Emulate and Dissect MSF and other attacks

Last update: Dec 16, 2022

Related tags

Miscellaneous REW-sploit

Overview

REW-sploit

The tool has been presented at Black-Hat Arsenal USA 2021

https://www.blackhat.com/us-21/arsenal/schedule/index.html#rew-sploit-dissecting-metasploit-attacks-24086

Slides of presentation are available at https://github.com/REW-sploit/REW-sploit_docs

Need help in analyzing Windows shellcode or attack coming from Metasploit Framework or Cobalt Strike (or may be also other malicious or obfuscated code)? Do you need to automate tasks with simple scripting? Do you want help to decrypt MSF generated traffic by extracting keys from payloads?

REW-sploit is here to help Blue Teams!

Here a quick demo:

Install

Installation is very easy. I strongly suggest to create a specific Python Env for it:

# python -m venv /rew-sploit
# source /bin/activate
# git clone https://github.com/REW-sploit/REW-sploit.git
# cd REW-sploit
# pip install -r requirements.txt
# ./apply_patch.py -f
# ./rew-sploit

If you prefer, you can use the Dockerfile. To create the image:

docker build -t rew-sploit/rew-sploit .

and then start it (sharing the /tmp/ folder):

docker run --rm -it --name rew-sploit -v /tmp:/tmp rew-sploit/rew-sploit

You see an apply_patch.py script in the installation sequence. This is required to apply a small patch to the speakeasy-emulator (https://github.com/fireeye/speakeasy/) to make it compatible with REW-sploit. You can easily revert the patch with ./apply_patch.py -r if required.

Optionally, you can also install Cobalt-Strike Parser:

# cd REW-sploit/extras
# git clone https://github.com/Sentinel-One/CobaltStrikeParser.git

Standing on the shoulder of giants

REW-sploit is based on a couple of great frameworks, Unicorn and speakeasy-emulator (but also other libraries). Thanks to everyone and thanks to the OSS movement!

How it works

In general we can say that whilst Red Teams have a lot of tools helping them in "automating" attacks, Blue Teams are a bit "tool-less". So, what I thought is to build something to help Blue Team Analysis.

REW-sploit can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are:

API calls
Encryption keys used by MSF payloads
decrypted 2nd stage coming from MSF
Cobalt-Strike configurations (if CobaltStrike parser is installed)

You can find several examples on the current capabilities here below:

Fixups

In some cases emulation was simply breaking, for different reasons. In some cases obfuscation was using some techniques that was confusing the emulation engine. So I implemented some ad-hoc fixups (you can enable them by using -F option of the emulate_payload command). Fixups are implemented in modules/emulate_fixups.py. Currently we have

Unicorn issue #1092:

    #
    # Fixup #1
    # Unicorn issue #1092 (XOR instruction executed twice)
    # https://github.com/unicorn-engine/unicorn/issues/1092
    #               #820 (Incorrect memory view after running self-modifying code)
    # https://github.com/unicorn-engine/unicorn/issues/820
    # Issue: self modfying code in the same Translated Block (16 bytes?)
    # Yes, I know...this is a huge kludge... :-/
    #

FPU emulation issue:

    #
    # Fixup #2
    # The "fpu" related instructions (FPU/FNSTENV), used to recover EIP, sometimes
    # returns the wrong addresses.
    # In this case, I need to track the first FPU instruction and then place
    # its address in STACK when FNSTENV is called
    #

Trap Flag evasion:

    #
    # Fixup #3
    # Trap Flag evasion technique
    # https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/
    #
    # The call of the RDTSC with the trap flag enabled, cause an unhandled
    # interrupt. Example code:
    #        pushf
    #        or dword [esp], 0x100
    #        popf
    #        rdtsc
    #
    # Any call to RDTSC with Trap Flag set will be intercepted and TF will
    # be cleared
    #

