System Requirements:
Ubuntu 12.04 LTS Desktop (64Bit) w/ 2 CPU, 2GB Memory, and 20GB Partition
Install Ubuntu
:: Once Ubuntu is launched, press Ctrl-Alt-t for a Terminal
Enter new ‘root’ password
# sudo passwd
# su - <Enter root password>
Upgrade all your Ubuntu packages
# apt-get update
# apt-get upgrade
Install Python packages
# apt-get install python python-magic python-dpkt python-mako
Install tcpdump (Ubuntu already has this, so you may not need it)
# apt-get install tcpdump
# setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
Install git to download from repositories
# apt-get install git
# cd /opt
Install Cuckoo Sandbox
# git clone git://github.com/cuckoobox/cuckoo.git
Cloning into 'cuckoo'...
remote: Counting objects: 3363, done.
remote: Compressing objects: 100% (1250/1250), done.
remote: Total 3363 (delta 2137), reused 3229 (delta 2008)
Receiving objects: 100% (3363/3363), 3.71 MiB | 438 KiB/s, done.
Resolving deltas: 100% (2137/2137), done.
Install Oracle VirtualBox (All Distributions)
# wget http://download.virtualbox.org/virtualbox/4.1.16/VirtualBox-4.1.16-78094-Linux_amd64.run
# chmod u+x VirtualBox-4.1.16-78094-Linux_amd64.run
# ./VirtualBox-4.1.16-78094-Linux_amd64.run
Verifying archive integrity… All good.
Uncompressing VirtualBox for Linux installation………..
VirtualBox Version 4.1.16 r78094 (2012-02-20T13:13:38Z) installer
Installing VirtualBox to /opt/VirtualBox
Install Oracle VirtualBox (SDK)
# wget http://download.virtualbox.org/virtualbox/4.1.16/VirtualBoxSDK-4.1.16-78094.zip
# unzip VirtualBoxSDK-4.1.16-78094.zip
# cd /opt/sdk/installer
# python vboxapisetup.py install
Traceback (most recent call last):
File "vboxapisetup.py", line 76, in <module>
main(sys.argv)
File "vboxapisetup.py", line 50, in main
raise Exception("No VBOX_INSTALL_PATH defined, exiting")
Exception: No VBOX_INSTALL_PATH defined, exiting
Oops! Set the required VBOX_INSTALL_PATH environment variable and run the installer again
# VBOX_INSTALL_PATH=/opt/VirtualBox python vboxapisetup.py install
running install
running build
running build_py
creating build
creating build/lib.linux-x86_64-2.7
creating build/lib.linux-x86_64-2.7/vboxapi
copying vboxapi/VirtualBox_constants.py -> build/lib.linux-x86_64-2.7/vboxapi
copying vboxapi/__init__.py -> build/lib.linux-x86_64-2.7/vboxapi
running install_lib
copying build/lib.linux-x86_64-2.7/vboxapi/VirtualBox_constants.py -> /usr/local/lib/python2.7/dist-packages/vboxapi
copying build/lib.linux-x86_64-2.7/vboxapi/__init__.py -> /usr/local/lib/python2.7/dist-packages/vboxapi
byte-compiling /usr/local/lib/python2.7/dist-packages/vboxapi/__init__.py to __init__.pyc
running install_egg_info
Removing /usr/local/lib/python2.7/dist-packages/vboxapi-1.0.egg-info
Writing /usr/local/lib/python2.7/dist-packages/vboxapi-1.0.egg-info
Relocate SDK files into VirtualBox install directory
# mv sdk /opt/VirtualBox/sdk
Modify Cuckoo Configuration File
# cd /opt/cuckoo/conf
# vi cuckoo.conf
Enable Sniffer Option
[Sniffer]
# Enable or disable the following option by assigning a True or False value.
# In case you decide to disable it, you're supposed to either not have any
# network dump or to use VirtualBox's (or any other virtualization engine
# you are using) to handle the network monitoring instead of using an external
# sniffer such as tcpdump. [on/off]
sniffer = on
…
:: This pertains to the number of VMs you will configure later in the .conf file
[VirtualMachines]
# List virtual machines IDs separated by commas.
enabled = cuckoo1
…
:: Make sure the 'username' and 'password' match the default logged-in user in the Guest OS
:: Leave the 'share' section alone, as this is where the Host OS scripts will be stored to share with the Guest OS
[cuckoo1]
name = cuckoo1
username = myWindowsUsername
password = myWindowsPassword
# Please notice that the shared folder name must coincide with the current
# virtual machine id, which is the name you assigned between the square
# brackets (e.g. [cuckoo1]).
share = shares/cuckoo1
Creating Virtual Machine
:: This is where the majority of your problems may occur. Try to follow the instructions in detail.
