DeepSec Talk 2016: Inside Stegosploit – Saumil Shah

Stegosploit creates a new way to encode “drive-by” browser exploits and delivers them through image files. Using current means these payloads are undetectable. In his talk Saumil Shah discusses two broad underlying techniques used for image based exploit delivery – Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim’s browser when loaded.

This talk focusses more on the inner mechanisms of Stegosploit, implementation details and how certain browser specific obstacles were overcome.

The Stegosploit Toolkit contains the tools necessary to test image based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall be presented demonstrating the Stegosploit technique.

We interviewed Saumil Shah and asked him about his experience and motivation for giving this talk and what to expect from his presentation.

Please tell us the top 5 facts about your talk.

1. “A good exploit is one that is delivered in style”
— Saumil Shah

Stegosploit was created to demonstrate exploit delivery in style, based on the following five goals:

  • No data to be transmitted over the network except JPG or PNG files.
  • The image displayed in the browser should have no visible aberration or distortion.
  • No exploit code should be present as strings within the image file.
  • The image should decode the exploit code upon being loaded in the browser without any external user interaction.
  • Only one image shall be used for this exploit.

2. Stegosploit creates drive-by browser exploit payloads that are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim’s browser when loaded.

3. Sophisticated exploit delivery techniques are probably closer to being reality than previously estimated.

4. Data containers, e.g. images, previously presumed passive and non-offensive can now be used in practical attack scenarios.

5. This talk explores the inner workings and implementations of Stegosploit and the hurdles faced in making it all work together.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The success of a good exploit depends upon two factors – freshness and evasion. 0-day attacks work simply because there is no mitigation against them. 1-day attacks tend to get detected while in transit or at the target endpoint. A lot of work has been done in discovering new exploits and new attack techniques, but very little in exploit delivery.

As a photographer, I have had a long history of detailed image analysis, exploring image metadata and watermarking techniques to detect image plagiarism.

With my knowledge of the inner structure of images, file formats and metadata, I began experimenting with exploit delivery techniques via images. Images are always presumed passive an innocent. And they look good too! Is it possible to deliver an exploit using images and images alone?

My motivation for image based exploit delivery is simple – to study the effectiveness of image based exploit delivery for complex drive-by exploits, explore ramifications on exploit detection and evolve new mitigation techniques to combat future threats. However, my main motivation still remains delivering exploits in style, and combining them with my photography!

Why do you think this is an important topic?

“Protocol-spanning, syntax-based generalised exploit methodologies are the new black.”

I first started working on image based exploit delivery in 2010. My aim was to represent exploit code as a series of grayscale pixels. I presented this technique, dubbed “255 Shades Of Gray” in my talk at Deepsec 2012.

In 2014, Sucuri reported a browser exploit campaign that used the same “255 Shades Of Gray” exploit delivery technique employing code very similar to what I had demonstrated in 2012. Theory became practice.

I am not the only guy who has been thinking of innovative exploit delivery techniques. Others would have thought of this too, and probably been using it. However, I am the only guy talking about exploit delivery using steganography and polyglots. As an industry, have we even looked for these type of attacks?

A Stegosploit style attack would render any string or pattern based detection mechanism useless. It is time the defense strategy changes from being reactive to proactive, and actively goes about looking for the next generation of attack techniques.

Is there something you want everybody to know – Some good advice for our readers maybe?

Stegosploit exploits some fundamental weaknesses in the core philosophy of web browsers. Let me provide an example by means of an analogy. At the core, a browser is like a compiler or a code interpreter. It parses markup and renders the markup in its DOM. Markup can also contain active code. However, if we compare browsers and compilers, the behaviour is very different. Compilers are very strict about syntax. If a single semicolon is omitted, a C compiler will throw several errors and refuse to compile the code. It is clearly the developer’s problem and until the developer fixes the code syntax, the compiler will not generate any executable binary. Browsers are very lax when it comes to syntax. Browsers will readily parse broken markup.

Until browsers get strict about enforcing proper markup standards, attack techniques such as Stegosploit will continue to succeed.

A prediction for the future – What do you think will be the next innovations or future downfalls when it comes to particularly your field of expertise / the topic of your talk?

Stegosploit is a wake up call to browser vendors. It is time that browsers enforce strict standards and not be afraid to “break the web”. It is also just a matter of time that steganography and polyglot based exploit delivery become mainstream. The defense community needs to start thinking about innovative ways of detecting and defending against these attacks, rather than rely on the usual reactive method, namely “Rules, Signatures and Updates”.

saumil_shahSaumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at conferences like BlackHat, RSA, CanSecWest, 44CON,, Hack-In-The-Box, NoSuchCon, REcon and others. Saumil has been the co-developer of the wildly successful “Exploit Laboratory” courses that he teaches all over the world. He has also authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

Tags: , , , ,

Comments are closed.