I have been working on browser exploit delivery using steganographic techniques for the past 5 years. I have spoken about some of these techniques at several conferences around the world. This past year, I had a few breakthroughs combining steganography with file format polyglots. The goal of Stegosploit was to demonstrate my motto: "A good exploit is one that is delivered in style". I demonstrated this technique at Hack In The Box 2015 Amsterdam, on 28th May 2015. I "painted" an exploit on the face of my good friend Kevin McPeake, as a demonstration of browser exploit delivery via images. In my slide deck, I made it very clear that Stegosploit was not an exploit (although it has a cute logo associated with it) - see slide 7.
I presented private demonstrations to reporters from iDigitalTimes and Vice Motherboard, who did a very thorough job in fact checking and representing the research as accurately as possible in a media article.
And then, something happened. Reddit and Twitter exploded with several scathing commentaries on my work. The backlash was caused by commenters who were not present during my presentation, had not seen any demo, and had not even bothered to research the technical details that I presented. Instead, these were just conjectures and inferences derived from my older presentations at SyScan 2015 and HITB 2013 - techniques that are at best described as precursors to what Stegosploit actually is.
Rather than speculate on the merits or demerits of the technique and competency of my work and research, I leave you to read this detailed paper about Stegosploit in Issue 0x08 of PoC||GTFO, the only befitting journal for publishing research of this kind!
Along with the paper, I have also released the Stegosploit v0.2 toolkit, which is packaged as a PNG image within the issue itself. It is an interesting exercise to extract the tools, and for those of you who do, it gives you a better appreciation of this kind of research. Hint: "unzip pocorgtfo08.pdf".
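As an added illustration of the PDF/ZIP polyglot that the hint refers to (example code written for this page, not part of the original post or of the Stegosploit toolkit), the following Python checks whether a byte string parses both as a PDF and as a ZIP archive and lists any archive entries that start with the PNG signature. The sample it builds is a constructed stand-in, not the real issue file, and the entry names are invented.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_EOCD = b"PK\x05\x06"                 # ZIP end-of-central-directory signature
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_sample_polyglot() -> bytes:
    """Constructed sample: a minimal PDF-looking prefix followed by a ZIP
    archive whose first entry carries a fake PNG header. Entry names are
    invented for the example; this is not the real pocorgtfo08.pdf."""
    pdf_part = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
                b"1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("toolkit.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("README.txt", b"constructed sample entry\n")
    return pdf_part + buf.getvalue()


def inspect_polyglot(data: bytes) -> dict:
    """Report whether data starts as a PDF and also parses as a ZIP, and
    which ZIP entries begin with the PNG signature. Python's zipfile
    locates the central directory from the end of the file, so data
    prepended before the archive (here, the PDF) does not stop parsing."""
    result = {
        "is_pdf": data.startswith(PDF_MAGIC),
        "has_zip_eocd": ZIP_EOCD in data,
        "zip_entries": [],
        "png_entries": [],
    }
    if not result["has_zip_eocd"]:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                result["zip_entries"].append(info.filename)
                with zf.open(info) as fh:
                    if fh.read(len(PNG_MAGIC)) == PNG_MAGIC:
                        result["png_entries"].append(info.filename)
    except zipfile.BadZipFile:
        pass  # EOCD bytes present but no valid archive: not a ZIP polyglot
    return result


if __name__ == "__main__":
    print(inspect_polyglot(build_sample_polyglot()))
```

A file that is both `is_pdf` and has non-empty `zip_entries` is exactly the kind of polyglot that "unzip" extracts from; the same check applies unchanged to on-disk files read in binary mode.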
Oliver Söhlke published a very well written interview in Vulnerability Magazine clarifying my position and purpose of Stegosploit, while documenting the effects of Stegosploit on evading detection.
In the end, I do want to publicly appreciate the fact that the author of the article published in The Medium was honest enough to revise his mistake.
I am looking forward to his new article on the topic.
My parting piece of advice to those interested in analyzing or dissecting an infosec research topic - when in doubt, please ask the researcher, instead of kicking off a troll-fest. We would be happy to help you with your fact checking and correct any mistaken assumptions. We play nice.