Hackers of India

Stegosploit - Hacking with Pictures

By Saumil Shah on 27 Mar 2015 @ SyScan

This talk covers the technique(s) listed below:
STEGOSPLOIT

Presentation Material

Presentation

Hacking With Pictures SyScan 2015 from Saumil Shah


Abstract

“A good exploit is one that is delivered in style”. My work over the past couple of years involves exploring new and innovative means of exploit delivery. My research involves using perfectly valid images (JPG, GIF, BMP, etc.) to not only deliver exploits but also trigger them.

Stegosploit is the result of malicious exploit code hidden within the pixels of the image carrying it. The image, however, is a multi-format container, which also contains the code required to decode the steganographically encoded pixels and execute the exploit. A single file can be rendered as a perfectly valid HTML file, executed as a perfectly valid JavaScript file, and displayed as a perfectly valid image, all at the same time.

Exploit delivery therefore happens through transmission of pure images. No known means of malware detection have been able to successfully identify these images.

AI Generated Summary (may contain errors)

The speaker demonstrates a novel exploit technique that encodes malicious JavaScript code as pixels within an image file. This “polyglot” file appears to be a legitimate JPEG image but contains hidden exploit code that can be decoded and executed by a victim’s browser. The speaker showcases how this technique can be used to deliver exploits stealthily, with style, and even time-shifted, allowing payloads to be delivered in the past.

The demonstration involves loading an image that triggers a JavaScript decoder, which then executes the encoded exploit code. The entire process is designed to appear as normal image requests over the wire, making it difficult for defenders to detect.

The speaker notes that this technique has been seen in the wild and poses significant challenges for incident response and logging, as it’s unclear what data was transmitted over the wire. They also highlight the limitations of relying on file extensions, headers, and magic numbers to identify malicious files.

Finally, the speaker answers a question about using animated GIFs for multi-stage exploits, but notes that the animation aspect is only relevant when displaying the GIF, and encoded JavaScript code remains a single static blob within the file.