Stegosploit: Owned By A JPG

November 6, 2015 by Elliot Williams 34 Comments

We’re primarily hardware hackers, but every once in a while we see a software hack that really tickles our fancy. One such hack is Stegosploit, by [Saumil Shah]. Stegosploit isn’t really an exploit, so much as it’s a means of delivering exploits to browsers by hiding them in pictures. Why? Because nobody expects a picture to contain executable code.

[Saumil] starts off by packing the real exploit code into an image. He demonstrates that you can do this directly, by encoding characters of the code in the color values of the pixels. But that would look strange, so instead the code is delivered steganographically by spreading the bits of the characters that represent the code among the least-significant bits in either a JPG or PNG image.

OK, so the exploit code is hidden in the picture. Reading it out is actually simple: the HTML canvas element has a built-in getImageData() method that reads the (numeric) value of a given pixel. A little bit of JavaScript later, and you’ve reconstructed your code from the image. This is sneaky because there’s exploit code that’s now runnable in your browser, but your anti-virus software won’t see it because it wasn’t ever written out — it was in the image and reconstructed on the fly by innocuous-looking “normal” JavaScript.

And here’s the coup de grâce. By packing HTML and JavaScript into the header data of the image file, you can end up with a valid image (JPG or PNG) file that will nonetheless be interpreted as HTML by a browser. The simplest way to do this is send your file myPic.JPG from the webserver with a Content-Type: text/html HTTP header. Even though it’s a totally valid image file, with an image file extension, a browser will treat it as HTML, render the page and run the script it finds within.

The end result of this is a single image that the browser thinks is HTML with JavaScript inside it, which displays the image in question and at the same time unpacks the exploit code that’s hidden in the shadows of the image and runs that as well. You’re owned by a single image file! And everything looks normal.

We like this because it combines two sweet tricks in one hack: steganography to deliver the exploit code, and “polyglot” files that can be read two ways, depending on which application is doing the reading. A quick tag-search of Hackaday will dig up a lot on steganography here, but polyglot files are a relatively new hack.

[Ange Ablertini] is the undisputed master of packing one file type inside another, so if you want to get into the nitty-gritty of [Ange]’s style of “polyglot” file types, watch his talk on “Funky File Formats” (YouTube). You’ll never look at a ZIP file the same again.

Sweet hack, right? Who says the hardware guys get to have all the fun?

Random Parcel Launches Steganographic Compulsion

October 16, 2015 by Mike Szczys 49 Comments

A mysterious CD arrives in the mail with a weird handwritten code on it. What should you do? Put it in the computer and play the thing, of course!

Some might be screaming at their screens right now… this is how modern horror films start and before you know it the undead are lurking behind you waiting to strike. Seasonal thrills aside, this is turning into an involved community effort to solve the puzzle. [Johny] published the video and posted a thread on reddit.

We ran a similar augmented reality game to launch the 2014 Hackaday Prize solved by a dedicated group of hackers. It’s really hard to design puzzles that won’t be immediately solved but can eventually be solved with technology and a few mental leaps. When we come across one of these extremely clever puzzles, we take note.

This has all the hallmarks of a good time. The audio spectrogram shows hidden data embedded in the file — a technique known as steganography. There are some real contortions to make meaning from this. When you’re looking for a solution any little hit of a pattern feels like you’ve found something. But searching for the decrypted string yields a YouTube video with the same name; we wonder if they’ve tried to recover steganographic data from that source?

[Johny] mentions that this parcel was unsolicited and that people have suggested it’s a threat or something non-sensical in its entirety. We’re hoping it’s a publicity stunt and we’re all disappointed in the end, because solving the thing is the best part and publicity wouldn’t work if there was no solution.

The bright minds of the Hackaday community should be the ones who actually solve this. So get to work and let us know what you figure out!

Transfer Data Via YouTube

August 23, 2015 by Al Williams 31 Comments

The original steganography technique dates back to 440 BC (according to Wikipedia) when a Greek wrote secret messages on a piece of wood, covered it in wax, and then wrote innocent text on the wax. The term, in general, means hiding a message in something that looks harmless. The LVDO project (and a recent Windows fork) says it is steganography, but we aren’t quite sure it meets the definition. What it does is converts data into a video that you can transfer like any other video. A receiver that knows what LVDO parameters you used to create the video can extract the data (although, apparently, the reproduction is not always completely error-free).

