
If it's possible to write shellcode in a jpg file, why aren't all the webapps where you can upload an image infected?

On a client computer, is it necessary to exploit the jpg viewer in order to run the shellcode?

schroeder

Peter11

2 Answers


Simply put, there are various methods to masquerade a shellcode as a jpg file, but the file still needs to be executed. Whether you can do this depends on a variety of factors such as server and OS configuration. If you can somehow include the uploaded shell in the execution path (locally or remotely) and if specific security mechanisms are not in place, then yes, it's possible to execute the "jpg" file.

So even if you can upload a masqueraded jpg, it does not necessarily mean you can execute the embedded shellcode. What's more, there are methods to detect the validity of a jpg file (though even they can be bypassed with more advanced masquerading methods).

NOTE: The shellcode is merely the payload for the attack, and will only work if an exploitable vulnerability exists in the viewer and it is somehow possible to execute the jpg file.

Abbas Javan Jafari
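A structural validity check of the kind the answer alludes to, added here as an illustration and not code from the answer: it walks the JPEG marker segments and flags malformed segment lengths or bytes appended after the EOI marker, which is where a masqueraded payload is typically tucked away. The `CLEAN` and `TRAILING` samples are constructed marker skeletons, not real images.

```python
EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers with no length field

def inspect_jpeg(data: bytes) -> dict:
    """Walk the JPEG marker structure; report anomalies such as bytes appended after EOI."""
    segments, findings = [], []

    def result(ok):
        return {"well_formed": ok, "segments": segments, "findings": findings}
    if data[:2] != b"\xff\xd8":
        findings.append("no SOI marker at offset 0 (not a JPEG)")
        return result(False)
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}, got 0x{data[pos]:02x}")
            return result(False)
        marker = data[pos + 1]
        if marker == EOI:
            trailing = len(data) - (pos + 2)
            if trailing:
                findings.append(f"{trailing} bytes appended after EOI at offset {pos + 2}")
            return result(not findings)
        if marker in STANDALONE:
            segments.append((marker, 0))
            pos += 2
            continue
        # Length field is big-endian and counts itself; a short slice yields a bad length.
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            findings.append(f"marker 0x{marker:02x} at offset {pos} declares bad length {length}")
            return result(False)
        segments.append((marker, length))
        pos += 2 + length
        if marker == SOS:
            # Skip entropy-coded data: 0xFF00 is byte stuffing, 0xFFD0-D7 are restart markers.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0 and not 0xD0 <= data[pos + 1] <= 0xD7:
                    break
                pos += 1
    findings.append("file ends without an EOI marker")
    return result(False)

# Constructed samples: a minimal marker skeleton (not a decodable picture), and the
# same skeleton with opaque bytes appended after EOI, which is where a polyglot hides them.
CLEAN = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # SOI, APP0
         + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34"            # SOS, scan data
         + b"\xff\xd9")                                                                # EOI
TRAILING = CLEAN + b"CONSTRUCTED-TRAILING-BYTES"
```

This is a format check only: a clean marker structure shows the file parses as a JPEG, not that it is harmless, which is exactly the bypass caveat the answer makes.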

There are two ways that code in an image file could be executed:

  1. Zero-day vulnerability: Vulnerabilities such as stack buffer overflows can lead to code being executed during the processing of files, including image files. These vulnerabilities are fixed as soon as they are publicly known, but they are not unknown.
  2. Direct execution: There are various ways to trick a system into executing an image file as if it is a binary. (See example.)
Neil Smithline
  • I think this is a stupid question but I'm going to put it to you for my clarification. In an .exe file a vulnerability is not necessary because the binary runs, right? – Peter11 Apr 11 '16 at 18:05
  • Yes. An executable is always run. The only time an exploit is required is if you are looking to execute a [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation). For example, you're on Linux and not running as root, or Windows and looking to bypass User Account Control. – Neil Smithline Apr 11 '16 at 18:08