{"id":16562800,"url":"https://github.com/charmve/pystegosploit","last_synced_at":"2025-07-22T00:32:50.717Z","repository":{"id":106310134,"uuid":"368056409","full_name":"Charmve/PyStegosploit","owner":"Charmve","description":"PoC - Exploit Delivery via Steganography and Polyglots, CVE-2014-0282","archived":false,"fork":false,"pushed_at":"2024-05-27T02:44:38.000Z","size":7447,"stargazers_count":51,"open_issues_count":3,"forks_count":14,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-07-14T21:25:44.354Z","etag":null,"topics":["browser-exploits","charmve","cve","decoder","encoded-images","exp","exploits","html-png-polyglot","jpeg","jpg","jpg-html-polyglot","poc","steganography","stego","xss-vulnerability"],"latest_commit_sha":null,"homepage":"https://www.youtube.com/watch?v=O9vSSQIZPlI","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Charmve.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-05-17T04:39:32.000Z","updated_at":"2025-05-05T17:31:15.000Z","dependencies_parsed_at":null,"dependency_job_id":"fcfba112-3dca-441d-adb6-f14eb3488e72","html_url":"https://github.com/Charmve/PyStegosploit","commit_stats":{"total_commits":8,"total_committers":2,"mean_commits":4.0,"dds":0.25,"last_synced_commit":"1abcb97bcca1d8c7ef825a6ad39172dde47b63f4"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Charmve/PyStegosploit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Charmve%2FPyStegosploit","tags_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Charmve%2FPyStegosploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Charmve%2FPyStegosploit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Charmve%2FPyStegosploit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Charmve","download_url":"https://codeload.github.com/Charmve/PyStegosploit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Charmve%2FPyStegosploit/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266404941,"owners_count":23923492,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-21T11:47:31.412Z","response_time":64,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["browser-exploits","charmve","cve","decoder","encoded-images","exp","exploits","html-png-polyglot","jpeg","jpg","jpg-html-polyglot","poc","steganography","stego","xss-vulnerability"],"created_at":"2024-10-11T20:37:12.313Z","updated_at":"2025-07-22T00:32:50.642Z","avatar_url":"https://github.com/Charmve.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PyStegosploit - Exploit Delivery via Steganography and Polyglots\n\n[[video1](https://www.youtube.com/watch?v=O9vSSQIZPlI)] | [[video2](https://www.youtube.com/watch?v=fAyuOhB4uvo)] | 
[[page](https://stegosploit.info/#22-steganographically-encoding-the-exploit-code)]\n\nby Charmve - yidazhang1 [at] gmail[dot]com, [@Charmve](https://github.com/Charmve)  [@therealsaumil](https://twitter.com/therealsaumil)  [@amichael](https://github.com/amichael7)\n\nMay 2021\n\n![stego_imajs.png](stego/static/img/stego_imajs.png)\n\nStegosploit creates a new way to encode \"drive-by\" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image-based exploit delivery - Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and JavaScript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.\n\n\n## A Tour of the Stegosploit Toolkit \u003csup\u003e[1]\u003c/sup\u003e\n\n\u003cp\u003eStegosploit comprises tools that let a user analyse images, steganographically encode exploit data onto JPG and PNG files, and turn the encoded images into polyglot files that can be rendered as HTML or executed as JavaScript.\u003c/p\u003e\n\n\u003cp\u003eThe current version of Stegosploit is 0.2 and can be found in \u003ca href=\"https://www.alchemistowl.org/pocorgtfo/pocorgtfo08.pdf\"\u003eIssue 0x08 of the International Journal of Proof-of-Concept or Get The Fuck Out (Poc||GTFO)\u003c/a\u003e. 
Note that you will have to read through the end of the article in PoC||GTFO to find the hint on how to extract the toolkit.\u003c/p\u003e\n\n### 🔍 Browse Folders\n- 📄 \u003ccode\u003eREADME.md\u003c/code\u003e\n- 📄 \u003ccode\u003ecopying.txt\u003c/code\u003e - WTFPL\n- 📁 \u003ccode\u003estego/\u003c/code\u003e\n  - 📄 \u003ccode\u003eimage_layer_analysis.html\u003c/code\u003e - Analyse an image's bit layers\n  - 📄 \u003ccode\u003eiterative_encoding.html\u003c/code\u003e - Encode an exploit onto a JPG or PNG image\n  - 📄 \u003ccode\u003eimagedecoder.html\u003c/code\u003e - Decode a steganographically encoded image\n  - 📄 \u003ccode\u003eimagedecode.js\u003c/code\u003e\n  - 📄 \u003ccode\u003ehistogram.js\u003c/code\u003e\n  - 📄 \u003ccode\u003emd5.js\u003c/code\u003e\n  - 📄 \u003ccode\u003ebase64.js\u003c/code\u003e\n- 📁 \u003ccode\u003eexploits/\u003c/code\u003e\n  - 📄 \u003ccode\u003eexploits.js\u003c/code\u003e - Canned exploit code\n  - 📄 \u003ccode\u003edecoder_cve_2014_0282.html\u003c/code\u003e - Decoder code + CVE-2014-0282 HTML elements\n- 📁 \u003ccode\u003eimajs/\u003c/code\u003e\n  - 📄 \u003ccode\u003ehtml_in_jpg_ie.pl\u003c/code\u003e - Generate JPG+HTML polyglot for IE\n  - 📄 \u003ccode\u003ehtml_in_jpg_ff.pl\u003c/code\u003e - Generate JPG+HTML polyglot for Firefox\n  - 📄 \u003ccode\u003ehtml_in_png.pl\u003c/code\u003e - Generate a PNG+HTML polyglot (for any browser)\n  - 📄 \u003ccode\u003epngenum.pl\u003c/code\u003e - Enumerate a PNG file's FourCC chunks\n  - 📄 \u003ccode\u003ejpegdump.c\u003c/code\u003e - Enumerate a JPG file's segments\n  - 📄 \u003ccode\u003eCRC32.pm\u003c/code\u003e\n  - 📄 \u003ccode\u003ePNGDATA.pm\u003c/code\u003e\n- ★ 📁 \u003ccode\u003eproject-stegosploit/\u003c/code\u003e - Core Part [\u003ci\u003e\u003cu\u003evideo show 1\u003c/u\u003e\u003c/i\u003e](https://www.youtube.com/watch?v=O9vSSQIZPlI) | [\u003ci\u003e\u003cu\u003etext show 
1\u003c/u\u003e\u003c/i\u003e](https://stegosploit.info/#22-steganographically-encoding-the-exploit-code)\n  - 📁 \u003ccode\u003eencoding/\u003c/code\u003e - core \n    - 📄 \u003ccode\u003eiterative_encoding.html\u003c/code\u003e - Steganographically Encoding the Exploit Code\n    - 📄 \u003ccode\u003eimage_layer_analysis.html\u003c/code\u003e\n    - 📄 \u003ccode\u003eimagedevoder.html\u003c/code\u003e\n    - 📄 \u003ccode\u003edecode_and_run_cinput_withjs.html\u003c/code\u003e\n  - 📁 \u003ccode\u003eexploits/\u003c/code\u003e - decoder.html\n  - 📁 \u003ccode\u003eimages/\u003c/code\u003e - encoded and original images\n  - 📁 \u003ccode\u003epolyglots/\u003c/code\u003e - lena_poly_demo.html\n  - 📁 \u003ccode\u003escripts/\u003c/code\u003e - Creates an HTML+PNG polyglot ``polyglot_with_jpg.py`` \n  - 📁 \u003ccode\u003etmp/\u003c/code\u003e - run ``--/tools/msf4$ ./msfconsole -r ./tmp/load_meterpreter.rc`` [\u003ci\u003e\u003cu\u003evideo show 2\u003c/u\u003e\u003c/i\u003e](https://www.youtube.com/watch?v=fAyuOhB4uvo)\n  - 📄 \u003ccode\u003eREADME.md\u003c/code\u003e - Shows how to use project-stegosploit\n\n\u003cp\u003e\u003ccode\u003ejpegdump.c\u003c/code\u003e is written by Ralph Giles and can be downloaded from \u003ca href=\"https://svn.xiph.org/experimental/giles/jpegdump.c\"\u003ehttps://svn.xiph.org/experimental/giles/jpegdump.c\u003c/a\u003e\u003c/p\u003e\n\nThe key part of this repo is ``project-stegosploit``, which shows how to hide the \u003ci\u003eexploit code\u003c/i\u003e in an image, how to encode and decode it, and how to execute the \u003ci\u003eMeterpreter framework\u003c/i\u003e. \n\n## 🔧 How Stegosploit Works\n\nThe exploit code is inserted into the pixels of the image, so the image itself carries the exploit.  
