#============================================================#
#             Stegosploit Presentation Summary               #
#============================================================#

Steganography: Hiding a secret message in plain sight.
Cryptography: Hiding the meaning of the message.

Difference between them: Encoding to ciphertext vs camouflaging plaintext.

#============================================================#

Polyglot: Having 2 or more data formats within a single container without them breaking each others syntax.
More specifically, ensuring that a script can compile in multiple languages.

#============================================================#

Stegosploit is the combination of steganography and ployglots, hide exploit code in image
and have it be a picture but be also able to run as code (run the exploit!). 

Stegosploit is a way to _deliver_ web browser exploits using pictures. 
    - Not an exploit, XSS attack, or webshell
    - Not maniuplation of EXIF data
    
#============================================================#

Stegosploit goals:
1. Only the picture is sent over the network. No extra data so you are not caught over the network.
2. Picure looks "normal". No deformity or distortion; don't let victim get suspicious to not load image
3. Make sure that exploit code is not seen as a string in the image file. 
   image file with notepad, won't see exploit code as string.
4. Image decodes itself and executes the exploit without any user interaction

#============================================================#

Main difference between: 
<script src=> Sees and interprets jpg as _code_.
<img src=> Sees and interprets jpg as _pixels_.

#============================================================#

An image is essentially an array of pixels. Each pixel can have three colour channels - red, green and blue. 
Each channel is represented by an 8-bit value, which provides 256 discrete levels of colour. A black and white 
image uses the same values for R, G and B channels for each pixel. We can use the fact that each pixel can hold
256 bits of data as a way to encode our exploit into the picture. We just a need a decoder to read the pixels 
afterwards.

#============================================================#

Pictures are composed of 8 bit layers (from 0 - 7)

Bit layer 7 has more shape but little detail
...
From bit layer 7 to bit layer 0, detail increases, shape decreases.
...
Bit layer 0 has more detail but little shape

Also more noise, texture, shading in lower bit layers.

Use this to our advantage and encode some exploit code into one of the
layers (preferably bit layer 0 - 3) since it won't affect the picture too much.

May be difficult to encode on bit layer 0 since a lot of noise to take into account.

#============================================================#

Encode our exploit code into the picture by converting it into a bitstream.
Take the bitstream and overwrite the pixels in one of the bit layers. This is 
the steganographic part of Stegosploit, camouflaging the exploit code in plain
sight. 

#============================================================#

Lossless encoding: Pixels are saved 1 to 1 so all stay intact. Compare original with
lossless compression picture, they will be _exactly the same_. This means that we only
need to encode our exploit _once_ into the picture. PNGs use this encoding. 

Lossy compression: Pixels are approximated to their nearest neighbour. Compare original
with lossy compression picture, they will be _different_. This means that we need to 
encode our exploit _more than once_ into the picture. JPGs use this encoding.

The solution to this is to use iterative encoding to accommodate for lossy compression.
Keep encodind until our exploit code is not affected by the nearest neighbour approximation.

#============================================================#

We use HTML5 Canvas as a way to read the pixel data and convert the picture into bits without 
having to use an external library. This is important because the victim or target browser does
not need any extra things (download .exe, have specific browser settings, etc) in order to 
decode and run our Stegosploit. 

#============================================================#

IMAJS is trying to combine data formats that are loaded and parsed by browsers. 
The end result was IMAJS, a successful polyglot of a GIF image and Javascript.
Use this as our way of completing the Stegosploit.

#============================================================#

PNG / JPG headers is the way to fit our decoder code into the image. Simply edit the length
portion of the header (APP0) and fill it with your decoder code. The remaining space will be filled
with random data and empty bits. This will be the polyglot portion of the Stegosploit; being
able to run decoder code and execute exploit code that was hidden with steganography. 

#============================================================#

3 ways in reaching the target browser using Stegosploit:
1. Host image in attacker controlled web server and send direct link
2. Host entire exploit on a URL shortener
3. Upload image on 3rd party websites and have direct links to them

#============================================================#

Difficult to use Spegosploit as of right now due to the current implementation:
1. Different browsers read images differently; Stegosploit not scalable
2. Target websties need to allow images to be uploaded by users
3. Target website does not corrupt the exploit data inside the image
4. Target website loads uncorrupted image that was uploaded by attacker

#============================================================#

Stegosploit is difficult to detect since it's a new vector for attacking. 
Anti-viruses need to look at images / videos outside of the normal means of detection
Stegoploit can't be patched since it does not exploit any bugs from any libraries

Best way to stop Stegosploit as a developer is to simply re-encode the image to damage or corrupt 
any steganographic content within. Similarly, change file formats JPG -> PNG -> JPG 

Resize the image to do the same thing as above.

If we know the original size of the image, check the file size. If the file is larger
then we know that there may be some Stegosploit involved, be careful.

#============================================================#

Best way to stop Stegosploit is for W3C to be strict like compilers. Reject if code is 
malformed or invalid, don't ignore and continue.

Browsers need to reject things that do not follow strict standards.

As a user, avoid going to unsecure websites and have an updated browser with MIME
type checking.