I like to examine creative ways of doing things. Often times I will look at a malware example and enjoy how they accomplish some of the nasty things. The latest example of this involves how a crypto mining bot and their script running on a postgres box. This was found in the impreva blog talking about the exploit. https://www.imperva.com/blog/2018/03/deep-dive-database-attacks-scarlett-johanssons-picture-used-for-crypto-mining-on-postgre-database/ This is leveraging a command called dd and then using how images are rendered/checked on upload. It can also be thought of as “Poor mans steganography.” Lets say that we want to hide a shell script or a series of commands. We can hide this at the end of an image file. Image processors will read a file top to bottom. This allows us to simply append what we want to the end of a file and then using dd copy that bit of data off the end and in to a separate file when we want to run it. Jibberish you say, lets take a look.First I borrowed a gif from NPR but I tossed it into my github so I can not throw redirects to NPR, call it courtesy. I will use curl to pull that file down and output it curl -o dumpster-fire.gif https://github.com/ridingintraffic/ridingintraffic.github.com/raw/master/dumpster-fire.gif The direct link is here This will render a nice little animated gif no big deal. The next step will be in my terminal I will do a simple shell script to print some text. https://github.com/ridingintraffic/ridingintraffic.github.com/raw/master/dumpster-fire.gif echo “echo \”hello $(whoami) welcome to the fire\””>>script.sh; chmod +x script.sh; ./script.sh``` Echo out a script directly into another file and then set that file to be executable and then run that script. A super redundant way to run a command, but hang with me. The next step is to look at our gif and establish the original size. Here is the of that file the curl command downloaded. ls -l $ ls -l dumpster-fire.gif-rw-r — r — 1 myuser staff 1690953 Mar 19 19:44 dumpster-fire.gif The number is the important bit for reassembling later. Now to combine part one and two. 1690953 curl -o dumpster-fire.gif; echo “echo \”hello $(whoami) welcome to the fire\”>>dumpster-fire.gif; https://github.com/ridingintraffic/ridingintraffic.github.com/raw/master/dumpster-fire.gif and The following puts it as a bigger file ls -l $ ls -l dumpster-fire-rw-r — r — 1 myuser staff 1691010 Mar 19 19:44 dumpster-fire.gif If we do a tail on the gif we will see binary data and then our appended text. Next, if we preview the gif it will still render and even animate because browsers are dumb and read the file top to bottom and never encounter an error. If we were to download that modified gif we can then extract the script from the end of the file and run it. This magic can be done with dd and the offset that we saved earlier. dd skip=1690953 bs=1 if=dumpster-fire.gif of=temp.sh; If we combine that with the execute stuff we can get it to run right after creation. dd skip=1690953 bs=1 if=dumpster-fire.gif of=temp.sh; chmod +x temp.sh; ./temp.sh And boom now we have stashed a script file at the end of a image file and tear them apart run some nasty stuff. Lets hide it a little bit. So that if someone were to run a tail on the image file it would at least not be in plain text. We can accomplish that simply with a base64 encode/decode. I am not going to go through everything again but instead of directly writing the echo of the script file to the image we will first pipe it through base64 on the file save and then during the reassembly segment we will run it back through the decode to get the bash script. curl -o dumpster-fire.gif; echo “file downloaded, moving onto encoding”; echo echo \”hello $(whoami) welcome to the fire\”|base64 >>dumpster-fire.gif; echo “file encoded and appended lets reassemble”; dd skip=1690953 bs=1 if=dumpster-fire.gif of=temp.sh; base64 --decode temp.sh >> hello.sh ; chmod +x hello.sh; ./hello.sh https://github.com/ridingintraffic/ridingintraffic.github.com/raw/master/dumpster-fire.gif Now the script is at least concealed a little bit, and can’t be found with strings. We can take this one step further and if we wanted to store an encrypted volume at the end of a file. We could use truecrypt to create a file container and then cat that container to the end of the image and instead of launching the script.Then simply take the encrypted container and load it in true crypt. A nice way to stash something somewhere and transport it in the clear where only you would have the keys to unlock that container. Sometimes criminals have creative ways to do things, and it doesn’t hurt to understand how they do it. The more you know, and knowing is half the battle.

Super

ssh proxying through many hosts

Solve a problem by not working on it.

what did i learn?

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

Hide it like you stole it

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Arduino, Meet Splunk

14 Habits Of The Growth Hacker Mindset: A Deep Dive

2001: A Hacker's Odyssey

33 Stories To Learn About Hacks

37 Stories To Learn How to Become a Hacker

5 Popular Hacker Hardware Tools in 2022

Arduino, Meet Splunk

14 Habits Of The Growth Hacker Mindset: A Deep Dive

2001: A Hacker's Odyssey

33 Stories To Learn About Hacks

37 Stories To Learn How to Become a Hacker

5 Popular Hacker Hardware Tools in 2022

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps