noobie3 Posted October 5, 2008 Share Posted October 5, 2008 I wanted to launch a .vbs or .bat file in a jpg file. Meaning when i click on the jpg i see the picture and at the same time the .vbs or .bat file launches. thx Quote Link to comment Share on other sites More sharing options...
Mat Posted October 6, 2008 Share Posted October 6, 2008 I wanted to launch a .vbs or .bat file in a jpg file. Meaning when i click on the jpg i see the picture and at the same time the .vbs or .bat file launches. thx Short answer: Not possible. Longer answer: The OS is responsible for deciding what to do with a file you open. So if the OS is configured to open JPG files with mspaint, then that's what will happen when you double click the jpg. Now, if the file in question is built in a way that will cause mspaint to crash and cause a buffer overrun instance then it may be possible to execute some arbitrary code. Getting this to work is very difficult and it would be patched out of the code in short order. Hacks that generate increased usage are great, hacks that basically break the way a computer is supposed to work are not. Is there any possible 'good' use for having unknown code execute when opening an image file? Quote Link to comment Share on other sites More sharing options...
digip Posted October 6, 2008 Share Posted October 6, 2008 Jpgs used to have a flaw that would allow them to execute code, but has long been fixed... http://antivirus.about.com/od/securitytips/a/jpgflaw.htm Metasploit uses a few flaws in PNG and WMF's to embedd them in a webpage and then Internet Explorer being served the image and not rendering it properly if it contains scriptable code instead of image data. Most browsers check the mime type or file type before allowing it to load or run, but older unpatched IE5/6 browsers don't check it and also some windows versions have a GDI flaw(If not fully patched or up to date) that allows various image formats to exploit the system, like PNG and WMF files. Probably not going to happen short of something like a Metasploit type of attack. Google would be your best bet to finding a solution, if there is one. You could try saving a VBS script as a JPG and then trying to load it in a web page, but not sure if this will run. I know it works with PHP on some unpatched versions of Apache and PHP, where it can run the actual PHP code, even if it ends in jpg as the extension, if you name it somehting like image.php.jpg, it executes as PHP. Quote Link to comment Share on other sites More sharing options...
sablefoxx Posted October 6, 2008 Share Posted October 6, 2008 Rename the file to reallyhottpic.jpeg.bat (note: this only works if victim is a dumbass) Quote Link to comment Share on other sites More sharing options...
noobie3 Posted October 6, 2008 Author Share Posted October 6, 2008 ok thx Quote Link to comment Share on other sites More sharing options...
RogueHart Posted October 8, 2008 Share Posted October 8, 2008 i remember something harrison said on sploitcast a while back about a vulnerability in windows that would allow an image loaded on a webpage to setup a backdoor in your computer. Quote Link to comment Share on other sites More sharing options...
shido Posted October 8, 2008 Share Posted October 8, 2008 let me guess the gifar sparked your interest in making this right?? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.