Emulate and Dissect MSF and *other* attacks

Related tags

MiscellaneousREW-sploit
Overview

Logo

REW-sploit

The tool has been presented at Black-Hat Arsenal USA 2021

https://www.blackhat.com/us-21/arsenal/schedule/index.html#rew-sploit-dissecting-metasploit-attacks-24086

Slides of presentation are available at https://github.com/REW-sploit/REW-sploit_docs

Need help in analyzing Windows shellcode or attack coming from Metasploit Framework or Cobalt Strike (or may be also other malicious or obfuscated code)? Do you need to automate tasks with simple scripting? Do you want help to decrypt MSF generated traffic by extracting keys from payloads?

REW-sploit is here to help Blue Teams!

Here a quick demo:

asciicast

Install

Installation is very easy. I strongly suggest to create a specific Python Env for it:

# python -m venv /rew-sploit
# source /bin/activate
# git clone https://github.com/REW-sploit/REW-sploit.git
# cd REW-sploit
# pip install -r requirements.txt
# ./apply_patch.py -f
# ./rew-sploit

If you prefer, you can use the Dockerfile. To create the image:

docker build -t rew-sploit/rew-sploit .

and then start it (sharing the /tmp/ folder):

docker run --rm -it --name rew-sploit -v /tmp:/tmp rew-sploit/rew-sploit

You see an apply_patch.py script in the installation sequence. This is required to apply a small patch to the speakeasy-emulator (https://github.com/fireeye/speakeasy/) to make it compatible with REW-sploit. You can easily revert the patch with ./apply_patch.py -r if required.

Optionally, you can also install Cobalt-Strike Parser:

# cd REW-sploit/extras
# git clone https://github.com/Sentinel-One/CobaltStrikeParser.git

Standing on the shoulder of giants

REW-sploit is based on a couple of great frameworks, Unicorn and speakeasy-emulator (but also other libraries). Thanks to everyone and thanks to the OSS movement!

How it works

In general we can say that whilst Red Teams have a lot of tools helping them in "automating" attacks, Blue Teams are a bit "tool-less". So, what I thought is to build something to help Blue Team Analysis.

REW-sploit can get a shellcode/DLL/EXE, emulate the execution, and give you a set of information to help you in understanding what is going on. Example of extracted information are:

You can find several examples on the current capabilities here below:

Fixups

In some cases emulation was simply breaking, for different reasons. In some cases obfuscation was using some techniques that was confusing the emulation engine. So I implemented some ad-hoc fixups (you can enable them by using -F option of the emulate_payload command). Fixups are implemented in modules/emulate_fixups.py. Currently we have

Unicorn issue #1092:

    #
    # Fixup #1
    # Unicorn issue #1092 (XOR instruction executed twice)
    # https://github.com/unicorn-engine/unicorn/issues/1092
    #               #820 (Incorrect memory view after running self-modifying code)
    # https://github.com/unicorn-engine/unicorn/issues/820
    # Issue: self modfying code in the same Translated Block (16 bytes?)
    # Yes, I know...this is a huge kludge... :-/
    #

FPU emulation issue:

    #
    # Fixup #2
    # The "fpu" related instructions (FPU/FNSTENV), used to recover EIP, sometimes
    # returns the wrong addresses.
    # In this case, I need to track the first FPU instruction and then place
    # its address in STACK when FNSTENV is called
    #

Trap Flag evasion:

    #
    # Fixup #3
    # Trap Flag evasion technique
    # https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/
    #
    # The call of the RDTSC with the trap flag enabled, cause an unhandled
    # interrupt. Example code:
    #        pushf
    #        or dword [esp], 0x100
    #        popf
    #        rdtsc
    #
    # Any call to RDTSC with Trap Flag set will be intercepted and TF will
    # be cleared
    #

Customize YARA rules

File modules/emulate_rules.py contains the YARA rules used to intercept the interesting part of the code, in order to implement instrumentation. I tried to comment as much as possible these sections in order to let you create your own rule (please share them with a pull request if you think they can help others). For example:

#
# Payload Name: [MSF] windows/meterpreter/reverse_tcp_rc4
# Search for  : mov esi,dword ptr [esi]
#               xor esi,0x
# Used for    : this xor instruction contains the constant used to
#               encrypt the lenght of the payload that will be sent as 2nd
#               stage
# Architecture: x32
#
yara_reverse_tcp_rc4_xor_32 = 'rule reverse_tcp_rc4_xor {                \
                               strings:                                  \
                                   $opcodes_1 = { 8b 36                  \
                                                  81 f6 ?? ?? ?? ?? }    \
                               condition:                                \
                                   $opcodes_1 }'

Issues

Please, open Issues if you find something that not work or that can be improved. Thanks!

