Jump to content
Nytro

Shellcode Detection and Emulation with Libemu

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Shellcode Detection and Emulation with Libemu

Introduction

Libemu is a library which can be used for x86 emulation and shellcode detection. Libemu can be used in IDS/IPS/Honeypot systems for emulating the x86 shellcode, which can be further processed to detect malicious behavior. It can also be used together with Wireshark to pull shellcode off the wire to be analyzed, analyze shellcode inside malicous .rtf/.pdf documents, etc. It has a lot of use-cases and is used in numerous open-source projects like dionaea, thug, peepdf, pyew, etc., and it plays an integral part in shellcode analysis. Libemu can detect and execute shellcode by using the GetPC heuristics, as we will see later in the article.

The very first thing we can do is download Libemu via Git with the following command:

[TABLE]

[TR]

[TD=class: gutter]1[/TD]

[TD=class: code]# git clone git://git.carnivore.it/libemu.git

[/TD]

[/TR]

[/TABLE]

If we would like to know how much code has been written for this project, we can simply execute sloccount, which will output the number of lines for each subdirectory and a total of 43,742 AnsiC code lines and 15 Python code lines. If we would rather take a look at nice graphs, we can visit the Ohloh web page to see something like below, where it’s evident that about 50k lines of code has been written.

072914_1304_ShellcodeDe1.png

The installation instructions can be found at [1], which is why we won’t describe them in this article. We can also install the Pylibemu, so we can interact with Libemu directly from Python.

Creating the Shellcode

Let’s create a simple text case with Metasploit to see how Libemu works. First, we have to create a shellcode with msfpayload, which is a command-line tool specifically built to generate and output various versions of shellcode. Let’s first present all Linux payloads by grepping for the “linux” keyword through msfpayload command output.

# msfpayload -l 2>&1 | grep linux
linux/armle/adduser                              Create a new user with UID 0
linux/armle/exec                                 Execute an arbitrary command
linux/armle/shell/bind_tcp                       Listen for a connection, dup2 socket in r12, then execve
linux/armle/shell/reverse_tcp                    Connect back to the attacker, dup2 socket in r12, then execve
linux/armle/shell_bind_tcp                       Connect to target and spawn a command shell
linux/armle/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
linux/mipsbe/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
linux/mipsle/shell_bind_tcp                      Listen for a connection and spawn a command shell
linux/mipsle/shell_reverse_tcp                   Connect back to attacker and spawn a command shell
linux/ppc/shell_bind_tcp                         Listen for a connection and spawn a command shell
linux/ppc/shell_find_port                        Spawn a shell on an established connection
linux/ppc/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
linux/ppc64/shell_bind_tcp                       Listen for a connection and spawn a command shell
linux/ppc64/shell_find_port                      Spawn a shell on an established connection
linux/ppc64/shell_reverse_tcp                    Connect back to attacker and spawn a command shell
linux/x86/exec                                   Execute an arbitrary command
linux/x86/shell/bind_tcp                         Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/reverse_tcp                      Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell_bind_tcp                         Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port
linux/x86/shell_find_port                        Spawn a shell on an established connection
linux/x86/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
linux/x86/adduser                                Create a new user with UID 0
linux/x86/chmod                                  Runs chmod on specified file with specified mode
linux/x86/exec                                   Execute an arbitrary command
linux/x86/meterpreter/bind_ipv6_tcp              Listen for a connection over IPv6, Staged meterpreter server
linux/x86/meterpreter/bind_nonx_tcp              Listen for a connection, Staged meterpreter server
linux/x86/meterpreter/bind_tcp                   Listen for a connection, Staged meterpreter server
linux/x86/meterpreter/find_tag                   Use an established connection, Staged meterpreter server
linux/x86/meterpreter/reverse_ipv6_tcp           Connect back to attacker over IPv6, Staged meterpreter server
linux/x86/meterpreter/reverse_nonx_tcp           Connect back to the attacker, Staged meterpreter server
linux/x86/meterpreter/reverse_tcp                Connect back to the attacker, Staged meterpreter server
linux/x86/metsvc_bind_tcp                        Stub payload for interacting with a Meterpreter Service
linux/x86/metsvc_reverse_tcp                     Stub payload for interacting with a Meterpreter Service
linux/x86/read_file                              Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
linux/x86/shell/bind_ipv6_tcp                    Listen for a connection over IPv6, Spawn a command shell (staged)
linux/x86/shell/bind_nonx_tcp                    Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/bind_tcp                         Listen for a connection, Spawn a command shell (staged)
linux/x86/shell/find_tag                         Use an established connection, Spawn a command shell (staged)
linux/x86/shell/reverse_ipv6_tcp                 Connect back to attacker over IPv6, Spawn a command shell (staged)
linux/x86/shell/reverse_nonx_tcp                 Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell/reverse_tcp                      Connect back to the attacker, Spawn a command shell (staged)
linux/x86/shell_bind_ipv6_tcp                    Listen for a connection over IPv6 and spawn a command shell
linux/x86/shell_bind_tcp                         Listen for a connection and spawn a command shell
linux/x86/shell_bind_tcp_random_port
linux/x86/shell_find_port                        Spawn a shell on an established connection
linux/x86/shell_find_tag                         Spawn a shell on an established connection (proxy/nat safe)
linux/x86/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
linux/x86/shell_reverse_tcp2                     Connect back to attacker and spawn a command shell

Articol complet: Shellcode Detection and Emulation with Libemu - InfoSec Institute

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...