The reason we aren’t sure if this really counts as steganography is that–judging from the example YouTube video (which is not encoded)–the output video looks like snow. It uses a discrete cosine transform to produce patterns. If you are the secret police, you might not know what the message says, but you certainly know it must be something. We’d be more interested in something that encodes data in funny cat videos, for example.

Continue reading “Transfer Data Via YouTube” →

Encoding Data In Packet Delays

May 28, 2015 by Eric Evenchick 25 Comments

If you’ve ever been to a capture the flag hacking competition (CTF), you’ve probably seen some steganography challenges. Steganography is the art of concealing data in plain sight. Tools including secret inks that are only visible under certain light have been used for this purpose in the past. A modern steganography challenge will typically require you to find a “flag” hidden within an image or file.

[Anfractuosus] came up with a method of hiding packets within a stream of network traffic. ‘Timeshifter’ encodes data as delays between packets. Depending on the length of the delay, each packet is interpreted as a one or zero.

To do this, a C program uses libnetfilter_queue to get access to packets. The user sets up a network rule using iptables, which forwards traffic to the Timeshifter program. This is then used to send and receive data.

All the code is provided, and it makes for a good example if you’ve ever wanted to play around with low-level networking on Linux. If you’re interested in steganography, or CTFs in general, check out this great resource.

Images Carrying An Encrypted Data Payload

March 31, 2013 by Mike Szczys 28 Comments

encrypted-data-image

This is a tidy looking banner image. But according to [Ian] it contains 52KB of source code. You can’t just read out all of that data. Well, you can but it will be gibberish. Before hiding the bits in plain sight he encrypted them with two different keys.

He’s using AES-256 encryption to keep his data away from prying eyes. But if that wasn’t enough, he also wrote a PHP program to hide the bits in a PNG image. Not just any picture will do (otherwise your eye will be able to see something’s awry). The post linked above focuses mainly on how to choose an image that will hide your data most easily. We asked him if he would share his techniques for actually merging the encrypted file with the picture and he delivered. Head on over to his repository if you want to take a look at the generator code.

Steganography In Xkcd Comics Without The Img Alt Tag

March 10, 2012 by Brian Benchoff 28 Comments

Inspired by a recent Hackaday post [austin] decided to try his hand at steganography. Steganography, or ‘concealed writing’ has come a long way from ancient Greek slaves/couriers shaving their head, tattooing a message on their scalp, and regrowing their hair. We recently saw a music file masquerading as a picture of a kitten, but that method of hiding data required running a Ruby script. [austin] thought steganography would be a great way to hone his JavaScript skills, so he made an image encoder and decoder purely in JS and HTML.

Like the previous incarnation, [austin]’s work takes a regular .PNG image file and hides stuff in the pixel data. A few of the lower bits for each pixel are modified (three bits from the red and blue, two bits from the green – a good choice, the human eye is very sensitive to green) and a file is embedded inside the .PNG image.

For an example, [austin] embedded some stuff inside the xkcd comic underneath this post’s title. Even though the image is mostly white, we can’t see anything wrong with the colors. If you’d like to decode the message, [austin] put his encoder and decoder up on github. Feel free to take a shot at it.

This Image Contains A Hidden Audio Track

February 27, 2012 by Mike Szczys 60 Comments

This image contains a hidden audio track which you’re very familiar with. Well, it used to. We’d bet we messed up the careful encoding that [Chris McKenzie] used to hide data within an image when we resized the original.

He’s using a method called Steganography to hide a message in plain sight. Since digital images use millions of colors, you can mess with that color data just a bit and the eye will not really be able to pick up any difference. Each pixel has had the eight least significant bits swapped out for the data [Chris] is hiding. Since the image uses 24-bit color, the largest possible change (going from 0 to 255) in those bottom eight bits will only result in a color change of about 0.15%. And that’s only for one pixel; in most cases the change will be much less.

He shows his work, both decoding and encoding using Ruby, and even provides a one-liner which lets you playback the audio without downloading anything (just make sure you’ve got all of the dependencies installed). Never gonna give, you, up…

[via Reddit]