# mkdir /opt/vms
# virtualbox
:: Under 'File/Preferences' change the Default Virtual Machine Folder to -> '/opt/vms'
Install the Guest OS
:: Make sure you create a VM named 'cuckoo1' running Windows XP (SP3) or Windows 7. Use 256 MB of memory for Windows XP or 1024 MB for Windows 7. For the Hard Drive (HD) parameters, select 'fixed storage' for better performance. The HD size will depend on what you want to install, i.e. the 'vulnerable' applications to use (MS Office, Adobe Reader, etc.)
Please Note: Make sure you create or change your default user account in Windows to match what we configured in the cuckoo.conf file, and change the user account password to match the .conf file as well.
Download Python 2.7 for Guest OS
:: Install Python into the default location C:\Python2.7\
http://www.python.org/getit/releases/2.7/
Disable Guest OS Firewall
:: Go to the Network Adapter Advanced Settings and disable the running Guest OS Windows Firewall
Install VirtualBox Oracle VM VirtualBox Guest Additions
:: Select Devices/Install Guest Additions… (Reboot of OS is required)
Configuring Virtual Machine for Cuckoo Sandbox
Enable Network .PCAP Dump
# mkdir /opt/cuckoo/shares/cuckoo1
# VBoxManage controlvm "cuckoo1" poweroff
# VBoxManage modifyvm "cuckoo1" --nictrace1 on --nictracefile1 /opt/cuckoo/shares/cuckoo1/dump.pcap
Creating Guest OS Shared Folders (to obtain Host OS Python scripts access used by Cuckoo)
# VBoxManage sharedfolder add "cuckoo1" --name "setup" --hostpath "/opt/cuckoo/shares/setup"
# VBoxManage sharedfolder add "cuckoo1" --name "cuckoo1" --hostpath "/opt/cuckoo/shares/cuckoo1"
Installing Guest OS Vulnerable Applications
# VBoxManage startvm "cuckoo1"
Download old versions of applications from http://www.oldapps.com/
:: You may want to consider installing:
Microsoft Office 2003/2007; Adobe Reader 9; Adobe Flash 10; Oracle Java 6; Mozilla Firefox 11;
:: Make sure you disable all auto update features in the OS and Applications
Please Note: Remove any unnecessary registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but leave the 'VirtualBox Guest Additions' key in place
Verify Guest OS shares are accessible to Host OS
:: Start/Run, then type in '\\vboxsvr'. You should see two shares '\\vboxsvr\setup' & '\\vboxsvr\cuckoo1'
Please Note: I found connecting to the shares important. If I didn’t, Cuckoo would quickly close the VM afterwards, without analyzing code.
Verify Guest OS is ready for malware analysis
:: Reboot the Guest OS, log in and leave it running for 5 – 10 minutes.
Make sure:
1) All OS or Application Updates are disabled.
2) All Applications are launched at least once, to accept default Licensing Agreements.
3) The Guest OS Firewall is disabled.
Once you are satisfied that nothing unwanted will pop up or prompt you during the malware analysis stage, continue to the next step.
Create a Guest OS Clean Snapshot
# VBoxManage snapshot "cuckoo1" take "baseImage" --pause
# VBoxManage controlvm "cuckoo1" poweroff
# VBoxManage snapshot "cuckoo1" restorecurrent
Testing Cuckoo Sandbox (for the First Time)
# cd /opt/cuckoo
# ./cuckoo.py
_
____ _ _ ____| | _ ___ ___
/ ___) | | |/ ___) |_/ ) _ \ / _ \
( (___| |_| ( (___| _ ( |_| | |_| |
\____)____/ \____)_| \_)___/ \___/ v0.3.2
www.cuckoobox.org
Copyright (C) 2010-2012
[2012-02-20 18:58:19,311] [Core.Init] INFO: Started.
[2012-02-20 18:58:19,386] [VirtualMachine.Check] INFO: Your VirtualBox version is: "4.1.16", good!
[2012-02-20 18:58:19,387] [Core.Init] INFO: Populating virtual machines pool...
[2012-02-20 18:58:19,390] [VirtualMachine] ERROR: Virtual machine "Cuckoo1" not found: 0x80bb0001 (Could not find a registered machine named 'Cuckoo1')
[2012-02-20 18:58:19,390] [VirtualMachine.Restore] ERROR: No virtual machine handle.
[2012-02-20 18:58:19,390] [VirtualMachine.Infos] ERROR: No virtual machine handle.
[2012-02-20 18:58:19,390] [Core.Init] CRITICAL: None of the virtual machines are available. Please review the errors.
