codezen.fr code hacking, zen coding

17 Mar 2013

ForbidenBits CTF 2013 – Web 600 IMAFREAK Write-up

This is a quick post to give my solution for the IMAFREAK challenge.

What you need to succeed:
- A JPEG file with the EXIF CameraModel tag set to ".php" so that the file is created with the filename secretstoreddata/.php
- Same JPEG file with the *RAW* Red plane containing a PHP shell
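
The first requirement works only because a metadata field chosen by the uploader ends up as the stored file name. The following check is an added example, not code from the original write-up or from the challenge: it reads the Model tag from an upload and shows the mitigation of letting the server choose the name. `unsafe_as_filename`, `stored_name`, `build_sample` and the `SCRIPT_EXTS` list are hypothetical names, and the sample JPEG is constructed (metadata only, no image data).

```python
import secrets
import struct

SCRIPT_EXTS = (".php", ".phtml", ".phar")  # assumed deny-list, adjust per server

def exif_model(jpeg: bytes):
    """Return the EXIF Model string (IFD0 tag 0x0110) of a JPEG, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return _model_from_tiff(body[6:])
        pos += 2 + seglen
    return None

def _model_from_tiff(tiff: bytes):
    order = {b"MM": ">", b"II": "<"}[tiff[:2]]  # KeyError on a bad byte-order mark
    _magic, ifd = struct.unpack(order + "HI", tiff[2:8])
    (entries,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    for i in range(entries):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, count = struct.unpack(order + "HHI", entry[:8])
        if tag == 0x0110 and typ == 2:  # Model, ASCII
            if count <= 4:  # short values are stored inline in the entry
                raw = entry[8:8 + count]
            else:  # longer values live at an offset into the TIFF block
                (off,) = struct.unpack(order + "I", entry[8:12])
                raw = tiff[off:off + count]
            return raw.split(b"\x00")[0].decode("latin-1")
    return None

def unsafe_as_filename(model: str) -> bool:
    name = model.strip().lower()
    return name.startswith(".") or "/" in name or "\\" in name or name.endswith(SCRIPT_EXTS)

def stored_name() -> str:  # mitigation: the server picks name and extension
    return secrets.token_hex(16) + ".jpg"

def build_sample(model: bytes) -> bytes:
    """Constructed test input: SOI + APP1/EXIF holding only a Model tag + EOI."""
    val = model + b"\x00"
    field = val.ljust(4, b"\x00") if len(val) <= 4 else struct.pack(">I", 26)
    tiff = struct.pack(">2sHIHHHI", b"MM", 42, 8, 1, 0x0110, 2, len(val)) + field
    tiff += struct.pack(">I", 0) + (val if len(val) > 4 else b"")
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

The deny-list check is only a tripwire for logging; the fix is `stored_name()`, which never lets metadata reach the file system path.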

As you have understood, controlling the RAW output for a color plane is quite hard, as you can't really predict how the JPEG compression model will react to your input values.

So at first, I wrote a bruteforcer that would fuzz the RGB values of input pixels until it matched what I wanted, but it was really slow. I ended up manually tuning many of those values for the perfect result (= spent many hours staring at a hex editor).

So here is the beast:

[Image: red-cmd-46]

Zoomed:

[Image: zoom-red-46]

I swear I will make a T-shirt out of this one.

Let's check that the CameraModel tag contains ".php":

$ exiftool red-cmd-46.jpg
ExifTool Version Number         : 8.15
File Name                       : red-cmd-46.jpg
Directory                       : .
File Size                       : 921 bytes
File Modification Date/Time     : 2013:03:16 21:59:41+00:00
File Permissions                : rw-r--r--
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
Camera Model Name               : .php
X Resolution                    : 1
Y Resolution                    : 1
Resolution Unit                 : None
Y Cb Cr Positioning             : Centered
Comment                         : CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 100000000.
Image Width                     : 32
Image Height