Date posted: 15-Jan-2015
Category: Technology
Uploaded by: ange-albertini
Messing with binary formats
Ange Albertini, 2013/09/13
London, England
http://corkami.com
reverse engineering & visual documentations
?MZ
Structure
1. start
  ○ PE signature
    ■ %PDF + fake obj start
    ■ HTML comment start
2. next
  ○ PE (next)
  ○ HTML
  ○ PDF (next)
3. bottom
  ○ ZIP
%PDF*****
1 0 obj<< /Size 2 /W[[]1/] /Root 1 0 R /Pages<< /Kids[<< /Contents<<>> stream BT{99 Tf{Td(Inlined PDF)' endstream >>] >>>>
stream*endstream
startxref%*******
%PDF-1.1
1 0 obj<<
/Type /Catalog
...>>endobj
2 0 obj<<
/Type /Pages...
>>endobj
3 0 obj<<
/Type /Page
/Resources <<
/Font <</F1 <<
/Type /Font
/Subtype /Type1...
>>>>
>>>>endobj
4 0 obj<< /Length 47>>stream...
xref
0 1
0000000000 65535 f
0000000010 00000 n...
DEMO
10.1.4 10.1.5
Weaknesses
● evasion
  ○ filters → exfiltration
  ○ same origin policy
  ○ detection
    ■ ex: clean PE but malicious PDF/HTML/...
    ■ exhaust checks
    ■ pretend to be corrupt
● DoS
Conclusion
● type confusion is bad
  ○ succinct docs too
  ○ lazy software as well
● go beyond the specs
  ○ Adobe: good
● suggestions
  ○ more extension checks
  ○ isolate downloaded files
  ○ enforce magic signature at offset 0
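Added example (not from the slides): a small Python checker that applies the last two suggestions to a downloaded file, demanding the expected magic at offset 0 for the extension and flagging a polyglot when more than one format signature sits where a lenient parser would accept it (MZ at 0, %PDF inside the first 1 KiB, an HTML comment start, a ZIP end-of-central-directory record near the tail). The extension-to-magic table, the tolerance windows and the sample buffer are constructed assumptions for the example.

```python
from __future__ import annotations

# Magic a strict loader would demand at offset 0 for each extension
# (assumed mapping for this example; extend to taste).
MAGIC_AT_ZERO = {"exe": b"MZ", "dll": b"MZ", "pdf": b"%PDF", "zip": b"PK\x03\x04"}

def find_signatures(data: bytes) -> dict[str, int]:
    """Locate every signature a lenient parser could latch onto, with its offset."""
    found = {}
    if data[:2] == b"MZ":                         # PE loaders only look at offset 0
        found["PE"] = 0
    i = data[:1024].find(b"%PDF")                 # PDF readers accept %PDF within the first 1 KiB
    if i >= 0:
        found["PDF"] = i
    k = data[:1024].find(b"<!--")                 # HTML comment start hides the other headers
    if k >= 0:
        found["HTML"] = k
    # ZIP is parsed from the end: the end-of-central-directory record sits in the last 64 KiB
    j = data.rfind(b"PK\x05\x06", max(0, len(data) - 65557))
    if j >= 0:
        found["ZIP"] = j
    return found

def check_file(name: str, data: bytes) -> list[str]:
    """Two checks: magic at offset 0 must match the extension, and no second
    format may be reachable from elsewhere in the file."""
    problems = []
    ext = name.rsplit(".", 1)[-1].lower()
    expected = MAGIC_AT_ZERO.get(ext)
    if expected is not None and not data.startswith(expected):
        problems.append(f"magic at offset 0 does not match .{ext}")
    sigs = find_signatures(data)
    if len(sigs) > 1:
        order = sorted(sigs.items(), key=lambda kv: kv[1])
        problems.append("polyglot: " + ", ".join(f"{fmt}@{off}" for fmt, off in order))
    return problems

def build_sample() -> bytes:
    """Constructed polyglot-shaped buffer laid out like the slide's structure.
    It is not a working program, document or archive, only the signatures."""
    head = b"MZ" + b"\x00" * 62                                  # PE signature at offset 0
    pdf = b"%PDF-1.1\n1 0 obj<</Type/Catalog>>endobj\n"          # fake obj start at offset 64
    html = b"<!-- hidden -->\n"                                  # HTML comment start at 104
    eocd = b"PK\x05\x06" + b"\x00" * 18                          # ZIP record at the bottom (128)
    return head + pdf + html + b"\x00" * 8 + eocd

if __name__ == "__main__":
    for name in ("tool.exe", "report.pdf"):
        print(name, check_file(name, build_sample()))
```

Renaming the same bytes from .exe to .pdf trips the offset-0 check, while the polyglot check fires for either name.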
Questions?
thank YOU!
Bonus