SyScan15 Saumil Shah - STEGOSPLOIT - HACKING
Transcription
Hacking With Pictures
Saumil Shah, SyScan 2015, net-square

About Me
Saumil Shah, CEO, Net-Square
@therealsaumil, saumilshah
hacker, trainer, speaker, author, photographer
educating, entertaining and exasperating audiences since 1999

Hiding In Plain Sight

Images are INNOCENT!

A bit of History
• Steganography
• GIFAR concatenation
• PHP/ASP webshells: appending tags <?php..?> <%..%>
• XSS in EXIF data

Dangerous Content Is ...Dangerous
(diagram: Attack Payload, decoder, Pixel Data, labelled SAFE and DANGEROUS)

I'm an innocent image / I'm an evil Javascript
(two slides overlaid: the image slide spells out "Greetings Professor Falken" letter by letter; the script slide shows a fragment of obfuscated exploit Javascript. The readable part is the helper function packv(n) {var s=new Number(n).toString(16); while(s.length<8) s="0"+s; return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}, which packs a 32-bit value as two %u escapes, low word first. It is followed by an addressof[...] table of ROP gadget entries (ropnop, xchg_eax_esp_ret, pop_eax_ret, pop_ecx_ret, mov_peax_ecx_ret, mov_eax_pecx_ret, mov_pecx_eax_ret, inc_eax_ret, add_eax_4_ret, call_peax_ret, add_esp_24_ret, popad_ret, each with a hex address on the slide) and the start of a function call_ntallocatevirtualmemory(baseptr, size, callnum) that packs those entries into a string; the slide text is interleaved with the image text and cut off in extraction.)

<CANVAS>

Avoid the EVIL eval()
var a = eval(str);
a = (new Function(str))();
Hat tip: Dr. Mario Heiderich @0x6D6172696F

Theory Becomes Practice - 2014

Hiding In Plain Sight
I SEE PIXELS / I SEE CODE

IMAJS – The Concept
<img> sees pixels
<script> sees code
#YourPointOfView
Image / Javascript: Holy Sh** Bipolar Content!

Cross Container Scripting - XCS
<img src="itsatrap.gif">
<script src="itsatrap.gif"></script>

IMAJS-GIF Browser Support
Height/Width bytes   Browser/Viewer    Image Renders?   Javascript Executes?
2f 2a 00 00          Firefox           yes              yes
2f 2a 00 00          Safari            yes              yes
2f 2a 00 00          IE                no               yes
2f 2a 00 00          Chrome            yes              yes
2f 2a 00 00          Opera             ?                ?
2f 2a 00 00          Preview.app       yes              -
2f 2a 00 00          XP Image Viewer   no               -
2f 2a 00 00          Win 7 Preview     yes              -

IMAJS-BMP Browser Support
Height/Width bytes   Browser/Viewer    Image Renders?   Javascript Executes?
2f 2a 00 00          Firefox           yes              yes
2f 2a 00 00          Safari            yes              yes
2f 2a 00 00          IE                yes              yes
2f 2a 00 00          Chrome            yes              yes
2f 2a 00 00          Opera             yes              yes
2f 2a 00 00          Preview.app       yes              -
2f 2a 00 00          XP Image Viewer   yes              -
2f 2a 00 00          Win 7 Preview     yes              -

Popular Image Formats
             BMP    GIF    PNG    JPG
IMAJS        Easy   Easy   Hard   Hard
(the slide has further rows Alpha, <CANVAS>, Colours and Extra Data with the cells ?, RGB, Paletted, (00 in header), (Lossy), Yes, No, Yes, Yes, RGB, RGB, EXIF; their column assignment is lost in extraction)

All new IMAJS-JPG!
JPG + JS + HTML + CSS
Hat tip: Michael Zalewski @lcamtuf

The Secret Sauce
shhh.. don't tell anyone

Regular JPEG Header
FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 FF E2 ...
FF D8 = Start marker; 00 10 = length; 4A 46 49 46 00 = "J F I F \0"; FF E2 ... = next section

Modified JPEG Header
FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41 ...12074... 41 41 41 FF E2 ...
FF D8 = Start marker; 2F 2A = length (12074 bytes); 4A 46 49 46 00 = "J F I F \0"; FF E2 ... = next section
Whole lot of extra space!

See the difference?
FF D8 FF E0 /* 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 */='';alert(Date());/* ...41 41 41 FF E2 ...
The length bytes 2F 2A are a comment opener! The JFIF bytes sit inside the comment, and the Javascript goes here, in the extra space before the next section.

HTML5 for Exploit Dev
• jscript9.dll introduced many changes.
  – No %u0000 in strings.
  – No 0x00000000 in strings.
• Kills conventional Heap Sprays.
• <CANVAS> to the rescue!
• IE9 and above "support" HTML5.
• <!DOCTYPE html>

CANVAS for Exploit Dev
• Heap Sprays through Pixel Arrays!
• No character restrictions.
  – All pixels treated equally!
• And a bonus... ALPHA CHANNELS.

Stegosploit!
MS14-035 CInput Use-After-Free + IMAJS + stego = PWN!

PAYLOADS GO back in time
ATTACK TIMELINE
OCT 2014: GET /lolcat.png -> 200 OK. JS exploit code encoded in PNG. SAFE. ("I'M IN UR BASE")
FEB 2015: GET /decoder.jpg -> 200 OK; GET /lolcat.png -> 304 Not Modified. Decoder script references PNG from cache. EVIL. ("...KILLING UR DOODZ")

Conclusions - Offensive
• Lot of possibilities!
• Weird containers, weird encoding, weird obfuscation.
• Image attacks emerging "in the wild".
• Not limited to just browsers.

Conclusions - Defensive
• DFIR nightmare.
  – how far back does your window of inspection go?
• Can't rely on extensions, file headers, MIME types or magic numbers.
• Wake up call to browser-wallahs.

Greets!
Michael Zalewski @lcamtuf
Ange Albertini @corkami
@zer0mem
Mario Heiderich @0x6D6172696F
Thomas Lim @thomas_coseinc
@SyScan crew!

THE END
Photography by Saumil Shah
Saumil Shah @therealsaumil saumilshah saumil@net-square.com
See you at #SYSCAN16 #syscanmustnotdie
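The JPEG trick on the "Secret Sauce" slides and the GIF/BMP trick behind the IMAJS-GIF and IMAJS-BMP tables share one mechanism: a length or dimension field whose bytes are 2F 2A, i.e. the Javascript comment opener "/*". The defensive conclusion is that a magic number only tells you which parser to run; the structure behind it still has to be checked. The Python below is an added example written for this transcription, not the talk's code or any Net-Square tool. It walks the JPEG marker chain, compares the APP0/JFIF segment length with the length its own fields imply, and flags length or dimension fields that spell "/*" and any "*/" in the body. The sample files are constructed inline from the header bytes on the slides (the alert(Date()) string is the one on the "See the difference?" slide); the BMP check assumes a BITMAPINFOHEADER layout.

```python
# Added example for this transcription, not code from the talk or from Net-Square.
# Structural checks for the IMAJS polyglot patterns on the slides: a JPEG APP0
# length, a GIF logical-screen width or a BMP DIB width whose bytes read as the
# Javascript comment opener "/*" (0x2F 0x2A), plus the "*/" that closes it.
import struct

COMMENT_OPEN = b"/*"   # 0x2F 0x2A, the bytes placed in the length/size field
COMMENT_CLOSE = b"*/"


def check_jpeg(data: bytes) -> list:
    """Walk the JPEG marker chain; return a list of anomaly strings (empty = clean)."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected marker byte 0xFF, got 0x{data[pos]:02X}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):               # EOI, or SOS: entropy-coded data follows
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: truncated segment header")
            break
        length_bytes = data[pos + 2:pos + 4]
        length = struct.unpack(">H", length_bytes)[0]   # big-endian, counts itself
        payload = data[pos + 4:pos + 2 + length]
        if length_bytes == COMMENT_OPEN:
            findings.append(f"offset {pos}: segment 0xFF{marker:02X} length bytes spell '/*' ({length})")
        if marker == 0xE0 and payload[:5] == b"JFIF\x00" and len(payload) >= 14:
            # JFIF APP0 is 16 bytes plus an optional RGB thumbnail (Xthumb * Ythumb * 3)
            expected = 16 + 3 * payload[12] * payload[13]
            if length != expected:
                findings.append(f"offset {pos}: APP0/JFIF length {length}, expected {expected}")
        if COMMENT_CLOSE in payload:
            findings.append(f"offset {pos}: '*/' inside segment 0xFF{marker:02X}")
        if pos + 2 + length > len(data):
            findings.append(f"offset {pos}: segment runs past end of file")
            break
        pos += 2 + length
    return findings


def check_gif(data: bytes) -> list:
    """GIF: logical screen width/height are little-endian 16-bit fields at offset 6."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 10:
        return ["not a GIF: bad signature or truncated header"]
    findings = []
    width, height = struct.unpack("<HH", data[6:10])
    if data[6:8] == COMMENT_OPEN:
        findings.append(f"logical screen width bytes spell '/*' (width {width})")
    if width == 0 or height == 0:
        findings.append(f"zero-sized logical screen {width}x{height}")
    if COMMENT_CLOSE in data:
        findings.append("'*/' present in GIF body")
    return findings


def check_bmp(data: bytes) -> list:
    """BMP with a BITMAPINFOHEADER (assumed): width is an int32 field at offset 18."""
    if data[:2] != b"BM" or len(data) < 22:
        return ["not a BMP: bad signature or truncated header"]
    findings = []
    width = struct.unpack("<i", data[18:22])[0]
    if data[18:20] == COMMENT_OPEN:
        findings.append(f"DIB width bytes spell '/*' (width {width})")
    if COMMENT_CLOSE in data:
        findings.append("'*/' present in BMP body")
    return findings


def scan_image(data: bytes) -> list:
    """Use the magic number only to pick a parser, then verify the structure behind it."""
    if data[:2] == b"\xff\xd8":
        return check_jpeg(data)
    if data[:3] == b"GIF":
        return check_gif(data)
    if data[:2] == b"BM":
        return check_bmp(data)
    return ["unrecognised container"]


# Constructed samples built from the header bytes on the slides (not real files).
JFIF_BODY = b"JFIF\x00\x01\x01\x01\x01\x2c\x01\x2c\x00\x00"   # 14 bytes, no thumbnail
TAIL = b"\xff\xe2\x00\x04\x00\x00" + b"\xff\xd9"               # empty "next section", then EOI


def build_regular_jpeg() -> bytes:
    return b"\xff\xd8\xff\xe0\x00\x10" + JFIF_BODY + TAIL


def build_imajs_jpeg() -> bytes:
    # Length field 2F 2A = 12074, so 12072 payload bytes: JFIF bytes, the slide's
    # comment-closing Javascript, then 0x41 filler up to the next section.
    payload = JFIF_BODY + b"*/='';alert(Date());/*"
    payload += b"A" * (0x2F2A - 2 - len(payload))
    return b"\xff\xd8\xff\xe0" + COMMENT_OPEN + payload + TAIL


def build_imajs_gif() -> bytes:
    # Width 2f 2a, height 00 00 as in the IMAJS-GIF table; header only.
    return b"GIF89a" + COMMENT_OPEN + b"\x00\x00" + b"\x00\x00\x00" + b"*/=1;"


def build_imajs_bmp() -> bytes:
    # BITMAPINFOHEADER with width bytes 2f 2a 00 00 as in the IMAJS-BMP table; header only.
    return (b"BM" + struct.pack("<IHHI", 0, 0, 0, 54) + struct.pack("<I", 40)
            + COMMENT_OPEN + b"\x00\x00" + struct.pack("<i", 0) + b"*/=1;")


if __name__ == "__main__":
    for name, blob in [("regular.jpg", build_regular_jpeg()), ("imajs.jpg", build_imajs_jpeg()),
                       ("imajs.gif", build_imajs_gif()), ("imajs.bmp", build_imajs_bmp())]:
        print(name, scan_image(blob) or "clean")
```

Run as a script it prints "clean" for the regular JFIF header and three findings for the modified one (the "/*" length, an APP0 length of 12074 where the JFIF fields imply 16, and a "*/" inside the segment). The JFIF length comparison is the part that survives obfuscation: an attacker can pick any filler, but the thumbnail fields in the same segment still pin down what the length ought to be.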