messing with binary formats (live)

Post on 15-Jan-2015


Category: Technology


DESCRIPTION

Live version of my slide deck. Full version http://www.slideshare.net/ange4771/messing-with-binary-formats

TRANSCRIPT

Messing with binary formats

Ange Albertini, 2013/09/13

London, England

http://corkami.com

reverse engineering & visual documentation

?MZ

Structure

1. start
   ○ PE Signature
     ■ %PDF + fake obj start
     ■ HTML comment start
2. next
   ○ PE (next)
   ○ HTML
   ○ PDF (next)
3. bottom
   ○ ZIP

%PDF*****1 0 obj<< /Size 2 /W[[]1/] /Root 1 0 R /Pages<< /Kids[<< /Contents<<>> stream BT{99 Tf{Td(Inlined PDF)' endstream >>] >>>>stream*endstreamstartxref%*******

%PDF-1.1
1 0 obj
<<
  /Type /Catalog
  ...
>>
endobj
2 0 obj
<<
  /Type /Pages
  ...
>>
endobj
3 0 obj
<<
  /Type /Page
  /Resources <<
    /Font << /F1 <<
      /Type /Font
      /Subtype /Type1
      ...
    >> >>
  >>
>>
endobj
4 0 obj
<< /Length 47 >>
stream
...
xref
0 1
0000000000 65535 f
0000000010 00000 n
...

DEMO

10.1.4 10.1.5

Weaknesses

● evasion
  ○ filters → exfiltration
  ○ same origin policy
  ○ detection
    ■ ex: clean PE but malicious PDF/HTML/...
    ■ exhaust checks
    ■ pretend to be corrupt
● DoS

Conclusion


● type confusion is bad
  ○ succinct docs too
  ○ lazy software as well
● go beyond the specs
  ○ Adobe: good
● suggestions
  ○ more extension checks
  ○ isolate downloaded files
  ○ enforce magic signature at offset 0
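The "Weaknesses" slide describes the evasion risk (a file that is a clean PE to one checker but a PDF or HTML document to another consumer), and the "Conclusion" slide proposes enforcing the magic signature at offset 0. The script below is an added example, not code from the deck or from corkami: it scans a blob for every PE/PDF/HTML/ZIP marker, reports which formats a lenient consumer would accept, flags the blob as a polyglot when more than one would, and applies the strict rule (magic at offset 0 must agree with the extension). The 1024-byte window for a late %PDF header and the "<html" sniffing rule are assumptions about lenient readers; the sample bytes are constructed to follow the "start / next / bottom" layout from the "Structure" slide.

```python
"""Polyglot detection and magic-at-offset-0 enforcement.

Added example for the talk's "Weaknesses" and "Conclusion" slides; not
code from the deck or from corkami. The signature bytes are the standard
PE/PDF/HTML/ZIP markers; PDF_WINDOW (1024) and the "<html" sniffing rule
are assumptions standing in for what lenient readers tolerate.
"""
import struct

# Markers a lenient parser will latch onto, in scan order.
SEARCH_MAGIC = {
    "PE":   b"MZ",
    "PDF":  b"%PDF-",
    "HTML": b"<!--",
    "ZIP":  b"PK\x03\x04",
}
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record
PDF_WINDOW = 1024                 # assumption: %PDF accepted within 1 KiB

# Strict expectation: one format, identified by its magic at offset 0.
# HTML has no real magic, so it is deliberately absent here.
STRICT_MAGIC = {"PE": b"MZ", "PDF": b"%PDF-", "ZIP": b"PK\x03\x04"}
EXT_TO_FORMAT = {".exe": "PE", ".dll": "PE", ".pdf": "PDF", ".zip": "ZIP"}


def find_signatures(data: bytes) -> dict:
    """Map each format to every offset where its marker occurs."""
    hits = {}
    for name, magic in SEARCH_MAGIC.items():
        start, offsets = 0, []
        while (i := data.find(magic, start)) != -1:
            offsets.append(i)
            start = i + 1
        if offsets:
            hits[name] = offsets
    # A ZIP appended at the bottom is located by its EOCD record at the tail.
    if (eocd := data.rfind(ZIP_EOCD)) != -1:
        hits.setdefault("ZIP", []).append(eocd)
    return hits


def looks_like_pe(data: bytes) -> bool:
    """MZ at 0 and a PE\\0\\0 signature at e_lfanew (the DWORD at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def lenient_formats(data: bytes) -> list:
    """Formats a tolerant consumer would accept this blob as."""
    accepted = []
    if looks_like_pe(data):
        accepted.append("PE")
    pdf_at = data.find(b"%PDF-")
    if pdf_at != -1 and pdf_at < PDF_WINDOW:
        accepted.append("PDF")
    if b"<html" in data.lower():          # assumption: browser-style sniffing
        accepted.append("HTML")
    if ZIP_EOCD in data:                  # ZIP is parsed from the end
        accepted.append("ZIP")
    return accepted


def is_polyglot(data: bytes) -> bool:
    """True when more than one consumer would happily parse the same bytes."""
    return len(lenient_formats(data)) > 1


def strict_type(data: bytes):
    """The one format whose magic sits at offset 0, or None."""
    for name, magic in STRICT_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def extension_matches(data: bytes, ext: str) -> bool:
    """Enforce 'magic at offset 0 agrees with the extension'."""
    expected = EXT_TO_FORMAT.get(ext.lower())
    return expected is not None and strict_type(data) == expected


# Constructed sample: a PE-shaped header followed by PDF, HTML and ZIP
# fragments, laid out like the "start / next / bottom" slide.
SAMPLE = (
    b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    + b"%PDF-1.1\n1 0 obj<<>>endobj\n"
    + b"<!-- comment --><html></html>\n"
    + b"PK\x03\x04" + b"\0" * 26 + b"PK\x05\x06" + b"\0" * 18
)

if __name__ == "__main__":
    print("signatures:", find_signatures(SAMPLE))
    print("lenient   :", lenient_formats(SAMPLE))
    print("strict    :", strict_type(SAMPLE), "| polyglot:", is_polyglot(SAMPLE))
    print(".pdf ok?  :", extension_matches(SAMPLE, ".pdf"))
```

The two views disagree on purpose: lenient_formats shows why one blob can pass a PE-only filter yet open as a PDF or HTML page elsewhere, while strict_type gives a gateway a single answer it can compare against the extension. A scanner that wants the "exhaust checks" and "pretend to be corrupt" cases from the slide covered should treat any blob where find_signatures reports more than one format, or where strict_type disagrees with the declared extension, as suspicious rather than merely unparseable.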

Questions?

thank YOU!

Bonus
