libemu examples

SQL Slammer

In 2003 SQL Slammer made it into every major media outlet. The worm, spreading autonomously using a single UDP packet that exploited a flaw in Microsoft SQL Server, generated enough traffic to take down parts of the internet. As of today, the worm still exists and keeps trying to infect servers that remain unpatched. Because SQL Slammer is pure assembly without any PE file overhead, we were able to create a callgraph of it using libemu.

sqlslammer callgraph

Download:
.dot file
large graph

Metasploit linux/x86/shell_bind_tcp

This is a Linux shellcode provided by the Metasploit Framework. The payload was constructed using:

./msfpayload linux/x86/shell_bind_tcp r | \
./msfencode -a x86 -e x86/shikata_ga_nai -t raw

msf linux bindshell callgraph

Download:
.dot file
large graph

linkbot connectback file transfer

A very interesting two-stage shellcode which uses a stack cookie to verify that the host downloading the file was actually the one attacked.
The second stage sends the attacker a cookie which was put on the stack by the first stage, and receives a file afterwards. When the file transfer is done, the received file gets executed.

linkbot connectback callgraph

Download:
.dot file
large graph