5. NETSQUARENETSQUARE
Stegosploit Design Goals
• Only VALID images on
network and disk.
• Exploit code hidden in pixels.
• Self contained decoder code.
• Exploit automatically decoded
and triggered upon loading...
• ...all with just ONE IMAGE,
• in STYLE!
22. NETSQUARE
HTML5 CANVAS to the rescue!
• In-browser decoding of
steganographically encoded images.
• Read image pixel data using JS.
• Rebuild JS exploit code from pixel data,
in memory.
• Simple array and bit manipulation
operations.
29. NETSQUARE
IMAJS-JPG Recipe
SOI FF D8
APP0 length J F I F 0
versn Xres
DQT
SOF0
DHT
FF E0
U Yres H V
FF DB quantization tables
DQT FF DB quantization tables
FF C0 start of frame
FF C4 Huffman tables
30. NETSQUARE
IMAJS-JPG Recipe
SOI FF D8
APP0 length J F I F 0
versn Xres
FF E0
U Yres H V
... more random data ...
<html random random random random...
and other HTML stuff goes here...
random ><head random> decoder script
<script type=text/undefined> ...
DQT
SOF0
DHT
FF DB quantization tables
DQT FF DB quantization tables
FF C0 start of frame
FF C4 Huffman tables
31. NETSQUARE
IMAJS-PNG Recipe
Inspiration: http://daeken.com/superpacking-js-demos
PNG Header 89 50 4E 47 0D 0A 1A 0A
IHDR IHDRlength chunk data CRC
tEXtlength _00<html random random ...
CRC
random><head random> decoder script
and other HTML stuff goes here...
<script type=text/undefined>...
extra tEXt chunk
IDATlength pixel data CRCIDAT chunk
IDATlength pixel data CRCIDAT chunk
IDATlength pixel data CRCIDAT chunk
IEND0 CRCIEND chunk
34. NETSQUARE
Exploit code
encoded in image.
EVIL
GET /lolcat.png
200 OK
Expires: 6 months
I'M IN UR BASE
Decoder script references image
from cache.
SAFE
GET /lolcat.png
Load from cache
....KILLING UR DOODZ
DEC 2015 APR 2016
< PAYLOADS GO
back in time
40. NETSQUARE
Browsers and W3C - Wake Up!
BROWSERS
• Don't be afraid to "BREAK THE WEB".
• Reject content that does not conform to
strict standards/specs.
W3C
• STRICT parsing rules – like COMPILERS.
• Browser compliance and user-
awareness is YOUR responsibility.