Hackers of India

Stegosploit - Exploit Delivery with Steganography and Polyglots

By Saumil Shah on 12 Nov 2015 @ Blackhat

This talk covers the technique(s) listed below:
STEGOSPLOIT

Presentation Material

Abstract

“A good exploit is one that is delivered with style.”

Stegosploit creates a new way to encode “drive-by” browser exploits and deliver them through image files. These payloads are undetectable using current means. This talk discusses the two broad underlying techniques used for image-based exploit delivery: steganography and polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and JavaScript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim’s browser when loaded. The Stegosploit Toolkit v0.3, to be released with improvements upon the existing v0.2, contains the tools necessary to test image-based exploit delivery.
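The abstract's defining property, an image file that also carries HTML and JavaScript, is exactly what a defender can look for at an upload or proxy boundary. The following is an added example written for this page, not code from the talk or from the Stegosploit Toolkit: it checks that a file really starts with a JPEG or PNG signature, looks for HTML/JS markers anywhere in the bytes (Stegosploit places the decoder inside the image container, so a trailer-only check is not enough), and separately reports any bytes after the format's end marker. The sample files are constructed inline; they are minimal container stubs, not real images or real Stegosploit output.

```python
import re

# Format signatures and end markers (standard JPEG/PNG, not page-specific values)
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_IEND_TYPE = b"IEND"

# HTML/JS tokens that have no business inside an image container.
# Chosen for this example; a production scanner would tune this list.
MARKERS = [rb"<html", rb"<script", rb"<canvas", rb"<body", rb"javascript:"]


def image_kind(data: bytes):
    """Return 'jpeg', 'png' or None based on the leading signature."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    return None


def trailing_bytes_after_end(data: bytes, kind: str) -> int:
    """Count bytes that follow the last structural end marker of the format."""
    if kind == "png":
        idx = data.rfind(PNG_IEND_TYPE)
        if idx == -1:
            return len(data)            # no IEND at all: treat everything as unexplained
        end = idx + 4 + 4               # chunk type (4) + CRC (4)
        return max(0, len(data) - end)
    if kind == "jpeg":
        idx = data.rfind(JPEG_EOI)
        if idx == -1:
            return len(data)
        return len(data) - (idx + 2)
    return 0


def scan_for_polyglot(data: bytes) -> dict:
    """Report HTML/JS markers and trailing data in a purported JPEG/PNG."""
    kind = image_kind(data)
    if kind is None:
        return {"kind": None, "findings": ["not a JPEG/PNG signature"]}
    findings = []
    for marker in MARKERS:
        for m in re.finditer(marker, data, re.IGNORECASE):
            findings.append(f"html/js marker {marker.decode()} at offset {m.start()}")
    trailing = trailing_bytes_after_end(data, kind)
    if trailing > 0:
        findings.append(f"{trailing} bytes after {kind} end marker")
    return {"kind": kind, "findings": findings}


# Constructed samples (container stubs only, not decodable images)
CLEAN_JPEG = (b"\xff\xd8"                                   # SOI
              b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
              b"\xff\xd9")                                  # EOI
CLEAN_PNG = (PNG_MAGIC
             + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4  # IHDR + CRC
             + b"\x00\x00\x00\x00IEND\xaeB`\x82")          # IEND + CRC
# HTML appended after EOI
POLYGLOT_APPENDED = CLEAN_JPEG + b"<html><script>/* constructed stub */</script></html>"
# HTML hidden inside a JPEG COM segment, before EOI (no trailing data at all)
_comment = b"<script>/* constructed stub */</script>"
POLYGLOT_COMMENT = (b"\xff\xd8" + b"\xff\xfe" + (len(_comment) + 2).to_bytes(2, "big")
                    + _comment + b"\xff\xd9")


if __name__ == "__main__":
    for name, blob in [("clean jpeg", CLEAN_JPEG), ("clean png", CLEAN_PNG),
                       ("appended", POLYGLOT_APPENDED), ("comment", POLYGLOT_COMMENT)]:
        print(name, scan_for_polyglot(blob))
```

A hit on a marker is a strong signal; trailing bytes alone are weaker (some legitimate tools leave junk after EOI), which is why the two are reported separately. Re-encoding uploads server-side, which the Q&A below touches on, is the mitigation that removes both the embedded decoder and any steganographic payload, since the pixel data is resampled and the container rebuilt.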

AI Generated Summary (may contain errors)

Here is a summarized version of the content:

The speaker, an expert in clever JavaScript exploits, begins by thanking friends and mentioning their inspiration. They then move on to answer questions from the audience.

One audience member asks if the speaker has conducted a study on image hosting sites that re-encode images or not. The speaker replies that they haven’t done a complete survey but have successfully exploited image hosting services using Amazon S3 as a backend.

Another audience member asks how the speaker knows when encoding JPEGs that the pixels will eventually converge. The speaker responds that they don’t have a mathematical proof, but use trial and error to determine convergence based on exponential decline of error.

A third audience member asks if the exploit can work for an image embedded in an HTML page. The speaker replies that it cannot, as the browser’s image decoder libraries are used directly, and a PNG or JPEG exploit would be needed instead.

Finally, an audience member asks how browsers interpret JavaScript code in the presence of extensions like NoScript. The speaker explains that with NoScript, JavaScript is only allowed from domains that are explicitly permitted by the user. They also mention that inline JavaScript can be disabled using Content Security Policy, but it can still be packaged separately and referenced as a script source.

The talk concludes with the speaker thanking the audience and inviting them to approach them outside for further discussion.