Messing with binary formats (live)
Live version of my slide deck.
Full version http://www.slideshare.net/ange4771/messing-with-binary-formats

    Presentation Transcript

    • Messing with binary formats. Ange Albertini, 2013/09/13, London, England
    • reverse engineering & visual documentation, http://corkami.com
    • MZ ?
    • Structure
      1. start
         ○ PE signature
           ■ %PDF + fake obj start
           ■ HTML comment start
      2. next
         ○ PE (next)
         ○ HTML
         ○ PDF (next)
      3. bottom
         ○ ZIP
    • %PDF*****
      1 0 obj << /Size 2 /W[[]1/] /Root 1 0 R /Pages<< /Kids[<< /Contents<<>>
      stream
      BT{99 Tf{Td(Inlined PDF)'
      endstream >>] >> >>
      stream *
      endstream
      startxref%*******
    • %PDF-1.1
      1 0 obj << % /Type /Catalog ... >> endobj
      2 0 obj << /Type /Pages ... >> endobj
      3 0 obj << /Type /Page /Resources << /Font << /F1 << /Type /Font /Subtype /Type1 ... >> >> >> >> endobj
      4 0 obj << /Length 47 >>
      stream
      ...
      xref 01
      0000000000 65535 f
      0000000010 00000 n
      ...
    • DEMO
    • Adobe Reader 10.1.4 vs. 10.1.5
    • Weaknesses
      ● evasion
        ○ filters → exfiltration
        ○ same origin policy
        ○ detection
          ■ ex: clean PE but malicious PDF/HTML/...
          ■ exhaust checks
          ■ pretend to be corrupt
      ● DoS
    • Conclusion
      ● type confusion is bad
        ○ succinct docs too
        ○ lazy software as well
      ● go beyond the specs
        ○ Adobe: good
      ● suggestions
        ○ more extension checks
        ○ isolate downloaded files
        ○ enforce magic signature at offset 0
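The layout from the Structure slide and the "enforce magic signature at offset 0" suggestion above, worked through as an added example (this is my code, not anything from Ange's deck). It builds a PDF/HTML/ZIP polyglot without the PE part (a valid MZ/PE header is left out here), then classifies the result twice: once with the lenient rules real parsers apply (a %PDF header anywhere in the first 1 KiB, a ZIP located from its end-of-central-directory record, an HTML comment opener found within the first bytes), and once with the strict rule that the magic must sit at offset 0. The trick of putting `<!--` on the `%PDF-1.1` line (the header line is a comment to a PDF parser), hiding the HTML in an unreferenced PDF stream, the 1024-byte and 64 KiB search windows, and the sample HTML and ZIP payload are all my assumptions; the checks are structural only, so whether a given viewer actually renders the file is something you still have to test by opening it.

```python
# Added example (not from the slides): build a PDF/HTML/ZIP polyglot following the deck's
# layout minus the PE part, then classify it with lenient vs. strict (offset 0) magic checks.
import io
import re
import zipfile

SIGNATURE_WINDOW = 1024        # assumption: PDF readers accept %PDF anywhere in the first 1 KiB
ZIP_EOCD_WINDOW = 22 + 65535   # end-of-central-directory record plus the largest possible comment


def _pdf_objects(html: bytes) -> list:
    """PDF objects 1..5 of a one-page document; object 5 is the 'fake' stream swallowing the HTML."""
    page_text = b"BT /F1 24 Tf 20 40 Td (Inlined PDF) Tj ET"
    # Close the HTML comment opened on the %PDF line, emit the page, then re-open a comment
    # that hides the rest of the PDF and the trailing ZIP from the browser.
    html_stream = b"-->\n" + html + b"\n<!--\n"
    return [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 220 80] /Contents 4 0 R /Resources"
        b" << /Font << /F1 << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> >> >> >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(page_text), page_text),
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(html_stream), html_stream),
    ]


def build_polyglot(html_body: bytes, zip_name: str, zip_payload: bytes) -> bytes:
    """Layout: %PDF at offset 0 (its header line doubles as the HTML comment opener),
    PDF objects next (the HTML lives inside one of its streams), ZIP appended at the bottom.
    Keep '-->' out of zip_payload, or the browser would leave the trailing comment early."""
    # To a PDF parser the whole header line is a comment, so "<!--" after the version is harmless.
    out = bytearray(b"%PDF-1.1<!--\n")
    offsets = []
    for num, body in enumerate(_pdf_objects(b"<html><body>" + html_body + b"</body></html>"), 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(offsets) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off          # 20-byte entries, as the spec requires
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(offsets) + 1, xref_pos)
    # zipfile in append mode on a non-ZIP prefix writes a fresh archive after it. ZIP readers
    # find the end-of-central-directory record by scanning back from EOF; PDF readers tolerate
    # bytes after %%EOF and the browser is still inside the comment re-opened in object 5.
    buf = io.BytesIO(bytes(out))
    with zipfile.ZipFile(buf, "a", zipfile.ZIP_STORED) as zf:
        zf.writestr(zip_name, zip_payload)
    return buf.getvalue()


def claimants(data: bytes, lenient: bool = True) -> set:
    """Formats whose parsers would accept `data`. lenient=True models the tolerance the talk
    exploits (signature searched within a window); lenient=False models the deck's suggestion
    that the magic must sit at offset 0, which lets at most one format claim the file."""
    found = set()
    if data.startswith(b"MZ"):              # the PE loader really does insist on offset 0
        found.add("PE")
    if data.startswith(b"%PDF-") or (lenient and b"%PDF-" in data[:SIGNATURE_WINDOW]):
        found.add("PDF")
    html_magic = re.compile(rb"<!--|<html|<!doctype html", re.I)
    if html_magic.match(data) or (lenient and html_magic.search(data[:SIGNATURE_WINDOW])):
        found.add("HTML")
    if data.startswith(b"PK\x03\x04") or (lenient and b"PK\x05\x06" in data[-ZIP_EOCD_WINDOW:]):
        found.add("ZIP")
    return found


def xref_consistent(data: bytes) -> bool:
    """Verify the PDF side: every in-use xref entry must point at the 'N 0 obj' it claims.
    Offsets count from the %PDF header, which here is also offset 0 of the file."""
    start = int(re.search(rb"startxref\s+(\d+)", data).group(1))
    head = re.match(rb"xref\s+0 (\d+)\s+", data[start:])
    if head is None:
        return False
    pos = start + head.end()
    for num in range(int(head.group(1))):
        off, _gen, kind = data[pos:pos + 18].split()
        pos += 20
        if kind == b"n" and not data[int(off):].startswith(b"%d 0 obj" % num):
            return False
    return True


def zip_member(data: bytes, name: str) -> bytes:
    """Read one member back through the ZIP parser, which starts from the end of the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    blob = build_polyglot(b"<h1>Inlined HTML</h1>", "note.txt", b"hello from the zip\n")
    with open("polyglot.pdf", "wb") as fh:   # rename to .html or .zip to feed the other parsers
        fh.write(blob)
    print("lenient parsers accept it as:", sorted(claimants(blob)))
    print("magic-at-offset-0 rule accepts it as:", sorted(claimants(blob, lenient=False)))
    print("xref consistent:", xref_consistent(blob), "| zip member:", zip_member(blob, "note.txt"))
```

With the lenient rules the same bytes are claimed by three parsers, which is exactly the detection weakness on the previous slide (a scanner that decides on one format misses the payload the others see); with the offset-0 rule only PDF claims them, and any HTML or ZIP handler that is handed the file would have to reject it.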
    • Thank you! Questions?
    • http://reverseengineering.stackexchange.com, @angealbertini, ✉ ange@corkami.com
    • Bonus