Inside Stegosploit

By Saumil Shah on 07 Oct 2016 @ Deepsec
#web-security #exploitation #security-assessment
Focus Areas: Application Security, Penetration Testing, Vulnerability Management, Web Application Security

Abstract

Stegosploit creates a new way to encode "drive-by" browser exploits and delivers them through image files. Using current means these payloads are undetectable. In his talk Saumil Shah discusses two broad underlying techniques used for image based exploit delivery: Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and JavaScript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

This talk focuses more on the inner mechanisms of Stegosploit, implementation details and how certain browser specific obstacles were overcome.

The Stegosploit Toolkit contains the tools necessary to test image based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall be presented demonstrating the Stegosploit technique.

AI Generated Summary

Stegosploit is an exploit delivery technique that hides browser exploit code in the pixel data of ordinary image files such as JPEG and PNG. It combines two pieces: simple bit-layer steganography, and polyglot file construction, which together yield a single file that is at once a valid image and a valid HTML document carrying JavaScript.

Encoding starts by writing the exploit's JavaScript, as a bitstream, into one of the low-order bit layers of the image's pixel grid, where the change is visually negligible. Because JPEG compression is lossy and perturbs exactly those low bits, the encoder works iteratively: it embeds the bits, recompresses, checks which bits were damaged, re-embeds on top of the compressed output, and repeats until the pixel values stop changing, so the hidden payload survives the final compression. The key step is the polyglot: a metadata section that the image decoder ignores is rewritten to hold an HTML template with a JavaScript decoder. Image viewers see only the picture; an HTML parser, which tolerates and skips over bytes it cannot interpret, finds the script. When the file is loaded in a browser as a document rather than as an image resource, the decoder script draws the image onto an HTML5 Canvas, reads the embedded bit layer back through the Canvas pixel API, reassembles the original exploit code and executes it.

A live demonstration delivered a Meterpreter payload through a JPEG that ran as soon as the file was viewed in a browser, ending in full system compromise. Detection is hard because the file is a well-formed image wherever it is inspected, on disk or on the wire, and the embedded decoder is innocuous-looking JavaScript; the exploit itself exists only as pixel values until the decoder reconstructs it at runtime. The speaker argued that this exposes a systemic weakness in defences that rely on signatures, and in browsers' lax HTML parsing, and called for stricter browser standards and W3C enforcement of compliance to close the "Nakatomi space" that such polyglots exploit. Tools for building these files are publicly available.
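The pixel-level part of the summary above, as an added example written for this page rather than code from the Stegosploit toolkit or the speaker: an encoder that writes a bitstream into one bit layer of an RGBA buffer shaped like what the Canvas getImageData() call returns, the matching decoder, and the iterative re-encode loop. The lossy step is a constructed stand-in for JPEG quantisation (each colour channel rounded to a multiple of 4), the cover image is a generated gradient, the payload is a harmless placeholder string, and all function names are the example's own.

```javascript
// Added example (not Stegosploit's own code): bit-layer steganography over an
// RGBA buffer shaped like ctx.getImageData(0, 0, w, h).data, a decoder that a
// polyglot's inline script would run against the canvas, and the iterative
// re-encode loop that makes the payload survive a lossy step. The lossy step
// and the sample image are constructed stand-ins, not a real JPEG codec.

// Bit 0 is invisible but fragile; higher layers survive recompression at the
// cost of visible noise. Layer 2 is enough to survive the stand-in codec below.
const BIT_LAYER = 2;

// Embed `text` (NUL-terminated) into bit `layer` of the R, G and B channels.
// Alpha is skipped: browsers premultiply it, so canvas may not hand it back intact.
function encodeBits(pixels, text, layer = BIT_LAYER) {
  const bytes = new TextEncoder().encode(text);
  const out = new Uint8ClampedArray(pixels); // copy; the input is left untouched
  const mask = 1 << layer;
  const totalBits = (bytes.length + 1) * 8;   // +1 for the terminating NUL byte
  let bitIndex = 0;
  for (let i = 0; i < out.length && bitIndex < totalBits; i++) {
    if (i % 4 === 3) continue;                // alpha channel
    const byteIdx = bitIndex >> 3;
    const byte = byteIdx < bytes.length ? bytes[byteIdx] : 0;
    const bit = (byte >> (7 - (bitIndex & 7))) & 1;
    out[i] = bit ? out[i] | mask : out[i] & ~mask;
    bitIndex++;
  }
  if (bitIndex < totalBits) throw new Error("image too small for payload");
  return out;
}

// Read the same bit layer back until a NUL byte. In a browser the argument
// would be ctx.getImageData(...).data after drawImage() of the loaded image.
function decodeBits(pixels, layer = BIT_LAYER) {
  const bytes = [];
  let cur = 0, nbits = 0;
  for (let i = 0; i < pixels.length; i++) {
    if (i % 4 === 3) continue;
    cur = (cur << 1) | ((pixels[i] >> layer) & 1);
    if (++nbits === 8) {
      if (cur === 0) break;
      bytes.push(cur);
      cur = 0; nbits = 0;
    }
  }
  return new TextDecoder().decode(Uint8Array.from(bytes));
}

// Constructed stand-in for JPEG quantisation: each colour channel is rounded to
// the nearest multiple of 4 (two low bits lost), clamped to 252 so a rounded-up
// 255 cannot oscillate. Like a real codec it is deterministic and idempotent,
// which is what lets the re-encode loop below reach a fixed point.
function lossyRoundTrip(pixels) {
  const out = new Uint8ClampedArray(pixels.length);
  for (let i = 0; i < pixels.length; i++) {
    out[i] = i % 4 === 3 ? pixels[i] : Math.min(252, Math.round(pixels[i] / 4) * 4);
  }
  return out;
}

// Iterative encoding: embed, run the lossy step, check what survived, and
// re-embed on top of the codec's own output until decode(image) === text.
function encodeUntilStable(pixels, text, lossy = lossyRoundTrip, maxPasses = 16) {
  let current = pixels;
  for (let pass = 1; pass <= maxPasses; pass++) {
    const survived = lossy(encodeBits(current, text));
    if (decodeBits(survived) === text) return { pixels: survived, passes: pass };
    current = survived;
  }
  throw new Error("payload did not stabilise within " + maxPasses + " passes");
}

// Constructed 32x32 RGBA gradient standing in for a cover photo.
function makeSampleImage(width = 32, height = 32) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const o = (y * width + x) * 4;
      data[o] = (x * 7 + y * 13) & 0xff;
      data[o + 1] = (x * 3 + y * 17 + 31) & 0xff;
      data[o + 2] = (x * 11 + y * 5 + 62) & 0xff;
      data[o + 3] = 255;
    }
  }
  return data;
}

// Placeholder payload; in Stegosploit this would be the exploit's JavaScript.
const SAMPLE_TEXT = "alert(document.domain)";

// Compare a single naive embed against the iterative encoder.
function demo() {
  const cover = makeSampleImage();
  const naive = decodeBits(lossyRoundTrip(encodeBits(cover, SAMPLE_TEXT)));
  const stable = encodeUntilStable(cover, SAMPLE_TEXT);
  return {
    naiveSurvived: naive === SAMPLE_TEXT,
    passes: stable.passes,
    stableSurvived: decodeBits(lossyRoundTrip(stable.pixels)) === SAMPLE_TEXT,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Run under Node.js. The naive single pass is corrupted because rounding to a multiple of 4 carries into bit 2 whenever the low two bits are 2 or 3; the second pass embeds on top of the quantiser's own output, which it leaves unchanged, so the loop reaches a fixed point. A real JPEG encoder is far less tidy (the DCT spreads every pixel change across an 8x8 block), which is why the real toolkit needs several passes and a higher bit layer, but the convergence argument is the same.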
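The file-format side, and the check a defender can run over it, as an added example that is neither the Stegosploit toolkit nor the speaker's code: build a minimal, valid 1x1 PNG whose tEXt chunk holds a constructed inert HTML string, then walk the chunk list as a scanner would, verifying every CRC and flagging ancillary chunks that carry markup. The chunk layout, CRC-32 and the stored zlib block follow the PNG and RFC 1950/1951 specifications; everything else (function names, the placeholder string, the marker patterns) is this example's own.

```javascript
// Added example (not Stegosploit's own code): build a minimal PNG whose tEXt
// chunk carries an HTML/JavaScript string, then walk the chunk list as a
// defender's scanner would: verify each CRC and flag text-bearing ancillary
// chunks that contain markup. Pure Node.js, no dependencies. The HTML string is
// a constructed inert placeholder, not a real decoder or exploit.

const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];

const CRC_TABLE = (() => {
  const t = new Uint32Array(256);
  for (let n = 0; n < 256; n++) {
    let c = n;
    for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
    t[n] = c >>> 0;
  }
  return t;
})();

// Standard PNG CRC-32, computed over chunk type + chunk data.
function crc32(bytes) {
  let c = 0xffffffff;
  for (const b of bytes) c = CRC_TABLE[(c ^ b) & 0xff] ^ (c >>> 8);
  return (c ^ 0xffffffff) >>> 0;
}

const u32be = (n) => [(n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff];
const ascii = (s) => Array.from(s, (ch) => ch.charCodeAt(0) & 0xff);
const latin1 = (bytes) => Array.from(bytes, (b) => String.fromCharCode(b)).join("");

// One chunk: length | type | data | CRC(type + data).
function pngChunk(type, data) {
  const body = [...ascii(type), ...data];
  return [...u32be(data.length), ...body, ...u32be(crc32(body))];
}

// zlib stream holding a single stored (uncompressed) deflate block, so the
// example needs no zlib module. Adler-32 trailer computed by hand.
function zlibStored(raw) {
  let a = 1, b = 0;
  for (const x of raw) { a = (a + x) % 65521; b = (b + a) % 65521; }
  const len = raw.length;
  return [0x78, 0x01, 0x01, len & 0xff, (len >> 8) & 0xff, ~len & 0xff, (~len >> 8) & 0xff,
          ...raw, ...u32be(((b << 16) | a) >>> 0)];
}

// A valid 1x1 RGB PNG with `text` stored in a tEXt chunk ahead of the pixel data.
function buildPngWithText(text) {
  const ihdr = pngChunk("IHDR", [...u32be(1), ...u32be(1), 8, 2, 0, 0, 0]);
  const textChunk = pngChunk("tEXt", [...ascii("Comment"), 0, ...ascii(text)]);
  const idat = pngChunk("IDAT", zlibStored([0, 255, 0, 0])); // filter 0 + one red pixel
  const iend = pngChunk("IEND", []);
  return Uint8Array.from([...PNG_SIG, ...ihdr, ...textChunk, ...idat, ...iend]);
}

// Markers a scanner might look for in metadata; constructed for this example.
const MARKUP = [/<script\b/i, /<html\b/i, /<body\b/i, /javascript:/i, /<svg\b/i];

// Walk the chunks, check CRCs and flag readable ancillary chunks carrying markup.
// Critical chunks (IHDR, PLTE, IDAT, IEND) start with an uppercase letter; every
// other chunk is ancillary, ignored by decoders, and a natural hiding place.
function scanPng(bytes) {
  if (bytes.length < 8 || !PNG_SIG.every((v, i) => bytes[i] === v)) throw new Error("not a PNG");
  const chunks = [], findings = [];
  let off = 8;
  while (off + 12 <= bytes.length) {
    const len = ((bytes[off] << 24) | (bytes[off + 1] << 16) | (bytes[off + 2] << 8) | bytes[off + 3]) >>> 0;
    if (off + 12 + len > bytes.length) { findings.push({ offset: off, reason: "truncated chunk" }); break; }
    const type = latin1(bytes.subarray(off + 4, off + 8));
    const data = bytes.subarray(off + 8, off + 8 + len);
    const crcStored = ((bytes[off + 8 + len] << 24) | (bytes[off + 9 + len] << 16) |
                       (bytes[off + 10 + len] << 8) | bytes[off + 11 + len]) >>> 0;
    const crcOk = crc32(bytes.subarray(off + 4, off + 8 + len)) === crcStored;
    chunks.push({ type, offset: off, length: len, crcOk });
    if (!crcOk) findings.push({ type, offset: off, reason: "bad CRC" });
    if (type[0] === type[0].toLowerCase()) {           // ancillary chunk
      const hit = MARKUP.find((re) => re.test(latin1(data)));
      if (hit) findings.push({ type, offset: off, reason: "markup in ancillary chunk: " + hit.source });
    }
    off += 12 + len;
  }
  return { chunks, findings };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanPng(buildPngWithText("<html><script>/* decoder placeholder */</script></html>")));
}
```

A scanner like this is cheap and catches the naive case, but it is a heuristic, not a fix: the HTML can be split across chunks, compressed into a zTXt chunk, or placed in a JPEG application segment instead, and the exploit itself lives in the pixels, not the metadata. The durable control sits on the browser side, which is the talk's argument: a resource not served as text/html should never be parsed as a document, and the HTML parser should be far less forgiving of the bytes it skips over.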

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.