Customize YARA rules

File modules/emulate_rules.py contains the YARA rules used to intercept the interesting part of the code, in order to implement instrumentation. I tried to comment as much as possible these sections in order to let you create your own rule (please share them with a pull request if you think they can help others). For example:

#
# Payload Name: [MSF] windows/meterpreter/reverse_tcp_rc4
# Search for  : mov esi,dword ptr [esi]
#               xor esi,0x
# Used for    : this xor instruction contains the constant used to
#               encrypt the lenght of the payload that will be sent as 2nd
#               stage
# Architecture: x32
#
yara_reverse_tcp_rc4_xor_32 = 'rule reverse_tcp_rc4_xor {                \
                               strings:                                  \
                                   $opcodes_1 = { 8b 36                  \
                                                  81 f6 ?? ?? ?? ?? }    \
                               condition:                                \
                                   $opcodes_1 }'

Issues

Please, open Issues if you find something that not work or that can be improved. Thanks!

You might also like...

A tool for study using pomodoro methodology, while study mode spotify or any other .exe app is opened and while resting is closed.

Pomodoro-Timer-With-Spotify-Connection A tool for study using pomodoro methodology, while study mode spotify or any other .exe app is opened and while

2 Oct 23, 2022

Write complicated anonymous functions other than lambdas in Python.

lambdex allows you to write multi-line anonymous function expression (called a lambdex) in an idiomatic manner.

71 May 19, 2022

Push Prometheus metrics to VictoriaMetrics or other exporters

Push metrics from your periodic long-running jobs to existing Prometheus/VictoriaMetrics monitoring system.

14 Nov 4, 2022

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of pages, comparison of response code and reflections.

197 Nov 14, 2022

Python script for changing the SSH banner content with other content

Banner-changer-py Python script for changing the SSH banner content with other content. The Script will take the content of a specified file range and

2 Nov 23, 2021

A Python Perforce package that doesn't bring in any other packages to work.

P4CMD 🌴 A Python Perforce package that doesn't bring in any other packages to work. Relies on p4cli installed on the system. p4cmd The p4cmd module h

13 Dec 19, 2022

A collection of software that serve no purpose other than waste your time. Forking is encouraged!

the-useless-collection A collection of software that serve no purpose other than waste your time. Forking is encouraged! Requires Python 3.9. Usage Go

1 Mar 16, 2022

Generate a wordlist to fuzz amounts or any other numerical values.

Generate a wordlist to fuzz amounts or any other numerical values. Based on Common Security Issues in Financially-Oriented Web Applications.

3 Oct 14, 2022

Project for viewing the cheapest flight deals from Netherlands to other countries.

Flight_Deals_AMS Project for viewing the cheapest flight deals from Netherlands to other countries.

2 Dec 17, 2022

Comments

shellcode: Caught error: 'NoneType' object has no attribute 'startswith'
command: (REW-sploit)<<emulate_payload -P shell.bin -U 0

0x10d3: Error while calling API handler for kernel32.VirtualAllocEx: Traceback: File ".../speakeasy/windows/winemu.py", line 1168, in handle_import_func rv = self.api.call-api_func(mod, func, argv, ctx=default_ctx) File ".../speakeasy/winenv/api/winapi.py", line 77, in call_api_func return func(mod, self.emu, argv, ctx) File ".../speakeasy/winenv/api/usermode/kernel32.py" line 995, in VirtualAllocEx if mm and mm.get_tag().startswith(tag_prefix): AttributeError: 'NoneType' object has no attribute 'startswith' 0x77...: shellcode: Caught error: 'NoneType' object has no attribute 'startswith'

Timeout of 0 sec(s) reached.

