Injecting xss or shell in picture(jpeg or etc) works very nice.I made my small childish lab last night and was tring to actually injecting a virus(.exe) in a picture and then hosted it.So when I tested on me,it did not infect me..is it possible actually to small .exe servers in pics...


I know it's Unethical,just for knowledge purpose.Hope you understand.

I just want to know,is it possible for an exe format to act like a mp3..?Only binding won't work here..please help

Thanks for the link Negrita!  It looks like a cool site.

Thans for the link.

But it's more of steganography,steg will only hide the data,but it won't be executed..??

Most of the stuff I've seen revolves around buffer overflows that occur when images(GIF, ANI, etc) are processed and shellcode is tacked on. I believe with the onload function in javascript and probably activeX as well, you can have whatever you want executed when the image is loaded on the page.

Oneeyedcarmen,

thanks for the link, I haven't come across that attack vector before. Unfortunately it sounds fairly promising (one more reason to disable javascript, thank you NoScript).

Was anyone at this talk @ Blackhat? more technical information regarding the vector would be good.

Here is a link from one of the presenters with some information about it.

http://blogs.zdnet.com/security/?p=1666