Metasploit Payloads VS Libemu

October 4, 2011 | Jaime Blasco


Today we will analyze the detection capabilities of libemu [no longer available] using the Metasploit payloads.

Libemu is a small library to detect and analyze x86 shellcodes using heuristics.

We have written a small script to automatically generate Metasploit payloads and see if libemu is able to detect them. You can download it here [no longer available]. You’ll need libemu compiled with the python extensions and the Metasploit’s xmlrpc interface up:

./msfrpcd -P test -U test -S -t Web

The script generates all the Metasploit payloads and then use libemu to check if it detects the shellcode. Here is the list of payloads detected by libemu:

Payload Offset
windows/x64/meterpreter/bind_tcp -4657153
windows/meterpreter/bind_nonx_tcp 4
windows/meterpreter/bind_ipv6_tcp 1
windows/vncinject/bind_nonx_tcp 4
windows/shell/bind_ipv6_tcp 1
windows/x64/shell_bind_tcp -4657153
windows/vncinject/bind_ipv6_tcp 1
windows/meterpreter/bind_tcp -4657153
windows/patchupmeterpreter/bind_ipv6_tcp 1
windows/patchupmeterpreter/bind_nonx_tcp 4
windows/vncinject/bind_tcp -4657153
windows/x64/shell/bind_tcp -4657153
linux/x86/adduser -4657153
linux/x86/chmod -4657153
windows/adduser -4657153
windows/shell/bind_nonx_tcp 4
windows/x64/vncinject/bind_tcp -4657153
windows/patchupmeterpreter/bind_tcp -4657153
windows/shell_bind_tcp -4657153
windows/shell/bind_tcp -4657153

As we can see libemu is able to detect some of the shellcodes. The next step is to select one of the detected shellcodes and apply different encoders to see if libemu is still able to detect the shellcode.

For this purpose we select windows/x64/meterpreter/bind_tcp and apply different encoders using this script [no longer available].


Encoder Offset
x64/xor no detected
x86/alpha_mixed no detected
x86/alpha_upper no detected
x86/avoid_utf8_tolower no detected
x86/call4_dword_xor 0
x86/context_cpuid 0
x86/context_stat 0
x86/context_time -4657153
x86/countdown 0
x86/fnstenv_mov 0
x86/jmp_call_additive 1
x86/nonalpha -4657153
x86/shikata_ga_nai -4657153
x86/single_static_bit -4657153

So, after this study we can conclude that libemu is a trustful library to detect most of the shellcodes used nowadays.

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

Read more posts from Jaime Blasco ›


Get price Free trial