You might also like...
A tool for study using pomodoro methodology, while study mode spotify or any other .exe app is opened and while resting is closed.
A tool for study using pomodoro methodology, while study mode spotify or any other .exe app is opened and while resting is closed.

Pomodoro-Timer-With-Spotify-Connection A tool for study using pomodoro methodology, while study mode spotify or any other .exe app is opened and while

null 2 Oct 23, 2022
Write complicated anonymous functions other than lambdas in Python.

lambdex allows you to write multi-line anonymous function expression (called a lambdex) in an idiomatic manner.

Xie Jingyi 71 May 19, 2022
Push Prometheus metrics to VictoriaMetrics or other exporters
Push Prometheus metrics to VictoriaMetrics or other exporters

Push metrics from your periodic long-running jobs to existing Prometheus/VictoriaMetrics monitoring system.

olegm 14 Nov 4, 2022
The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.
The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of pages, comparison of response code and reflections.

null 197 Nov 14, 2022
Python script for changing the SSH banner content with other content

Banner-changer-py Python script for changing the SSH banner content with other content. The Script will take the content of a specified file range and

null 2 Nov 23, 2021
A Python Perforce package that doesn't bring in any other packages to work.

P4CMD 🌴 A Python Perforce package that doesn't bring in any other packages to work. Relies on p4cli installed on the system. p4cmd The p4cmd module h

Niels Vaes 13 Dec 19, 2022
A collection of software that serve no purpose other than waste your time. Forking is encouraged!

the-useless-collection A collection of software that serve no purpose other than waste your time. Forking is encouraged! Requires Python 3.9. Usage Go

Imsad2 1 Mar 16, 2022
Generate a wordlist to fuzz amounts or any other numerical values.
Generate a wordlist to fuzz amounts or any other numerical values.

Generate a wordlist to fuzz amounts or any other numerical values. Based on Common Security Issues in Financially-Oriented Web Applications.

Ivan Šincek 3 Oct 14, 2022
Project for viewing the cheapest flight deals from Netherlands to other countries.

Flight_Deals_AMS Project for viewing the cheapest flight deals from Netherlands to other countries.

null 2 Dec 17, 2022
Comments
  • shellcode: Caught error: 'NoneType' object has no attribute 'startswith'

    shellcode: Caught error: 'NoneType' object has no attribute 'startswith'

    command: (REW-sploit)<<emulate_payload -P shell.bin -U 0

    0x10d3: Error while calling API handler for kernel32.VirtualAllocEx: Traceback: File ".../speakeasy/windows/winemu.py", line 1168, in handle_import_func rv = self.api.call-api_func(mod, func, argv, ctx=default_ctx) File ".../speakeasy/winenv/api/winapi.py", line 77, in call_api_func return func(mod, self.emu, argv, ctx) File ".../speakeasy/winenv/api/usermode/kernel32.py" line 995, in VirtualAllocEx if mm and mm.get_tag().startswith(tag_prefix): AttributeError: 'NoneType' object has no attribute 'startswith' 0x77...: shellcode: Caught error: 'NoneType' object has no attribute 'startswith'

    • Timeout of 0 sec(s) reached.
    • [+] Emulation ended
    opened by programmer4python 37
  • Antidebug detection feature

    Antidebug detection feature

    This will be released in version 0.4.0:

    • a new emulation option will execute the provided DLL/EXE/Shellcode to identify location of anti-debug techniques
    enhancement 
    opened by cecio 3
  • Reduced container image size

    Reduced container image size

    Modified Dockerfile to reduce the image size:

    $ docker image ls rew-sploit
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
rew-sploit   devel     e6e5b0244a0f   8 minutes ago   209MB
rew-sploit   latest    1c477a013cc2   9 days ago      1.1GB
    opened by camandel 3
  • Not working with MSF payload x64

    Not working with MSF payload x64

    Hey,

    Here is what I tried to test your tool, first I generate a classic reverse TCP:

    msfvenom -p windows/x64/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o test.bin -f raw

    Then I tried to emulate it with REW-sploit:

    (REW-sploit)<< emulate_payload -P samples/test.bin

    But here is the output:

    [+] Starting emulation
* exec: shellcode
0x10fb: shellcode: Caught error: invalid_write
* Timeout of 0 sec(s) reached.
[+] Emulation ended

    I also tried with this shellcode:

    msfvenom -p windows/x64/messagebox TITLE='Title' TEXT='Text' EXITFUNC=thread -f raw -o msgbox.bin

    However, examples in the samples folder are working fine (e.g: payload_tcp_rc4.bin), do you have an idea of what I'm doing wrong ?

    opened by lap1nou 2
Releases(v0.5.0)
Owner
GitHub Repository
Animation retargeting tool for Autodesk Maya. Retargets mocap to a custom rig with a few clicks.

