op'>=</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span>
<span class='kw'>break</span>
<span class='kw'>end</span>
<span class='kw'>end</span>
<span class='kw'>return</span> <span class='id identifier rubyid_png_malicious'>png_malicious</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span>
<span class='kw'>when</span> <span class='tstring'><span class='tstring_beg'>&#39;</span><span class='tstring_content'>TEXT</span><span class='tstring_end'>&#39;</span></span>
<span class='comment'># Inject payload in a new tEXt chunk generated with a random keyword
</span> <span class='comment'># tEXt chunks are used to store textual data that the recorder
</span> <span class='comment'># wishes to record within the image as noted at http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html
</span> <span class='comment'># section 4.3.2.1 tEXt Textual data
</span>
<span class='comment'># Use an image size of 1 pixel by 1 pixel to
</span> <span class='comment'># create the smallest possible PNG image.
</span> <span class='id identifier rubyid_image_width'>image_width</span> <span class='op'>=</span> <span class='int'>1</span>
<span class='id identifier rubyid_image_height'>image_height</span> <span class='op'>=</span> <span class='int'>1</span>
<span class='id identifier rubyid_png'>png</span> <span class='op'>=</span> <span class='const'>ChunkyPNG</span><span class='op'>::</span><span class='const'>Image</span><span class='period'>.</span><span class='id identifier rubyid_new'>new</span><span class='lparen'>(</span><span class='id identifier rubyid_image_width'>image_width</span><span class='comma'>,</span> <span class='id identifier rubyid_image_height'>image_height</span><span class='comma'>,</span> <span class='const'>ChunkyPNG</span><span class='op'>::</span><span class='const'>Color</span><span class='op'>::</span><span class='const'>BLACK</span><span class='rparen'>)</span>
<span class='comment'># store payload in a tEXt chunk with a randomized keyword
</span> <span class='id identifier rubyid_random_keyword'>random_keyword</span> <span class='op'>=</span> <span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>4</span><span class='op'>..</span><span class='int'>16</span><span class='rparen'>)</span>
<span class='id identifier rubyid_png'>png</span><span class='period'>.</span><span class='id identifier rubyid_metadata'>metadata</span><span class='lbracket'>[</span><span class='id identifier rubyid_random_keyword'>random_keyword</span><span class='rbracket'>]</span> <span class='op'>=</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span>
<span class='kw'>return</span> <span class='id identifier rubyid_png'>png</span><span class='period'>.</span><span class='id identifier rubyid_to_s'>to_s</span>
<span class='kw'>else</span>
<span class='id identifier rubyid_print_error'>print_error</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>PNG payload creation failed. No valid injection method </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_injection_method'>injection_method</span><span class='embexpr_end'>}</span><span class='tstring_content'> provided [RAW, PLTE, TEXT].</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='kw'>return</span> <span class='kw'>nil</span>
<span class='kw'>end</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div id="footer">
Generated on Fri May 8 17:02:13 2026 by
<a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.37 (ruby-3.1.5).
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink