AlienVault R&D Labs Portal. Get the latest news from our research.
Header

Metasploit Payloads VS Libemu

October 4th, 2011 | Posted by jaime.blasco in Attacks | Blog | Code | Exploits | Python

                    

Today we will analyze the detection capabilities of libemu (http://libemu.carnivore.it/) using the Metasploit payloads.
Libemu is a small library to detect and analyze x86 shellcodes using heuristics.

We have written a small script to automatically generate Metasploit payloads and see if libemu is able to detect them. You can download it here.  You’ll need libemu compiled with the python extensions and the Metasploit’s xmlrpc interface up:

./msfrpcd -P test -U test -S -t Web

The script generates all the Metasploit payloads and then use libemu to check if it detects the shellcode. Here is the list of payloads detected by libemu:

PayloadOffset
windows/x64/meterpreter/bind_tcp-4657153
windows/meterpreter/bind_nonx_tcp4
windows/meterpreter/bind_ipv6_tcp1
windows/vncinject/bind_nonx_tcp4
windows/shell/bind_ipv6_tcp1
windows/x64/shell_bind_tcp-4657153
windows/vncinject/bind_ipv6_tcp1
windows/meterpreter/bind_tcp-4657153
windows/patchupmeterpreter/bind_ipv6_tcp1
windows/patchupmeterpreter/bind_nonx_tcp4
windows/vncinject/bind_tcp-4657153
windows/x64/shell/bind_tcp-4657153
linux/x86/adduser-4657153
linux/x86/chmod-4657153
windows/adduser-4657153
windows/shell/bind_nonx_tcp4
windows/x64/vncinject/bind_tcp-4657153
windows/patchupmeterpreter/bind_tcp-4657153
windows/shell_bind_tcp-4657153
windows/shell/bind_tcp-4657153

As we can see libemu is able to detect some of the shellcodes. The next step is to select one of the detected shellcodes and apply different encoders to see if libemu is still able to detect the shellcode.

For this purpose we select windows/x64/meterpreter/bind_tcp and apply different encoders using this script.

Results:

EncoderOffset
x64/xorno detected
x86/alpha_mixedno detected
x86/alpha_upperno detected
x86/avoid_utf8_tolowerno detected
x86/call4_dword_xor0
x86/context_cpuid0
x86/context_stat0
x86/context_time-4657153
x86/countdown0
x86/fnstenv_mov0
x86/jmp_call_additive1
x86/nonalpha-4657153
x86/shikata_ga_nai-4657153
x86/single_static_bit-4657153

So, after this study we can conclude that libemu is a trustful library to detect most of the shellcodes used nowadays.  

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

More Posts - Website

Follow Me:
TwitterLinkedIn

, , ,

You can follow any responses to this entry through the RSS 2.0 Both comments and pings are currently closed.