[extreme]

Here is the code I wrote a while ago with the help of a friend.. Just to say on start that this is not an exploit.. This is just a way of hiding your IE exploit so no one can see source code of exploit etc.... There are other uses offcourse but you have to use your imagination...
FOr example.. Since you run your exploit as JPG and not HTML, or PHP file, you can link it to avatar on any forum and anyone that "sees" your avatar, gets infected, you can then send picture to someone in HTML email(it downloads automatically)... But that stuff is still in development and could use some help from bigger experts then myself...
This example will just use simple script to show your IP... But executing script is the main point of this so that is all you need...
1. Make sure your webserver has php GD installed..
2. Content of picture.JPG

<?php

    header("Content-type: image/jpeg");

    $string = $_SERVER['REMOTE_ADDR'];

    $im     = imagecreatefromjpeg("some_picture.jpg");

    $orange = imagecolorallocate($im, 220, 210, 60);

    $px     = (imagesx($im) - 7.5 * strlen($string)) / 2;

    imagestring($im, 3, $px, 9, $string, $orange);

    imagejpeg($im);

    imagedestroy($im);

?>

3. putt in same dir some picture that will be shown when you run picture.jpg and name it "some_picture.jpg"
4. In same directory of your Apache webserver, putt one .htaccess file. And content of that file will be:
AddType application/x-httpd-php .php .jpg

Now just visit host.com/picture.jpg via your web browser and voala.. You will see your IP displayed in picture.. Script executed, and you just thought you were just looking at harmless picture...

[mrBob]

wow.. this can be massive
interesting though...
thanx
gonna play with it

[mrBob]

well... played with it
i don't have enough php knowledge to let it run some script :P

[AdmiralB]

okay this is an achivement and i hope it doesn't break loose as another BIG BIG Virus that bill gates put a price tag on LOl

[boshcash]

nice one , nice idea :) , but u can also point ur avatar to pic on an HTTP server owned by you , and check the logs and who requested that pic

[AdmiralB]

theres something i dun understand though how do u ADD SUCH code content to a picture LOL

[mrBob]

AdmiralB, on Feb 1 2004, 04:09 AM, said:

theres something i dun understand though how do u ADD SUCH code content to a picture LOL

you don't... but the .htaccess file redirects the picture.jpg as .php

[Trojan^kid]

nice gone try it later :rolleyes:

[Stoney]

i was gona try this but couldnt get gd working.

[extreme]

Well, you could allways use it.. That's what GD is used for.. But try renaming your GD script from PHP to JPG without putting HTACCESS file and it won't read, and try pointing PHP to forum avatar without my modif. and it won't work either...

[karate]

very nice extreme! :)

[popo0421]

nice code. I try it.
more ....