..
    This file is part of the dionaea honeypot

    SPDX-FileCopyrightText: 2011-2012 Markus Koetter
    SPDX-FileCopyrightText: 2015-2017 PhiBo (DinoTools)

    SPDX-License-Identifier: GPL-2.0-or-later

Exploitation
============

Attackers do not seek your service, attackers want to exploit you,
they'll chat with the service for some packets, and afterwards sent a
payload. dionaea has to detect and evaluate the payload to be able to
gain a copy of the malware. In order to do so, dionaea uses libemu.

Given certain circumstances, libemu can detect shellcode, measure the
shellcode, and if required even execute the shellcode. Shellcode
detection is done by making use of GetPC heuristics, others wrote papers
about it, we decided to write libemu to do so. This detection is rather
time consuming, and therefore done using threads.

The part of dionaea which takes care of the network io can create a copy
of all in/output run for a connection, this copy is passed to the
detection facility, which is a tree of detection facilities, at this
moment there is only a single leaf, the emu plugin. The emu plugin uses
threads and libemu to detect and profile/measure shellcode.

Shellcode measurement/profiling is done by running the shellcode in the
libemu vm and recording API calls and arguments. For most shellcode
profiling is sufficient, the recorded API calls and arguments reveal
enough information to get an idea of the attackers intention and act
upon them. For multi-stage shellcode, where the first exploitation stage
of the shellcode would retrieve a second shellcode from the attacker,
profiling is not sufficient, as we lack the information 'what to do'
from the second stage of the shellcode, in this case we need to make use
of shellcode execution. Shellcode execution is basically the same as
shellcode profiling, the only difference is not recording the api calls,
and we allow the shellcode to take certain actions, for example creating
a network connection.


Payloads
--------

Once we have the payload, and the profile, dionaea has to guess the
intention, and act upon it


Shells - bind/connectback
^^^^^^^^^^^^^^^^^^^^^^^^^

This payload offers a shell (cmd.exe prompt) to the attacker, either by
binding a port and waiting for the attacker to connect to us again, or
by connection to the attacker. In both cases, dionaea offers an cmd.exe
emulation to the attacker, parses the input, and acts upon the input,
usually the instructions download a file via ftp or tftp.


URLDownloadToFile
^^^^^^^^^^^^^^^^^

These shellcodes use the URLDownloadToFile api call to retrieve a file
via http, and execute the retrieved file afterwards


Exec
^^^^

Making use of WinExec, these shellcode execute a single command which
has to be parsed and processed like the bind/connectback shell
shellcommands.


Multi Stage Payloads
^^^^^^^^^^^^^^^^^^^^

We never know what the second stage is, therefore libemu is used to
execute the shellcode in the libemu vm.
