A file that's both an acceptable HTML page and a JPEG (view source on it)

  • If you think that's cool, look at Daeken's Magister: http://demoseen.com/windowpane/magister.png.html

    A PNG that's interpreted as HTML and loads itself as compressed JavaScript!

  • Here's the same thing done with a compiled executable using the padding bits in an ELF file.

    http://cs.unm.edu/~eschulte/data/webpage.html

Download webpage.html and it should run on any 64-bit Linux machine as an executable, printing out the same text shown on the web page. Here's the C file used to compile the original executable, nothing exciting...

    http://cs.unm.edu/~eschulte/data/webpage.c

  • You can also use this trick to launch cross-site script attacks against sites that allow you to upload images.

    Step 1: upload the "image" to the site. Let the site do whatever it does to ensure it has received a valid image. Nine validators out of ten will happily accept the file; the case that is likeliest to shoot you down is if the site modifies the image by cropping, resizing, or watermarking it.

    Step 2: point your victim back to the uploaded "image" as though it's actually a page, and presto!, it's a page -- a page with malicious javascript in it.

    Step 3: profit!

  • I've always wondered how the site snag.gy does something similar. Take this link, for example (you'll have to disable AdBlock if you want to see the ad): http://i.snag.gy/0obAy.jpg (ignore the image itself; it was one of the first to pop up in my history)

    The source is just the image, and you can embed the image, but there's an ad under the image. Also, right click -> view image or copy image location point to the same URL.

  • Perhaps I don't know enough about how this works, but couldn't you use this to inject runnable javascript into a page? If this is possible it's pretty scary, as it would allow you to upload a hidden payload into an otherwise innocent-looking image.

  • On slightly tangential lines, it's possible to manipulate D's compiler to output object code that renders as a graphic: http://h3.gd/ctrace/

  • I guess the HTML renderer skips the JPEG information and the image renderer skips the HTML information. Smart!

  • Can someone explain what is going on here?

  • >Pretty radical, eh? Send money to: lcamtuf@coredump.cx

    Would have been smarter to put a bitcoin address :)

  • There's a practical side to that trick. I have altered a posterous template to make my posterous a working JSONP response. http://zbyszek.posterous.com

  • I call such things "chameleon files"

JS and PHP are also possible http://tantek.pbworks.com/w/page/19402872/CassisProject

JS and HTML http://project.mahemoff.com/josh/ (also demonstrated by Tantek Çelik earlier on in a project that eventually led him to Cassis.)

  • Hello everyone, I appreciate the great solution that this is, but I have a similar problem that could be solved by this solution but has not been solved.

My problem is that I want to publish a series of JPEG images as a Kindle book, but I can't, since the reader slices some of my images and puts padding around them. I would prefer that the images render like the cover page, in full screen, but this is impossible to achieve despite saving the images in 600 * 800 like the cover page.

How can I use this great wisdom to create an .epub file that then becomes a Kindle book?

PS: The scans are a business book that is made up entirely of mindmaps, which are like spatial roadmaps on paper. The book has been written to teach newbies in business the most important things and all the trade-offs involved in these important things.

I think that sort of thing would do very well on the Kindle platform, but I am unable to do it.

  • When I saw this, the first thing I immediately thought was: why don't webcomic authors use this to fix the problem of people linking directly to their images instead of the pages their images are on? This could revolutionize how webcomics and social aggregators interact.

  • Looks more like a chipmunk to me.

  • My browsers, Chrome 19.0.1084.56 and Firefox 13.0.1, on Linux, both render it as a bunch of garbage characters. This does not appear to be valid HTML to them.

    However I can download the file, rename it to .jpg, and view the image just fine.

  • This trick does not work correctly in IE9, due to the unclosed comment tag.

  • This looks pretty scary on Windows Phone 7. Anybody else getting chunks of video memory all over the page? (HTC Arrive).

  • > No server-side hacks involved

    Well, the JPEG file doesn't have the correct mime-type. Chrome warns, "Resource interpreted as Image but transferred with MIME type text/html" in the console. Apparently in the context of an <img src=""> URL it figures it out though.

  • I don’t have GraphicsMagick installed on this machine, else I would try this:

        $ gm convert http://lcamtuf.coredump.cx/squirrel/ -comment '' x.jpg
    
    …and…

        $ gm identify -format '%c' http://lcamtuf.coredump.cx/squirrel/

  • Apparently OP uses some JPEG feature to create a custom header (EXIF?). It allows embedding HTML close to the start of the file. The HTML ends with <!--, which saves the HTML parser from choking on the actual image data that comes afterwards.

  • Reminds me of this story (JPEG and ZIP as one file):

    http://www.reddit.com/comments/arc79/reddit_i_got_the_best_p...

  • He should do it with his 404 page, too:

    http://lcamtuf.coredump.cx/squirrel/404.html

    :)

  • Any practical use for this or just for fun?

  • This is awesome. It's been a long time since I was blown away by an HTML hack but this blew me away. Yes!

  • This is what Dropbox needs to do to get everyone to stop complaining about dropping the public folder.

  • Using firefox, right click on the image in that page and select "View Image"

  • It's stuff like this that makes me smile at humanity.

  • How does it work?

  • trick summary:

enter in your JPEG comment field: "<html>...your page...</html><!--"

    then the "image" will look like:

       @^PJFIF^@^A^A^A^A,^A,^@^@000^Cr<html>...your page...</html><!-- rest of garbage
    
    to the browser this is just the same as:

       \n
       \n
       \n
       <html>...your page...</html>
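The two comments above (the "trick summary" and the earlier EXIF/comment-field explanation) describe the file layout the polyglot relies on. As an added example, not code from the thread or from lcamtuf, here is a small JPEG marker walker from the defender's side: it flags text-bearing segments (COM and APPn) that contain markup, and rebuilds the file without COM segments, which is what the `gm convert -comment ''` suggestion above would do. The sample JPEG bytes are constructed for the example; only the marker structure is real, the scan data is a placeholder.

```python
import struct

def _segment(marker, payload):
    """Build one marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not the real squirrel file): SOI, APP0/JFIF, a COM segment
# carrying HTML that ends in "<!--", an SOS header, placeholder scan bytes, EOI.
SAMPLE = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")
    + _segment(0xFE, b"<html><body>hello</body></html><!--")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)

MARKUP = (b"<html", b"<script", b"<!--", b"<body", b"<svg")

def jpeg_segments(data):
    """Yield (marker, payload) for each segment up to SOS, then ("scan", rest-of-file)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:           # SOS: entropy-coded data runs to EOI, no more headers
            yield "scan", data[pos:]
            return
    raise ValueError("truncated JPEG: no SOS found")

def find_markup_segments(data):
    """List (marker, offset) for COM/APPn segments whose payload contains HTML-like markup."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker == "scan" or not (marker == 0xFE or 0xE0 <= marker <= 0xEF):
            continue
        low = payload.lower()
        for needle in MARKUP:
            if needle in low:
                hits.append((marker, low.index(needle)))
                break
    return hits

def strip_comments(data):
    """Rewrite the JPEG with every COM segment dropped; other segments and scan data kept."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in jpeg_segments(data):
        if marker == "scan":
            out += payload
        elif marker != 0xFE:
            out += _segment(marker, payload)
    return bytes(out)
```

Re-encoding the upload (resize, crop, watermark), as one comment notes, removes the payload as a side effect; this parser is the cheaper check for sites that keep the original bytes, and it flags EXIF (APP1) payloads as well as comments.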

  • Can someone downvote me? I've put in some trolls, and apparently people are just silent about it. I think I tapped into some deep human insecurities, but I'm not really sure. I don't go to Hacker News much--I'd actually rather go to tmz most of the time if given the choice while the code is compiling.

  • Could executable javascript be included in that?


  • Diamonds all in my grill; nigga::.

  • lol "send money" for discovering an idea that is at least 15 years old? gtfo.

  • This is just more evidence that we should strive to do everything in a browser. Or an app that functions like one. It is more secure. Details should not be exposed to the user.

    Remember there is no file system. In fact, there are no files.

    We hid them so they do not exist. Out of sight, out of mind.

    There's no such thing as binary. That only existed when you were younger. Now it no longer exists. The numbers are gone. They do not exist.

    What's really important is how good fonts look. The javascript, the CSS, the browser!

    No user cares about content like text, audio and video, they care about window dressing: html and browsers. They care about what you can do with javascript. What can you do? Show me some tricks.

    Content alone is not enough. Who wants to read a story or download a video clip? You have to present it; you must entertain and you must persuade, by trickery if necessary. It's not the content, silly. It's the webpage. No javascript, no dice. Don't just deliver the content, entertain me for a few minutes first. Tell me about something else.

    No one cares about TV programming. They care about the TV's setup screens and onscreen channel guide. They want these menus to come to life. They want their TV's to become "intelligent".

    A webpage without javascript is like a lifeless onscreen TV channel guide that does not track what you watch and report it to marketers, or make automatic suggestions on what you should watch, or display animations while you sit and wait for seconds while the TV's software is "Loading..." in response to your last button push. Boring.

    Users want books, newspapers, radios and TV's that have "artificial intelligence". They want others to know what they are reading and watching and they want advertisers to address them by name. Let's get with it. Bring us the future.