IMAJS then creates a polyglot file that is read as an image but also contains a decoder that extracts and runs the JavaScript exploit.\n\nThe exploit that we will use is an Internet Explorer use-after-free exploit ([CVE-2014-0282](https://nvd.nist.gov/vuln/detail/CVE-2014-0282)).\n\n## 🔨 Requirements\n\n- Ubuntu 18.04 / Kali / Debian 9\n- web server  - ``python -m http.server 8000``\n- Metasploit Framework  - [How to Install](https://computingforgeeks.com/how-to-install-metasploit-framework-on-ubuntu-18-04-debian-9/)\n\n![msfconsole.png](stego/static/img/msfconsole.png)\n\n## 📆 What we have done so far\n\n__Highlights:__\n\n* The server can serve images to the VM over `10.0.2.2:5000`\n* The jpg.py program can build a polyglot file (valid `.html` and `.jpg`)\n\n## 📝 Checklist\n\n- [X] Refactor `CRC32.pm`\n- [X] Refactor `PNGDATA.pm`\n- [ ] Refactor `html_in_jpg_ie.pl`\n- [X] Refactor `pngenum.pl`\n\n- [ ] Demo Server\n\t- [X] Move all static exploit files in demo pages to `/static`\n\t- [ ] Make sure all static files are parsed using `template_render`\n\t- [ ] Add an image picker for the image_layer_analysis.html \\(Optional\\)\n\n## ✨ Related Works *Stegosploit*\n\nMy repos\n\n- [steganography.js](https://github.com/Charmve/xss-test) - Hide secret messages with JavaScript using steganography.js https://charmve.github.io/xss-test/examples/showcase/\n- [StegaStamp-plus](https://github.com/Charmve/StegaStamp-plus) - Improved the original repo, 'Invisible Hyperlinks in Physical Photographs', without datasets and training parameters\n\n## ❕ Disclaimer\n- This repo is released under the GPL open source license; please be sure you understand it.\n\n- We strictly prohibit any use of this program that violates national laws; please use it only within the bounds of the law.\n\n- By using this project you are deemed to have agreed to these rules. 
Please be sure to abide by the moral and legal standards.\n\n- If you do not comply, you will be responsible for the consequences, and the author will not bear any responsibility!\n\n\n## 📎 References\n\n[1] https://stegosploit.info/ \n\n[2] https://conference.hitb.org/hitbsecconf2015ams/sessions/stegosploit-hacking-with-pictures/\n\n[3] https://www.vulnerability-db.com/?q=articles/2015/06/17/exploit-delivery-steganography-using-stegosploit-tool-v02\n\n[4] https://www.blackhat.com/docs/eu-15/materials/eu-15-Shah-Stegosploit-Exploit-Delivery-With-Steganography-And-Polyglots.pdf\n\n[5] https://stackoverflow.com/questions/4110964/how-does-heap-spray-attack-work\n\n[6] https://www.youtube.com/watch?time_continue=1\u0026v=6lYUtIZHlJA\n\n[7] https://www.owasp.org/images/0/01/OWASL_IL_2010_Jan_-_Moshe_Ben_Abu_-_Advanced_Heapspray.pdf\n\n[8] https://en.wikipedia.org/wiki/Heap_spraying\n\n[9] https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/\n\n## 🎧 Related job\n\n[video](https://www.youtube.com/watch?v=6lYUtIZHlJA\u0026t=281s)\n\n## ✉️ Contact\n\nyidazhang1[#]gmail[dot]com\n\n\u003cbr\u003e\n\u003cdiv align=\"right\"\u003e\n  \u003ca href=\"https://github.com/Charmve\" target=\"_blank\"\u003eZhang Wei (Charmve)\u003c/a\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcharmve%2Fpystegosploit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcharmve%2Fpystegosploit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcharmve%2Fpystegosploit/lists"}