How To Hide Your Browser 0-days: Free Offense And Defense Tips Included presented at deepsec 2017

by Zoltan Balazs,

Summary : Zero-day exploits targeting browsers are usually very short-lived. These zero-days are actively gathered and analyzed by security researchers. Whenever a new 0-day becomes known by the security industry, protections against the exploit are shared, AV/IDS signatures made, patches deployed, and the precious 0-day loses its value.
For example, when Ahmed Mansoor was targeted by an iOS 0-day exploit (August 2016). the Citizen Lab analyzed the 0-day exploit, and Apple patched the vulnerability within days ( Whoever targeted Mansoor, lost a precious 0-day exploit worth hundreds of thousands of dollars.
In my research, I propose a solution for law enforcement, 0-day brokers, and advanced attackers to protect their browser exploits. The key step is to establish a key agreement between the exploit server and the victim browser. After a shared key is set up, attackers can encrypt the real exploit with AES. It is recommended to encrypt both the code to trigger the exploit, and the shellcode. This idea was first published by me (, and quickly adopted by exploit kit developers in-the-wild.
During my presentation, I will propose solutions for defenders to analyze these attacks, countermeasures for attackers to further complicate this kind of analysis and release a POC Ruby code which can be integrated into Metasploit. So far, no encrypted browser exploit delivery code is available in the public to test or implement these attacks.
In addition to protecting the 0-day exploits from analysis, my proposed solution is also able to stay under the radar in IDS systems or Next Generation IDS systems (a.k.a. breach detection systems, APT detection systems). This is aligned with the trend that perimeter security is becoming less effective due to mobile devices and the increasing number of encrypted channels.