[+] Emulation ended
opened by programmer4python 37
Antidebug detection feature
This will be released in version 0.4.0:

a new emulation option will execute the provided DLL/EXE/Shellcode to identify location of anti-debug techniques

enhancement
opened by cecio 3

Reduced container image size

Modified Dockerfile to reduce the image size:

$ docker image ls rew-sploit
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
rew-sploit   devel     e6e5b0244a0f   8 minutes ago   209MB
rew-sploit   latest    1c477a013cc2   9 days ago      1.1GB

opened by camandel 3

Not working with MSF payload x64

Hey,

Here is what I tried to test your tool, first I generate a classic reverse TCP:

msfvenom -p windows/x64/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o test.bin -f raw

Then I tried to emulate it with REW-sploit:

(REW-sploit)<< emulate_payload -P samples/test.bin

But here is the output:

[+] Starting emulation
* exec: shellcode
0x10fb: shellcode: Caught error: invalid_write
* Timeout of 0 sec(s) reached.
[+] Emulation ended

I also tried with this shellcode:

msfvenom -p windows/x64/messagebox TITLE='Title' TEXT='Text' EXITFUNC=thread -f raw -o msgbox.bin

However, examples in the samples folder are working fine (e.g: payload_tcp_rc4.bin), do you have an idea of what I'm doing wrong ?

opened by lap1nou 2

Releases(v0.5.0)

v0.5.0(Sep 9, 2022)
dump option added, to dump entire emulated process memory at specific EIP

added hook for GetProcAddress for customized actions

Source code(tar.gz)
Source code(zip)
v0.4.3(Jun 3, 2022)
minor mods to comments and help

added memory dump on VirtualFree

Source code(tar.gz)
Source code(zip)
v0.4.2(May 23, 2022)
by default uses latest Speakeasy commit instead of stable release

added CreateRemoteThread dump to option -T

Source code(tar.gz)
Source code(zip)
v0.4.1(Apr 21, 2022)
Added support to emulate DLL exports by ordinal

Source code(tar.gz)
Source code(zip)
v0.4.0(Mar 21, 2022)
New antidebug detection command

Allocated Memory dump option added

Several bug fix

Source code(tar.gz)
Source code(zip)
v0.3.5(Jan 11, 2022)
Some fixes in the interface, to better handle output redirection

cmd2 package updated to 2.3.3

bump to release 0.3.5

Source code(tar.gz)
Source code(zip)
v0.3.4(Nov 24, 2021)
minor bug fixes

new SpeakEasy release 1.5.9

bump to version 0.3.4

Source code(tar.gz)
Source code(zip)
v0.3.3(Oct 12, 2021)
Using new SpeakEasy release 1.5.7.2

Source code(tar.gz)
Source code(zip)
v0.3.2(Oct 6, 2021)
Release Notes

added unhook option to increase performance

clean up of some code

Source code(tar.gz)
Source code(zip)
v0.3.1(Aug 25, 2021)

Few bugfixes and support for SGN
Source code(tar.gz)
Source code(zip)
v0.3(Aug 17, 2021)

Source code(tar.gz)
Source code(zip)
v0.2(Aug 5, 2021)

Source code(tar.gz)
Source code(zip)

Owner

GitHub Repository

BDD base project: Python + Behave

BDD base project: Python + Behave Basic example of using Python with Behave (BDD). This Gherkin example includes: Basic Scenario Scenario Outline Tagg

1 Dec 08, 2021

FCurve-Cleaner: Tries to clean your dense mocap graphs like an animator would

Tries to clean your dense mocap graphs like an animator would! So it will produce a usable artist friendly result while maintaining the original graph.

5 Aug 17, 2022

Howell County, Missouri, COVID-19 data and (unofficial) estimates

COVID-19 in Howell County, Missouri This repository contains the daily data files used to generate my COVID-19 dashboard for Howell County, Missouri,

0 Jun 18, 2022

Extend the maya channel box with searchability and colour

channel-box-plus will add search-ability over its attributes, and it will colour user defined attributes, making them easier to distinguish.

12 Jun 08, 2022

JSEngine is a simple wrapper of Javascript engines.