Animation Retargeting Tool for Maya A tool for transferring animation data between rigs or transfer raw mocap from a skeleton to a custom rig. (The sc

Joaen 62 Dec 19, 2022
An kind of operating system portal to a variety of apps with pure python

pyos An kind of operating system portal to a variety of apps. Installation Run this on your terminal: git clone https://github.com/arjunj132/pyos.git

1 Jan 22, 2022
Streamlit Component, for a Chatbot UI

st-chat Streamlit Component, for a Chat-bot UI, example app authors - @yashppawar & @YashVardhan-AI Installation Install streamlit-chat with pip pip i

Yash AI 99 Jan 07, 2023
Advanced Variable Manager {AVM} [0.8.0]

Advanced Variable Manager {AVM} [0.8.0] By Grosse pastèque#6705 WARNING : This modules need some typing modifications ! If you try to run it without t

Big watermelon 1 Dec 11, 2021
Medical appointments No-Show classifier

Medical Appointments No-shows Why do 20% of patients miss their scheduled appointments? A person makes a doctor appointment, receives all the instruct

4 Apr 20, 2022
0xFalcon - 0xFalcon Tool For Python

0xFalcone Installation Install 0xFalcone Tool: apt install git git clone https:/

Alharb7 6 Sep 24, 2022
Model synchronization from dbt to Metabase.

dbt-metabase Model synchronization from dbt to Metabase. If dbt is your source of truth for database schemas and you use Metabase as your analytics to

Mike Gouline 270 Jan 08, 2023
Different steganography methods with examples and my own small image database

literally-the-most-useless-project [Different steganography methods with examples and my own small image database] This project currently contains thr

Kamyishka 1 Dec 09, 2022
Double Pendulum implementation in Python, now with added pendulums and trails :D

Double Pendulum Using Curses in Python. A nice relaxing double pendulum simulation using ASCII, able to simulate multiple pendulums at once, and provi

Nekurone 62 Dec 14, 2022
Liquid Rocket Engine Cooling Simulation

Liquid Rocket Engine Cooling Simulation NASA CEA The implemented class calls NASA CEA via RocketCEA. INSTALL GUIDE In progress install instructions fo

John Salib 1 Jan 30, 2022
JPMC Virtual Experience

This repository contains the submitted patch files along with raw files of the various tasks assigned by JPMorgan Chase & Co. through its Software Engineering Virtual Experience Program on Forage (fo

Vardhini K 1 Dec 05, 2021
My sister is a GR of her class. She had to mark attendance of students from screenshots of teams meeting on an excel sheet. I resolved her problem by reading names from screenshots using PyTesseract and marking them present on the excel using Pandas in Python. It took me 1hr to write the code and it is saving half an hour everyday.

auto-team-attandance Don't judge the code, this is not the best way to write code. I was learning tkinter that is why GUI is bad. Here's the Mega link

Hassan Anwar 25 Sep 04, 2022
A bunch of codes for procedurally modeling and texturing futuristic cities.

Procedural Futuristic City This is our final project for CPSC 479. We created a procedural futuristic city complete with Worley noise procedural textu

1 Dec 22, 2021
Linux Security and Monitoring Scripts

Linux Security and Monitoring Scripts These are a collection of security and monitoring scripts you can use to monitor your Linux installation for sec

Andre Pawlowski 65 Aug 27, 2022
An almost fully customizable language made in python!

Whython is a project language, the idea of it is that anyone can download and edit the language to make it suitable to what they want.

Julian 47 Nov 05, 2022
A program to generate random numbers b/w 0 to 10 using time

random-num-using-time A program to generate random numbers b/w 0 to 10 using time it uses python's in-built module datetime and an equation which retu

Atul Kushwaha 1 Oct 01, 2022
Never get kicked for inactivity ever again!

FFXIV AFK Bot Tired of getting kicked from games due to inactivity? This Bot will make random movements in random intervals to prevent you from gettin

5 Jan 12, 2022
LOL英雄联盟云顶之弈挂机刷代币脚本,全自动操作,智能逻辑,功能齐全。

LOL云顶之弈挂机刷代币脚本 这是2019年全球总决赛写的一个云顶挂机脚本,python完成的。 功能: 自动拿牌卖牌 策略是高星策略,非固定阵容 自动登陆账号、打码、异常重启 战利品截图上传百度云 web中控发号,改密码,查看信息等 代码是三天赶出来的,所以有点混乱,WEB中控代码也不知道扔哪去了

77 Oct 10, 2022
Script para generar automatización de registro de formularios IEEH

Formularios_IEEH Script para generar automatización de registro de formularios IEEH Corresponde a un conjunto de script en python que permiten la auto

vhevia11 1 Jan 06, 2022
A feed generator. Currently supports generating RSS feeds from Google, Bing, and Yahoo news.

A feed generator. Currently supports generating RSS feeds from Google, Bing, and Yahoo news.

Josh Cardenzana 0 Dec 13, 2021