
I have a binary file which uses some exploit (I guess; it was generated with Metasploit), but I can't determine the exact exploit it uses.

The disassembly listing of it contains plenty of "mov" operators, and the .data section contains a lot of strings like:

"!!\"#$$%&''()**+,--./0112344567789::;<==>?@@ABCCDEFFGHIIJKLLMNOOPQRRSTUUVWXXYZ[[\]^^_`abbcdeefghhijkklmnnopqqrsttuvwwxyzz{|}}~"


And the assembler code consists of plenty of "mov"s


Is there any way to define which exploit this malicious binary uses?

HashHazard
AseN
  • Can you share more of the exploit code? It's hard to tell based on what you've shared. – HashHazard Sep 23 '16 at 20:57
  • @Hollowproc, sure – AseN Sep 23 '16 at 21:04
  • What metasploit module are you using? – HashHazard Sep 23 '16 at 21:09
  • The thing is I haven't; I'm trying to figure this out. I have the binary only. All info I have found for now is: https://malwr.com/analysis/ZjMyMjJjNjQxY2MzNGJlMGI1NjY1NGRiNjNlYmE0ZGQ/#dropped – AseN Sep 23 '16 at 21:13
  • From that alone, you won't be able to determine which module was used. This is just shellcode (aka the *payload*), not the exploit code. Multiple modules in metasploit can use the same payload, because they rely on the same payload generator (msfvenom) for payload generation. Furthermore, why do you think this was metasploit? – HashHazard Sep 23 '16 at 21:17
  • @Hollowproc, you're right that this could be not just a single module of Metasploit. I just would like to know what CVE was used. – AseN Sep 23 '16 at 21:21
  • I migrated this [discussion to chat](http://chat.stackexchange.com/rooms/45820/discussion-between-hollowproc-and-0xffh). – HashHazard Sep 23 '16 at 21:28

2 Answers


Based on further discussion with the OP, the answer to this question is that there isn't enough information to determine the exploit this payload was used in.

The best bet would be to forensically image the machine that it was used on (if available) and perform a complete analysis of the device including generation of timelines which should be reviewed for correlations regarding the appearance of the binary.

Secondary methods include scanning the system it was used on for vulnerabilities and trying to identify which exploits could have been used on this system, narrowing it down from there. This is much less reliable than the former.

HashHazard

Yes there is, but you have to give us the information required to do it. Can you disassemble and analyse it in IDA?

Look for any common behaviour, names, strings, anything that can give you a hint. If you think that it's based on a Metasploit module, try to understand how it works by how it connects to and handles the socket communication. After that you can analyse Metasploit's modules and determine which exploit this one is based on.

Another hint: try to search for the file hash (MD5, SHA-1) on Google. Sorry, but it's all I can say based on the information given.

OPSXCQ
  • I could track this malware to here: https://malwr.com/analysis/ZjMyMjJjNjQxY2MzNGJlMGI1NjY1NGRiNjNlYmE0ZGQ/ I am absolutely sure that this is it. I can't find any more info about this malware – AseN Sep 23 '16 at 20:53
  • Based on the OP's comments, this probably isn't the right answer. The better answer would be that from just the payload and a link to the binary on malwr.com, you don't have enough information to determine what exploit this payload was used in, nor how it was created in the first place. – HashHazard Sep 23 '16 at 21:27
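A small triage script, added here as an example and not part of either answer, covering two of the checks suggested above: computing the file hashes to look up on malwr.com or a search engine, and pulling printable strings out of the blob while separating runs like the one quoted in the question, which walk the printable range in order and are a lookup table rather than text. The sample bytes are constructed; the only real value in them is the string from the question.

```python
import hashlib
import re

# Constructed sample blob: filler bytes, one ordinary string, and the
# table-like string quoted in the question, embedded as if in a .data section.
TABLE = (b"!!\"#$$%&''()**+,--./0112344567789::;<==>?@@ABCCDEFFGHIIJKLLMNOOPQRRSTUUVWXXYZ"
         b"[[\\]^^_`abbcdeefghhijkklmnnopqqrsttuvwwxyzz{|}}~")
SAMPLE = b"\x00\x90\x90" + b"config.ini\x00" + b"\x01\x02" + TABLE + b"\x00\xff"


def file_hashes(data: bytes) -> dict:
    """Digests to search for on sandboxes or the web (MD5/SHA-1 as suggested, plus SHA-256)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def looks_like_char_table(s: str) -> bool:
    """True when a run never steps backwards and never skips a character while
    spanning most of the printable range: an alphabet/lookup table, not text."""
    steps = [ord(b) - ord(a) for a, b in zip(s, s[1:])]
    spans_range = ord(s[-1]) - ord(s[0]) >= 64
    return len(s) >= 32 and spans_range and all(0 <= d <= 1 for d in steps)


def triage(data: bytes) -> dict:
    """Hashes plus strings split into readable text and table-like runs."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "text": [s for s in strings if not looks_like_char_table(s)],
        "tables": [s for s in strings if looks_like_char_table(s)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, digest in report["hashes"].items():
        print(f"{name}: {digest}")
    print("text strings:", report["text"])
    print("table-like strings:", report["tables"])
```

Run it against a real file by replacing SAMPLE with the file's bytes; a table-like hit only tells you the blob carries an encoder or lookup alphabet, not which module produced it.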