
**atm BROKEN**. This module embeds a payload into an image file, thus creating a no-click virus.

webmaster-exit-1/Custom-Image-Payload-Embedder

Custom Image Payload Embedder Module

This No-Click Payload for Metasploit embeds a payload (e.g., Meterpreter shell) into a .jpeg, .jpg, .webp, .png, or .gif image and generates a malicious HTML file. When the image is viewed in a web browser, the HTML file is automatically loaded, triggering the execution of the embedded payload and potentially compromising the system.

The Breakdown:

  • No User Interaction: The payload is executed without any action required from the victim, except for viewing the image in a browser.
  • HTML File as Trigger: The HTML file acts as the trigger mechanism for the payload. It's automatically loaded when the image is viewed, making the attack seamless.
  • Potential Impact: Every image online is now a potential "payload".

Take note that all my code was created with the help of LLMs or "AI". All of my code is a suggestion. Anything can be modified or made to execute better. Skill and imagination are all that limits us.

  • Inspiration for this project was obtained by how Canary Tokens operate.

Happy Hacking


Features

  • Steganography: Hides the payload within an image file.
  • Encryption: Encrypts the payload using XOR encryption with a random key.
  • Polymorphism: Applies techniques to obfuscate the payload and evade antivirus detection.
  • Malicious HTML Generation: Creates an HTML file that extracts and executes the embedded payload.
  • Metasploit Integration: Designed to work seamlessly with the Metasploit framework for handler setup and post-exploitation.

Requirements

  • Ruby programming language (version 2.7 or higher)
  • Metasploit framework: Follow the installation instructions for your operating system from the Official Metasploit website.

Installation

  1. Clone the repository:

    git clone https://github.com/webmaster-exit-1/Custom-Image-Payload-Embedder.git
  2. Navigate to the project directory:

    cd Custom-Image-Payload-Embedder
  3. Install dependencies:

    bundle install

**NOTE:** How you execute this payload should be simple.

There are many ways to obfuscate an HTML webpage (even a malicious page) that passes all safety and HTTPS requirements.

Use your imagination.

Usage Example

  1. Customize (Optional):
    * Modify module.rb to adjust settings like image path and output path.
    * Customize payload generation or obfuscation techniques in payload.rb if needed.
  2. Generate Payload and HTML:
    * Execute your Metasploit module (replace <your_module_filename.rb> with the actual filename):

    ruby <your_module_filename.rb>
  3. Set Up Metasploit Handler:
    * Open a new terminal and start msfconsole.
    * Use the exploit/multi/handler module.
    * Configure the handler to match the payload used in your module.
    * Set LHOST (your IP) and LPORT.
    * Start the handler with run.
  4. Deliver and Execute:
    * Make a website hosting your html file.
    * Get victim to view image on website.

Example

# In your Metasploit module file (e.g., module.rb)
# ... your module code ...

def exploit
  # ... your exploit logic ...

  # Example payload configuration (adjust as needed)
  payload_data = generate_payload_exe
  key = generate_random_key(16)
  encrypted_payload = xor_encrypt(payload_data, key)
  polymorphic_payload = generate_polymorphic_payload(encrypted_payload)
  final_payload = heuristic_technique(polymorphic_payload)

  # ... rest of your exploit logic ...
end
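
For defenders, the XOR layer in the example above does little against known plaintext: an executable carries predictable header text, so a short repeating key can be recovered from the obfuscated bytes and used as a detection signal. The Ruby below is an added example, not code from this repository. It assumes `xor_encrypt` is a repeating-key XOR with the 16-byte key length shown above; `repeating_xor`, `find_xored_pe` and the sample data are hypothetical and constructed for illustration.

```ruby
# Added defensive example, not code from the repository.
# Assumption: the README's xor_encrypt cycles a short key over the payload bytes.

# Text found in the DOS stub of typical Windows executables (known plaintext).
DOS_STUB = "This program cannot be run in DOS mode".b

# Repeating-key XOR (the assumed scheme); the same call encodes and decodes.
def repeating_xor(data, key)
  k = key.bytes
  data.bytes.each_with_index.map { |b, i| b ^ k[i % k.size] }.pack("C*")
end

# Scan blob for DOS_STUB hidden under a repeating XOR key of key_len bytes.
# Returns { offset:, key: } with the key aligned to the match offset, or nil.
def find_xored_pe(blob, key_len: 16, known: DOS_STUB)
  raise ArgumentError, "known text must be longer than the key" unless known.bytesize > key_len

  data = blob.bytes
  plain = known.bytes
  (0..data.size - plain.size).each do |off|
    # The first key_len known bytes determine every key byte at this offset.
    key = (0...key_len).map { |i| data[off + i] ^ plain[i] }
    # The remaining known bytes must decode with that same key, else no match.
    consistent = (key_len...plain.size).all? do |i|
      (data[off + i] ^ key[i % key_len]) == plain[i]
    end
    return { offset: off, key: key.pack("C*") } if consistent
  end
  nil
end

# Constructed sample: fake image bytes followed by a fake PE-like header
# (not a real executable), obfuscated with a constructed 16-byte key.
SAMPLE_KEY = (1..16).map { |i| (i * 11) & 0xFF }.pack("C*")
FAKE_PE    = "MZ".b + ("\x00".b * 76) + DOS_STUB + ".\r\r\n$".b
CARRIER    = "\xFF\xD8\xFF\xE0constructed-image-bytes\xFF\xD9".b
SAMPLE     = CARRIER + repeating_xor(FAKE_PE, SAMPLE_KEY)

if __FILE__ == $PROGRAM_NAME
  hit = find_xored_pe(SAMPLE)
  puts "obfuscated PE marker at offset #{hit[:offset]}, key #{hit[:key].unpack1('H*')}"
  puts repeating_xor(SAMPLE.byteslice(hit[:offset], DOS_STUB.bytesize), hit[:key])
end
```

A match in a file that claims to be an image is a strong triage signal, since the 22 bytes of known text beyond the key length make accidental matches practically impossible.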

Disclaimer

This project is for educational and research purposes only. Using it for malicious activities is illegal and unethical. The authors are not responsible for any misuse or damage caused by this project. Use it responsibly and ethically.