JSEngine This is a simple wrapper of Javascript engines, it wraps the Javascript interpreter for Python use. There are two ways to call interpreters,

11 Dec 18, 2022

Solve various integral equations using numerical methods in Python

Solve Volterra and Fredholm integral equations This Python package estimates Volterra and Fredholm integral equations using known techniques. Installa

18 Nov 28, 2022

Zapiski za ure o C++-u

cpp-notes Zapiski o C++-u. Objavljena verzija je na https://e6.ijs.si/~jslak/c++/ Generating the notes The setup assumes you are working in a Linux en

1 Jan 05, 2022

Esercizi di Python svolti per il biennio di Tecnologie Informatiche.

Esercizi di Python Un piccolo aiuto per Sofia che nel 2° quadrimestre inizierà Python :) Questo repository (termine tecnico di Git) puoi trovare tutti

2 Nov 07, 2022

Saturne best tools pour baiser tout le système de discord

Installation | Important | Discord 🌟 Comme Saturne est gratuit, les dons sont vraiment appréciables et maintiennent le développement! Caractéristique

8 Oct 02, 2022

A collection of repositories used to realise various end-to-end high-level synthesis (HLS) flows centering around the CIRCT project.

circt-hls What is this?: A collection of repositories used to realise various end-to-end high-level synthesis (HLS) flows centering around the CIRCT p

29 Dec 14, 2022

Emulate and Dissect MSF and *other* attacks

Related tags

Overview

REW-sploit

Install

Standing on the shoulder of giants

How it works

Fixups

Customize YARA rules

Issues

You might also like...

A tool for study using pomodoro methodology, while study mode spotify or any other .exe app is opened and while resting is closed.

Write complicated anonymous functions other than lambdas in Python.

Push Prometheus metrics to VictoriaMetrics or other exporters

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Python script for changing the SSH banner content with other content

A Python Perforce package that doesn't bring in any other packages to work.

A collection of software that serve no purpose other than waste your time. Forking is encouraged!

Generate a wordlist to fuzz amounts or any other numerical values.

Project for viewing the cheapest flight deals from Netherlands to other countries.

Comments

shellcode: Caught error: 'NoneType' object has no attribute 'startswith'

Antidebug detection feature

Reduced container image size

Not working with MSF payload x64

Releases(v0.5.0)

v0.5.0(Sep 9, 2022)

v0.4.3(Jun 3, 2022)

v0.4.2(May 23, 2022)

v0.4.1(Apr 21, 2022)

v0.4.0(Mar 21, 2022)

v0.3.5(Jan 11, 2022)

v0.3.4(Nov 24, 2021)

v0.3.3(Oct 12, 2021)

v0.3.2(Oct 6, 2021)

Release Notes

v0.3.1(Aug 25, 2021)

v0.3(Aug 17, 2021)

v0.2(Aug 5, 2021)

Owner

BDD base project: Python + Behave

FCurve-Cleaner: Tries to clean your dense mocap graphs like an animator would

Howell County, Missouri, COVID-19 data and (unofficial) estimates

Extend the maya channel box with searchability and colour

JSEngine is a simple wrapper of Javascript engines.

Solve various integral equations using numerical methods in Python

Zapiski za ure o C++-u

Esercizi di Python svolti per il biennio di Tecnologie Informatiche.

Saturne best tools pour baiser tout le système de discord

A collection of repositories used to realise various end-to-end high-level synthesis (HLS) flows centering around the CIRCT project.

NGEBUG is a tool that sends viruses to victims

BlackIP-Rep is a tool designed to gather the reputation and information of Bulk IP's.

Automatic and platform-independent unpacker for Windows binaries based on emulation

Sailwind Mod Manager

Simple script to match riders with drivers.

How to create the game Rock, Paper, Scissors in Python

Py4J enables Python programs to dynamically access arbitrary Java objects

NFT-Image-Generator - Utility to generate a large collection of unique images

This is an example manipulation package of for a robot manipulator based on Drake with ROS2.

Unofficial package for fetching users information based on National ID Number (Tanzania)

Emulate and Dissect MSF and other attacks