messing with binary formats (live)

Messing with binary formats Ange Albertini 2013/09/13 London, England

Upload: ange-albertini

Post on 15-Jan-2015


DESCRIPTION

Live version of my slide deck. Full version http://www.slideshare.net/ange4771/messing-with-binary-formats

TRANSCRIPT

Page 1: Messing with binary formats (live)

Messing with binary formats

Ange Albertini
2013/09/13

London, England

Page 2: Messing with binary formats (live)

http://corkami.com

reverse engineering & visual documentation

Page 10: Messing with binary formats (live)

?MZ

Page 26: Messing with binary formats (live)

Structure

1. start
   ○ PE Signature
     ■ %PDF + fake obj start
     ■ HTML comment start

2. next
   ○ PE (next)
   ○ HTML
   ○ PDF (next)

3. bottom
   ○ ZIP

Page 39: Messing with binary formats (live)

%PDF*****1 0 obj<< /Size 2 /W[[]1/] /Root 1 0 R /Pages<< /Kids[<< /Contents<<>> stream BT{99 Tf{Td(Inlined PDF)' endstream >>] >>>>stream*endstreamstartxref%*******

Page 40: Messing with binary formats (live)

%PDF-1.1
1 0 obj<<% /Type /Catalog
...>>endobj

2 0 obj<<
/Type /Pages...
>>endobj

3 0 obj<<
/Type /Page/Resources <<
  /Font <</F1 <<
    /Type /Font/Subtype
    /Type1...
  >>>>
>>>>endobj

4 0 obj<< /Length 47>>stream...

xref
0 1
0000000000 65535 f
0000000010 00000 n
...

Page 42: Messing with binary formats (live)

DEMO

Page 44: Messing with binary formats (live)

10.1.4 10.1.5

Page 52: Messing with binary formats (live)

Weaknesses

● evasion
  ○ filters → exfiltration
  ○ same origin policy
  ○ detection
    ■ ex: clean PE but malicious PDF/HTML/...
    ■ exhaust checks
    ■ pretend to be corrupt

● DoS


Page 54: Messing with binary formats (live)

Conclusion

● type confusion is bad
  ○ succinct docs too
  ○ lazy software as well

● go beyond the specs
  ○ Adobe: good

● suggestions
  ○ more extension checks
  ○ isolate downloaded files
  ○ enforce magic signature at offset 0
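The last suggestion, enforcing the magic signature at offset 0, can be turned into a detection check: only the format whose magic sits at offset 0 is the file's type, and any other format signature found elsewhere in the file is a polyglot indicator (the "clean PE but malicious PDF/HTML" case from the Weaknesses slide). This is an added Python example, not code from the deck; the signature table is an assumption, and the sample file is constructed here in the layout of the Structure slide (PE at the start, PDF header and HTML comment start next, ZIP at the bottom), not a real working polyglot.

```python
import re

# Format signatures searched anywhere in the file (assumed set, not from the
# slides). "MZ" is only two bytes, so PE is checked at offset 0 only.
PATTERNS = {
    "PDF": rb"%PDF-",
    "HTML": rb"<!--|<html",
    "ZIP": rb"PK\x03\x04|PK\x05\x06",   # local file header or end-of-central-dir
}


def build_sample() -> bytes:
    """Constructed sample following the deck's Structure slide."""
    head = b"MZ" + b"\x00" * 62                     # PE signature at offset 0
    head += b"%PDF-1.1\n1 0 obj<<\n"                # %PDF + fake obj start
    head += b"<!--\n"                               # HTML comment start
    body = b"\x00" * 256 + b"-->\n<html>hi</html>\n"  # HTML part
    body += b"endobj\n%%EOF\n"                      # PDF part
    tail = b"PK\x05\x06" + b"\x00" * 18             # ZIP end-of-central-directory
    return head + body + tail


def scan(data: bytes) -> dict:
    """Return {format: [offsets]} for every signature found."""
    found = {}
    if data[:2] == b"MZ":
        found["PE"] = [0]
    for name, pattern in PATTERNS.items():
        offsets = [m.start() for m in re.finditer(pattern, data)]
        if offsets:
            found[name] = offsets
    return found


def verdict(data: bytes) -> dict:
    """Strict typing: the format at offset 0 is primary; anything else is suspect."""
    found = scan(data)
    primary = next((n for n, offs in found.items() if offs[0] == 0), None)
    secondary = sorted(n for n in found if n != primary)
    return {"primary": primary, "secondary": secondary, "suspect": bool(secondary)}


if __name__ == "__main__":
    print(verdict(build_sample()))
```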

Page 55: Messing with binary formats (live)

Questions ?

thank YOU !

Page 57: Messing with binary formats (live)

Bonus
