Nytro Posted August 8, 2014 Report Share Posted August 8, 2014 Shellcode Detection and Emulation with LibemuIntroduction Libemu is a library which can be used for x86 emulation and shellcode detection. Libemu can be used in IDS/IPS/Honeypot systems for emulating the x86 shellcode, which can be further processed to detect malicious behavior. It can also be used together with Wireshark to pull shellcode off the wire to be analyzed, analyze shellcode inside malicous .rtf/.pdf documents, etc. It has a lot of use-cases and is used in numerous open-source projects like dionaea, thug, peepdf, pyew, etc., and it plays an integral part in shellcode analysis. Libemu can detect and execute shellcode by using the GetPC heuristics, as we will see later in the article. The very first thing we can do is download Libemu via Git with the following command: [TABLE][TR][TD=class: gutter]1[/TD][TD=class: code]# git clone git://git.carnivore.it/libemu.git[/TD][/TR][/TABLE] If we would like to know how much code has been written for this project, we can simply execute sloccount, which will output the number of lines for each subdirectory and a total of 43,742 AnsiC code lines and 15 Python code lines. If we would rather take a look at nice graphs, we can visit the Ohloh web page to see something like below, where it’s evident that about 50k lines of code has been written. The installation instructions can be found at [1], which is why we won’t describe them in this article. We can also install the Pylibemu, so we can interact with Libemu directly from Python. Creating the Shellcode Let’s create a simple text case with Metasploit to see how Libemu works. First, we have to create a shellcode with msfpayload, which is a command-line tool specifically built to generate and output various versions of shellcode. Let’s first present all Linux payloads by grepping for the “linux” keyword through msfpayload command output.# msfpayload -l 2>&1 | grep linuxlinux/armle/adduser Create a new user with UID 0linux/armle/exec Execute an arbitrary commandlinux/armle/shell/bind_tcp Listen for a connection, dup2 socket in r12, then execvelinux/armle/shell/reverse_tcp Connect back to the attacker, dup2 socket in r12, then execvelinux/armle/shell_bind_tcp Connect to target and spawn a command shelllinux/armle/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/mipsbe/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/mipsle/shell_bind_tcp Listen for a connection and spawn a command shelllinux/mipsle/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/ppc/shell_bind_tcp Listen for a connection and spawn a command shelllinux/ppc/shell_find_port Spawn a shell on an established connectionlinux/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/ppc64/shell_bind_tcp Listen for a connection and spawn a command shelllinux/ppc64/shell_find_port Spawn a shell on an established connectionlinux/ppc64/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/x86/exec Execute an arbitrary commandlinux/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)linux/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)linux/x86/shell_bind_tcp Listen for a connection and spawn a command shelllinux/x86/shell_bind_tcp_random_portlinux/x86/shell_find_port Spawn a shell on an established connectionlinux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/x86/adduser Create a new user with UID 0linux/x86/chmod Runs chmod on specified file with specified modelinux/x86/exec Execute an arbitrary commandlinux/x86/meterpreter/bind_ipv6_tcp Listen for a connection over IPv6, Staged meterpreter serverlinux/x86/meterpreter/bind_nonx_tcp Listen for a connection, Staged meterpreter serverlinux/x86/meterpreter/bind_tcp Listen for a connection, Staged meterpreter serverlinux/x86/meterpreter/find_tag Use an established connection, Staged meterpreter serverlinux/x86/meterpreter/reverse_ipv6_tcp Connect back to attacker over IPv6, Staged meterpreter serverlinux/x86/meterpreter/reverse_nonx_tcp Connect back to the attacker, Staged meterpreter serverlinux/x86/meterpreter/reverse_tcp Connect back to the attacker, Staged meterpreter serverlinux/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Servicelinux/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Servicelinux/x86/read_file Read up to 4096 bytes from the local file system and write it back out to the specified file descriptorlinux/x86/shell/bind_ipv6_tcp Listen for a connection over IPv6, Spawn a command shell (staged)linux/x86/shell/bind_nonx_tcp Listen for a connection, Spawn a command shell (staged)linux/x86/shell/bind_tcp Listen for a connection, Spawn a command shell (staged)linux/x86/shell/find_tag Use an established connection, Spawn a command shell (staged)linux/x86/shell/reverse_ipv6_tcp Connect back to attacker over IPv6, Spawn a command shell (staged)linux/x86/shell/reverse_nonx_tcp Connect back to the attacker, Spawn a command shell (staged)linux/x86/shell/reverse_tcp Connect back to the attacker, Spawn a command shell (staged)linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shelllinux/x86/shell_bind_tcp Listen for a connection and spawn a command shelllinux/x86/shell_bind_tcp_random_portlinux/x86/shell_find_port Spawn a shell on an established connectionlinux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shelllinux/x86/shell_reverse_tcp2 Connect back to attacker and spawn a command shellArticol complet: Shellcode Detection and Emulation with Libemu - InfoSec Institute Quote Link to comment Share on other sites More sharing options...
