buffer / thug

Python low-interaction honeyclient
GNU General Public License v2.0

Can Thug not detect the "use after free" type of vulnerability page? #267

Closed abay123 closed 5 years ago

abay123 commented 5 years ago

Dear Sir: After reading some of the code, I found that Thug is essentially based on the detection of shellcode. Can Thug not detect the "use after free" type of vulnerability page? I used a few web pages of that type and Thug couldn't detect them.

Thank you very much.

buffer commented 5 years ago

Detecting stuff like this in an emulated context can be very difficult. I am not surprised this is happening. If you want to share some samples privately I would be glad to take a look at them.

abay123 commented 5 years ago

Dear sir: https://github.com/abay123/exp1/blob/master/a.html#L1 Thank you for your answer. You can get an HTML file by visiting this link. If you open it with Windows 7's IE8 browser, it will run a Notepad program, which is a UAF vulnerability exploit. When I passed this file into Docker and ran it through Thug, it didn't return useful content. Of course, if you have any good software or ideas for detecting "use after free" pages like this, I will do the research. After all, many high-interaction client honeypots have now stopped. Finally, I saw in the Google project that the project was rewritten to support Python 3.x, but only students can participate; I was very frustrated, since I graduated from college in June this year. Is there any way to join? Thank you very much!

buffer commented 5 years ago

I took a look at the sample and realized the exploit is coded in VBScript. Currently Thug does not support VBS dynamic analysis, so this is the expected result. FYI, you can build YARA signatures to detect it statically using the Thug VBSClassifier, but apart from that, detection in these cases can be very limited depending on the sample. The project still does not support Python 3 and I am working on that, but I don't know when it will finally happen. If you want to contribute to Thug development, feel free to join. I would really appreciate it!
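The static approach buffer mentions, as an added example that is not Thug's own VBSClassifier code: a small Python classifier that pulls the VBScript blocks out of an HTML page and flags indicator patterns in them, which is the kind of check a YARA signature loaded into the VBSClassifier would express. The indicator set, the `classify_vbscript` function and the sample page are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the issue's sample): one VBScript block, one JavaScript block.
SAMPLE_HTML = """<html><body>
<script language="vbscript">
Dim s
s = unescape("%u9090%u9090")
Set sh = CreateObject("WScript.Shell")
</script>
<script type="text/javascript">console.log("js only")</script>
</body></html>"""

# Static indicators commonly seen in VBScript exploit pages (assumption: illustrative set,
# not Thug's rules). Each maps a name to a regex applied to VBScript block bodies only.
INDICATORS = {
    "unicode_unescape": re.compile(r'unescape\s*\(\s*"(?:%u[0-9a-fA-F]{4}){2,}', re.I),
    "com_instantiation": re.compile(r'CreateObject\s*\(', re.I),
    "wscript_shell": re.compile(r'WScript\.Shell', re.I),
    "large_string_spray": re.compile(r'String\s*\(\s*\d{5,}\s*,', re.I),
}


class VBScriptExtractor(HTMLParser):
    """Collect the bodies of <script> blocks declared as VBScript (language= or type=)."""

    def __init__(self):
        super().__init__()
        self.in_vbs = False
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        lang = (a.get("language") or a.get("type") or "").lower()
        self.in_vbs = "vbs" in lang  # matches "vbscript" and "text/vbscript"
        if self.in_vbs:
            self.blocks.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_vbs = False

    def handle_data(self, data):
        if self.in_vbs:
            self.blocks[-1] += data  # script content arrives as raw CDATA


def classify_vbscript(html):
    """Return the number of VBScript blocks and the sorted indicator names that fired."""
    p = VBScriptExtractor()
    p.feed(html)
    hits = {name for b in p.blocks for name, rx in INDICATORS.items() if rx.search(b)}
    return {"vbscript_blocks": len(p.blocks), "indicators": sorted(hits)}
```

JavaScript blocks are deliberately ignored so that JS-only pages do not trigger the VBScript indicators; Thug's JS analysis covers those.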