Closed twmeares closed 10 years ago
Hi Taylor, first of all I would like to suggest that you subscribe to the Thug mailing lists, because these are not issues but questions about Thug, and the mailing lists are a better place to discuss these things, IMHO.
BTW, you did not choose the best exploit, considering that the MDAC exploit does not make use of any shellcode, so there is no emulation at all in this specific case. You can easily take a look at how shellcode emulation works using one of the samples already provided.
```
buffer@rigel ~/thug/src $ python thug.py -l ../samples/exploits/22196.html
[..]
[2014-08-20 10:37:52] ActiveXObject: 77829F14-D911-40FF-A2F0-D11DB8D6D0BC
[2014-08-20 10:37:52] [NCTAudioFile2 ActiveX] Overflow in SetFormatLikeSample
[2014-08-20 10:37:52] [Shellcode Profile]
UINT WINAPI WinExec (
    LPCSTR = 0x02eb2b80 => = "calc.exe";
    UINT uCmdShow = 0;
) = 0x20;
void ExitThread (
    DWORD dwExitCode = 0;
) = 0x0;
[..]
```
I subscribed to the list. Thanks for the tip. However, your response has me somewhat puzzled. As I said, I'm quite new to this. If the exploit doesn't use shellcode, what is meant by the line `[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (WScript.Shell)`?
That log line is the result of the ActiveX object emulation. Thug implements an ActiveX layer of its own (source code located at src/ActiveX) which is used to emulate some well-known vulnerabilities in some ActiveX objects through the vulnerability modules (source code located at src/ActiveX/modules). Some of these vulnerabilities make use of a shellcode but some others (like MDAC) do not require one because they are more logical errors than vulnerabilities.
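To make the "logic error, no shellcode" point above concrete, here is an added example (not Thug's own code from src/ActiveX/modules) that sketches how such an ActiveX object can be emulated: the fake RDS.DataSpace logs the ProgID passed to CreateObject and returns a stub WScript.Shell that records commands instead of running them. The class and method names, and the constructed call sequence in `emulate_sample_page`, are assumptions for illustration only.

```python
"""Illustrative emulation of a 'logic' ActiveX vulnerability (MDAC RDS.DataSpace).
Added example, not Thug's module: it records what a page would have executed."""
import logging

log = logging.getLogger("activex-emulation")


class FakeWScriptShell:
    """Emulated WScript.Shell: records commands, never executes them."""

    def __init__(self, events):
        self._events = events

    def Run(self, command, window_style=0, wait=False):
        self._events.append(("WScript.Shell.Run", command))
        log.warning("[WScript.Shell ActiveX] Run (%s)", command)
        return 0  # report success so the page's script keeps going

    def Exec(self, command):
        self._events.append(("WScript.Shell.Exec", command))
        log.warning("[WScript.Shell ActiveX] Exec (%s)", command)
        return None


class RDSDataSpace:
    """Emulated Microsoft MDAC RDS.DataSpace object.

    The real object lets script instantiate arbitrary ProgIDs via CreateObject,
    with no shellcode involved; the emulation logs the ProgID and hands back a
    stub so the page's logic can be followed to the end."""

    def __init__(self):
        self.events = []

    def CreateObject(self, progid, machine_name=""):
        self.events.append(("RDS.DataSpace.CreateObject", progid))
        log.warning("[Microsoft MDAC RDS.Dataspace ActiveX] CreateObject (%s)", progid)
        if progid.lower() == "wscript.shell":
            return FakeWScriptShell(self.events)
        return object()  # inert stub for other ProgIDs so the page does not crash


def emulate_sample_page():
    """Drive the emulation with a constructed CreateObject-then-Run sequence
    (hypothetical, resembling the ie_createobject pattern); returns the event log."""
    rds = RDSDataSpace()
    shell = rds.CreateObject("WScript.Shell")
    shell.Run("calc.exe")  # constructed sample command, never executed
    return rds.events
```

The returned event list is what a honeyclient log line such as the one quoted above is derived from: the emulation never needs a shellcode buffer, so libemu/pylibemu are not involved for this class of vulnerability.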
I've been trying to get a better grasp of Thug over the past week, but I keep getting stuck, which makes it difficult to gain a better understanding of the honeyclient. Today I've been looking into libemu and pylibemu. I can get both of these to work independently, but when I run Thug I don't really see any shellcode emulation in the output or in the log files. There aren't many resources for Thug usage online beyond the explanation of the output given by `python thug.py -h`, so maybe I'm just not looking in the right place. As an example, I used Metasploit to host a site using the ms06_014 exploit (exploit/windows/browser/ie_createobject in Metasploit) with the payload windows/shell/reverse_tcp. Thug gives the following output:
From the output it's clear that Thug shows the vulnerability is in ActiveX and that there is a shell script being executed, but I'd like to see the detailed emulation from pylibemu. However, I can't find the shellcode from the analysis, which to my knowledge is needed for the emulation, as it's done that way in the pylibemu README file. Furthermore, I tried using libemu to emulate, but it crashes saying `cpu error error accessing 0x00000004 not mapped`. This could be because I ran it with the executable given in ../applications/octet-stream. I hope this isn't overly confusing. I'm somewhat new to the world of honeyclients and malware detection, but I've been asked to experiment with and report on Thug. I have a number of other questions which I've been searching the web for, but like I said there isn't much detailed documentation of the usage. Thanks, Taylor