Messing with binary formats (live)

Live version of my slide deck.
Full version http://www.slideshare.net/ange4771/messing-with-binary-formats

  1. Messing with binary formats. Ange Albertini, 2013/09/13, London, England
  2. reverse engineering & visual documentations: http://corkami.com
  3. MZ ?
  4. Structure
     1. start
        ○ PE Signature
           ■ %PDF + fake obj start
           ■ HTML comment start
     2. next
        ○ PE (next)
        ○ HTML
        ○ PDF (next)
     3. bottom
        ○ ZIP
  5. %PDF***** 1 0 obj << /Size 2 /W[[]1/] /Root 1 0 R /Pages<< /Kids[<< /Contents<<>> stream BT{99 Tf{Td(Inlined PDF)' endstream >>] >> >> stream * endstream startxref%*******
  6. %PDF-1.1 1 0 obj << % /Type /Catalog ... >> endobj 2 0 obj << /Type /Pages ... >> endobj 3 0 obj << /Type /Page /Resources << /Font << /F1 << /Type /Font /Subtype /Type1 ... >> >> >> >> endobj 4 0 obj << /Length 47>> stream ... xref 01 0000000000 65535 f 0000000010 00000 n ...
  7. DEMO
  8. 10.1.4 10.1.5
  9. Weaknesses
     ● evasion
        ○ filters → exfiltration
        ○ same origin policy
        ○ detection
           ■ ex: clean PE but malicious PDF/HTML/...
           ■ exhaust checks
           ■ pretend to be corrupt
     ● DoS
  10. Conclusion
  11. Conclusion
     ● type confusion is bad
        ○ succinct docs too
        ○ lazy software as well
     ● go beyond the specs
        ○ Adobe: good
     ● suggestions
        ○ more extension checks
        ○ isolate downloaded files
        ○ enforce magic signature at offset 0
  12. thank YOU ! Questions ?
  13. http://reverseengineering.stackexchange.com @angealbertini ✉ ange@corkami.com
  14. Bonus
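The structure on slide 4 and the "enforce magic signature at offset 0" suggestion on slide 11 can be turned into a simple detection check. The scanner below is an added example, not code from the deck or from corkami: it reports which of the four formats a lenient parser would accept in a file and flags a mismatch between the type declared at offset 0 and the other markers present. It assumes the usual parser leniency (a PDF header anywhere in the first 1024 bytes, a ZIP end-of-central-directory record within the last 64 KiB + 22 bytes); the sample bytes are constructed.

```python
import re

# Standard magic markers: MZ (PE), %PDF-x.y (PDF), an HTML comment or tag,
# PK\x03\x04 local header / PK\x05\x06 end-of-central-directory (ZIP).
SIGNATURES = {
    "PE":   re.compile(rb"MZ"),
    "PDF":  re.compile(rb"%PDF-\d\.\d"),
    "HTML": re.compile(rb"<!--|<html", re.IGNORECASE),
    "ZIP":  re.compile(rb"PK\x03\x04|PK\x05\x06"),
}
ZIP_EOCD = re.compile(rb"PK\x05\x06")
PDF_HEADER_WINDOW = 1024          # readers accept %PDF within the first 1 KiB
ZIP_EOCD_WINDOW = 65535 + 22      # EOCD record must sit in the last 64 KiB + 22

def declared_type(data: bytes):
    """Format whose magic sits exactly at offset 0, or None."""
    for name, sig in SIGNATURES.items():
        if sig.match(data):       # match() is anchored at offset 0
            return name
    return None

def embedded_formats(data: bytes) -> dict:
    """Map each format to the offset of a marker a lenient parser would honour."""
    found = {}
    if data[:2] == b"MZ":
        found["PE"] = 0
    m = SIGNATURES["PDF"].search(data, 0, PDF_HEADER_WINDOW + 8)
    if m:
        found["PDF"] = m.start()
    m = SIGNATURES["HTML"].search(data)   # weakest signal: only a hint
    if m:
        found["HTML"] = m.start()
    eocd = [x.start() for x in ZIP_EOCD.finditer(data, max(0, len(data) - ZIP_EOCD_WINDOW))]
    if eocd:
        found["ZIP"] = eocd[-1]           # ZIP is parsed from the bottom
    return found

def polyglot_report(data: bytes):
    """Return (declared type, sorted list of other formats also present)."""
    found = embedded_formats(data)
    declared = declared_type(data)
    return declared, sorted(f for f in found if f != declared)

# Constructed sample: a "PE" that also carries a PDF header near the start,
# an HTML comment in the middle and a ZIP EOCD record at the bottom.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"%PDF-1.1\n1 0 obj<<>>endobj\n"
          + b"<!-- html here -->" + b"\x00" * 16 + b"PK\x05\x06" + b"\x00" * 18)

if __name__ == "__main__":
    print(polyglot_report(SAMPLE))   # ('PE', ['HTML', 'PDF', 'ZIP'])
```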
