Hacking the World with HTML
2020-07-20 06:01:11 Author: osandamalith.com


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#ifdef _WIN32
#include <io.h>
#else
#include <unistd.h>
#endif

#define MAX 500

#define e_cblp 0x2

#define STUB 0x40

/*

Author: Osanda Malith Jayathissa (@OsandaMalith)

Write-up: https://osandamalith.com/2020/07/19/hacking-the-world-with-html/

Disclaimer: Author takes no responsibility for any damage you cause.

Use this for educational purposes only.

Copyright (c) 2020 Osanda Malith Jayathissa

https://creativecommons.org/licenses/by-sa/3.0/

*/

void inject(char *, char *);

void dump(void *, int);

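/*
 * Print the tool's ASCII-art banner to stdout.
 *
 * The text is kept in an immutable array and written with one fputs() call,
 * so the function can be called any number of times. The previous version
 * advanced a static pointer while printing (a second call printed nothing)
 * and called fflush(stdin), which is undefined for input streams.
 */
void
banner(void) {
    static const char art[] =
        "\t        _-_.\n"
        "\t     _-',^. `-_.\n"
        "\t ._-' ,'   `.   `-_ \n"
        "\t!`-_._________`-':::\n"
        "\t!   /\\        /\\::::\n"
        "\t;  /  \\      /..\\::: PE 2 HTML Injector\n"
        "\t! /    \\    /....\\:: Coded by Osanda Malith Jayathissa (@OsandaMalith)\n"
        "\t!/      \\  /......\\: https://osandamalith.com\n"
        "\t;--.___. \\/_.__.--;; \n"
        "\t '-_    `:!;;;;;;;'\n"
        "\t    `-_, :!;;;''\n"
        "\t        `-!'  \n";

    fputs(art, stdout);
}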

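/*
 * Entry point: expects exactly "-i <PE> -p <file>" (in either order) and
 * hands both paths to inject().
 *
 * Both pointers start as NULL and are checked before use. The earlier code
 * left them uninitialized, so four arguments that did not contain both flags
 * passed indeterminate pointers to inject(). The scan also stops one slot
 * early so a trailing flag never picks up argv[argc] (NULL) as its value.
 *
 * Returns 0 after inject() returns, 1 when the arguments are unusable.
 */
int
main(int argc, char *argv[]) {
    char *fileName = NULL, *payload = NULL;
    int i;

    banner();

    if (argc == 5) {
        for (i = 1; i + 1 < argc; i++) {
            if (!strcmp(argv[i], "-i")) fileName = argv[i + 1];
            if (!strcmp(argv[i], "-p")) payload = argv[i + 1];
        }
    }

    if (fileName == NULL || payload == NULL) {
        /* argv[0] may legitimately be absent; do not hand NULL to %s. */
        printf("\n[-] Usage: %s -i <PE> -p <HTML/PHP/ASP File> \n",
               (argc > 0 && argv[0] != NULL) ? argv[0] : "<program>");
        puts("[*] The output will be in .html, You may rename it to the format you desire.");
        return 1;
    }

    inject(payload, fileName);
    return 0;
}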

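/* Open `path` read-only (binary mode on Windows); returns a descriptor or -1. */
static int inject_open_read(const char *path) {
#ifdef _WIN32
    return _open(path, O_RDONLY | O_BINARY, 0);
#else
    return open(path, O_RDONLY, 0);
#endif
}

/*
 * Open the output file: create/truncate when `append` is 0, append otherwise.
 * NOTE(review): there is no O_EXCL, so an existing file at that path is
 * overwritten, and on POSIX the file is created with mode 0644 before umask.
 */
static int inject_open_write(const char *path, int append) {
#ifdef _WIN32
    if (append) return _open(path, O_WRONLY | O_APPEND | O_BINARY, 0);
    return _open(path, O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, S_IREAD | S_IWRITE);
#else
    if (append) return open(path, O_WRONLY | O_APPEND, 0);
    return open(path, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
#endif
}

/* Write all `len` bytes of `data` to `fd`, retrying short writes; 0 on success. */
static int inject_write_all(int fd, const void *data, size_t len) {
    const char *cursor = data;

    while (len > 0) {
        int put = write(fd, cursor, len);
        if (put <= 0) return -1;
        cursor += put;
        len -= (size_t)put;
    }
    return 0;
}

/* Copy `from` to `to` until end of file; 0 on success, -1 on any I/O error. */
static int inject_copy(int from, int to) {
    char chunk[4096];

    for (;;) {
        int got = read(from, chunk, sizeof chunk);
        if (got < 0) return -1;   /* the old `while (read(...))` looped forever on -1 */
        if (got == 0) return 0;
        if (inject_write_all(to, chunk, (size_t)got) != 0) return -1;
    }
}

/*
 * Build "<fname minus its last three characters>html" from the PE file
 * `fname` and the markup file `payload`:
 *   1. copy the PE file to the output,
 *   2. overwrite four bytes at offset e_cblp (0x2) with "<!--",
 *   3. hex-dump the first 0x80 bytes of the result via dump(),
 *   4. append "-->" followed by the payload file, byte for byte.
 *
 * Bytes 0-1 of the output are still "MZ", so identifying the file by its
 * content rather than by its extension still shows a DOS/PE header.
 *
 * Fixes over the earlier body: the magic check read two bytes into a
 * one-byte array and wrote a terminator past it; the name buffer could be
 * indexed out of bounds for names shorter than three or longer than MAX
 * characters; the 0x80-byte dump buffer was terminated one past its end;
 * no open()/read()/write() result was checked. Both inputs are now opened
 * and validated before the output is created, so a bad input no longer
 * truncates an existing output file.
 *
 * On any failure a message is printed to stderr and the process exits with
 * status -1, as the invalid-PE path already did.
 */
void inject(char *payload, char *fname) {
    static const char comment[] = "\x3c\x21\x2d\x2d";      /* "<!--" */
    static const char comment_end[] = "\x2d\x2d\x3e";      /* "-->"  */
    const char *err = NULL;
    char newFilename[MAX];
    unsigned char magic[2];
    unsigned char hex[0x80];
    int src = -1, pay = -1, dst = -1, sz;
    size_t stem;

    if (payload == NULL || fname == NULL) {
        err = "[!] Missing input or payload path";
        goto fail;
    }

    /* The output name replaces the last three characters with "html". */
    stem = strlen(fname);
    if (stem < 3 || stem - 3 + sizeof "html" > sizeof newFilename) {
        err = "[!] Input file name is too short or too long";
        goto fail;
    }
    stem -= 3;
    memcpy(newFilename, fname, stem);
    memcpy(newFilename + stem, "html", sizeof "html");

    src = inject_open_read(fname);
    pay = inject_open_read(payload);
    if (src < 0 || pay < 0) {
        err = "[!] Unable to open the input files";
        goto fail;
    }

    if (read(src, magic, sizeof magic) != (int)sizeof magic ||
        memcmp(magic, "MZ", sizeof magic) != 0) {
        err = "[!] Enter a valid PE file";
        goto fail;
    }
    if (lseek(src, 0, SEEK_SET) < 0) {
        err = "[!] Unable to rewind the PE file";
        goto fail;
    }

    /* Phase 1: copy the PE file, then overwrite the bytes at e_cblp. */
    dst = inject_open_write(newFilename, 0);
    if (dst < 0) {
        err = "[!] Unable to create the output file";
        goto fail;
    }
    if (inject_copy(src, dst) != 0) {
        err = "[!] Failed while copying the PE file";
        goto fail;
    }
    close(src);
    src = -1;

    if (lseek(dst, e_cblp, SEEK_SET) < 0) {
        err = "[!] Unable to seek in the output file";
        goto fail;
    }
    printf("[*] Commenting the MS-DOS e_cblp at offset 0x%x\n\n", e_cblp);
    if (inject_write_all(dst, comment, sizeof comment - 1) != 0) {
        err = "[!] Failed while writing to the output file";
        goto fail;
    }
    close(dst);
    dst = -1;

    /* Phase 2: show the first 0x80 bytes of what was written. */
    dst = inject_open_read(newFilename);
    if (dst < 0) {
        err = "[!] Unable to reopen the output file";
        goto fail;
    }
    sz = read(dst, hex, sizeof hex);
    close(dst);
    dst = -1;
    if (sz <= 0) {
        err = "[!] Unable to read back the output header";
        goto fail;
    }
    dump(hex, sz);

    /* Phase 3: close the comment and append the payload file unchanged. */
    dst = inject_open_write(newFilename, 1);
    if (dst < 0) {
        err = "[!] Unable to reopen the output file";
        goto fail;
    }
    puts("\n[*] Appending the Payload");
    if (inject_write_all(dst, comment_end, sizeof comment_end - 1) != 0 ||
        inject_copy(pay, dst) != 0) {
        err = "[!] Failed while appending the payload";
        goto fail;
    }
    close(pay);
    pay = -1;
    if (close(dst) != 0) {
        dst = -1;
        err = "[!] Failed while closing the output file";
        goto fail;
    }

    printf("[+] Successfully written to %s\n", newFilename);
    return;

fail:
    if (src >= 0) close(src);
    if (pay >= 0) close(pay);
    if (dst >= 0) close(dst);
    fprintf(stderr, "%s\n", err);
    exit(-1);
}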

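/*
 * Print `len` bytes starting at `addr` as a hex dump on stdout: 16 bytes per
 * row, each row prefixed with its offset and followed by the printable-ASCII
 * rendering of the row ('.' for bytes outside 0x20..0x7e).
 *
 * Nothing is printed when `addr` is NULL or `len` is not positive. The
 * earlier body compared a size_t index with the signed `len` (a negative
 * length became a huge bound), printed an uninitialized buffer for len == 0,
 * and passed a size_t to "%04X".
 */
void dump(void *addr, int len) {
    const unsigned char *pc = addr;
    char buff[17];          /* 16 characters of the current row plus NUL */
    int i;

    if (pc == NULL || len <= 0) return;

    for (i = 0; i < len; i++) {
        if (i % 16 == 0) {
            /* Finish the previous row before starting a new offset. */
            if (i != 0) printf("  %s\n", buff);
            printf("  0x%04X: ", (unsigned int)i);
        }

        printf(" %02X", pc[i]);

        buff[i % 16] = (pc[i] < 0x20 || pc[i] > 0x7e) ? '.' : (char)pc[i];
        buff[i % 16 + 1] = '\0';
    }

    /* Pad a short final row so the ASCII column stays aligned. */
    for (; i % 16 != 0; i++) printf("   ");

    printf("  %s\n", buff);
}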

/*EOF*/


文章来源: https://osandamalith.com/2020/07/19/hacking-the-world-with-html/