Today we will analyze the detection capabilities of libemu http://libemu.carnivore.it/ [no longer available] using the Metasploit payloads.
Libemu is a small library to detect and analyze x86 shellcodes using heuristics.
We have written a small script to automatically generate Metasploit payloads and see if libemu is able to detect them. You can download it here http://alienvault-labs-garage.googlecode.com/svn/trunk/metasploit/payloads.py [no longer available]. You’ll need libemu compiled with the python extensions and the Metasploit’s xmlrpc interface up:
./msfrpcd -P test -U test -S -t Web
The script generates all the Metasploit payloads and then use libemu to check if it detects the shellcode. Here is the list of payloads detected by libemu:
| Payload | Offset |
|---|---|
| windows/x64/meterpreter/bind_tcp | -4657153 |
| windows/meterpreter/bind_nonx_tcp | 4 |
| windows/meterpreter/bind_ipv6_tcp | 1 |
| windows/vncinject/bind_nonx_tcp | 4 |
| windows/shell/bind_ipv6_tcp | 1 |
| windows/x64/shell_bind_tcp | -4657153 |
| windows/vncinject/bind_ipv6_tcp | 1 |
| windows/meterpreter/bind_tcp | -4657153 |
| windows/patchupmeterpreter/bind_ipv6_tcp | 1 |
| windows/patchupmeterpreter/bind_nonx_tcp | 4 |
| windows/vncinject/bind_tcp | -4657153 |
| windows/x64/shell/bind_tcp | -4657153 |
| linux/x86/adduser | -4657153 |
| linux/x86/chmod | -4657153 |
| windows/adduser | -4657153 |
| windows/shell/bind_nonx_tcp | 4 |
| windows/x64/vncinject/bind_tcp | -4657153 |
| windows/patchupmeterpreter/bind_tcp | -4657153 |
| windows/shell_bind_tcp | -4657153 |
| windows/shell/bind_tcp | -4657153 |
As we can see libemu is able to detect some of the shellcodes. The next step is to select one of the detected shellcodes and apply different encoders to see if libemu is still able to detect the shellcode.
For this purpose we select windows/x64/meterpreter/bind_tcp and apply different encoders using this script http://alienvault-labs-garage.googlecode.com/svn/trunk/metasploit/encoders.py [no longer available].
Results:
| Encoder | Offset |
|---|---|
| x64/xor | no detected |
| x86/alpha_mixed | no detected |
| x86/alpha_upper | no detected |
| x86/avoid_utf8_tolower | no detected |
| x86/call4_dword_xor | 0 |
| x86/context_cpuid | 0 |
| x86/context_stat | 0 |
| x86/context_time | -4657153 |
| x86/countdown | 0 |
| x86/fnstenv_mov | 0 |
| x86/jmp_call_additive | 1 |
| x86/nonalpha | -4657153 |
| x86/shikata_ga_nai | -4657153 |
| x86/single_static_bit | -4657153 |
So, after this study we can conclude that libemu is a trustful library to detect most of the shellcodes used nowadays.