Oops! Seems like my cuckoo.conf has a typo. Make sure your VM name (including case) matches exactly what is in the .conf file. Let's try again:
# ./cuckoo.py
_
____ _ _ ____| | _ ___ ___
/ ___) | | |/ ___) |_/ ) _ \ / _ \
( (___| |_| ( (___| _ ( |_| | |_| |
\____)____/ \____)_| \_)___/ \___/ v0.3.2
www.cuckoobox.org
Copyright (C) 2010-2012
[2012-02-20 19:02:22,059] [Core.Init] INFO: Started.
————————————[ERROR]————————————-
Cuckoo stumbled in an unhandled error!
Before reporting the problem, please run with latest release from the development
Git repository at:
http://github.com/cuckoobox/cuckoo
If the exception persists, please send the following traceback to:
cuckoo@public.honeynet.org
The developers will try to reproduce the bug, fix it and get in touch with you.
———————————-[TRACEBACK]———————————–
Cuckoo version: v0.3.2
Python version: 2.7.3 (default, Jan 20 2012, 22:39:59)
[GCC 4.6.3]
OS: linux2
Command line: ./cuckoo.py
Traceback (most recent call last):
File "./cuckoo.py", line 665, in <module>
if not VirtualMachine().check():
File "/opt/cuckoo/cuckoo/core/virtualbox.py", line 54, in __init__
vbm = vboxapi.VirtualBoxManager(None, None)
File "/usr/local/lib/python2.7/dist-packages/vboxapi/__init__.py", line 513, in __init__
exec "self.platform = Platform"+style+"(platparams)"
File "<string>", line 1, in <module>
File "/usr/local/lib/python2.7/dist-packages/vboxapi/__init__.py", line 349, in __init__
import xpcom.vboxxpcom
ImportError: No module named xpcom.vboxxpcom
——————————————————————————–
Oops! Seems like it is not finding the VirtualBox SDK APIs. Let's put the proper environment variables in.
# vi /etc/environment
Add the following line:
PYTHONPATH="/opt/VirtualBox/:/opt/VirtualBox/sdk/bindings/xpcom/python/"
Close the terminal and re-open it. Let’s try again:
Open a new Terminal (Ctrl-Alt-T)
# su - <Enter root password>
# cd /opt/cuckoo
# ./cuckoo.py
_
____ _ _ ____| | _ ___ ___
/ ___) | | |/ ___) |_/ ) _ \ / _ \
( (___| |_| ( (___| _ ( |_| | |_| |
\____)____/ \____)_| \_)___/ \___/ v0.3.2
www.cuckoobox.org
Copyright (C) 2010-2012
[2012-02-20 19:01:24,894] [Core.Init] INFO: Started.
[2012-02-20 19:01:24,925] [VirtualMachine.Check] INFO: Your VirtualBox version is: "4.1.16", good!
[2012-02-20 19:01:24,926] [Core.Init] INFO: Populating virtual machines pool...
[2012-02-20 19:01:24,996] [VirtualMachine.Restore] INFO: Virtual machine "cuckoo1" successfully restored to current snapshot.
[2012-02-20 19:01:25,441] [VirtualMachine.Infos] INFO: Virtual machine "cuckoo1" information:
[2012-02-20 19:01:25,442] [VirtualMachine.Infos] INFO: \_| Name: cuckoo1
[2012-02-20 19:01:25,442] [VirtualMachine.Infos] INFO: | ID: d959f177-8a5f-4bf5-8e5c-2197fa63aa30
[2012-02-20 19:01:25,443] [VirtualMachine.Infos] INFO: | CPU Count: 1 Core/s
[2012-02-20 19:01:25,443] [VirtualMachine.Infos] INFO: | Memory Size: 256 MB
[2012-02-20 19:01:25,443] [VirtualMachine.Infos] INFO: | VRAM Size: 16 MB
[2012-02-20 19:01:25,443] [VirtualMachine.Infos] INFO: | State: Saved
[2012-02-20 19:01:25,444] [VirtualMachine.Infos] INFO: | Current Snapshot: "baseImage"
[2012-02-20 19:01:25,444] [VirtualMachine.Infos] INFO: | MAC Address: 08:00:01:02:03:04
[2012-02-20 19:01:25,444] [Core.Init] INFO: 1 virtual machine/s added to pool.
[2012-02-20 19:01:25,488] [Database.Init] INFO: Generated database "db/cuckoo.db" which didn't exist before.
Success! No Errors… Let’s continue.
Testing Cuckoo Sandbox w/ Malware
Open a new Terminal (Ctrl-Alt-T)
# su - <Enter root password>
# cd /opt/cuckoo
*** WARNING ***
The next step is considered dangerous. If you do not know what you are doing, it is recommended you DO NOT continue. There are various websites which publish lists of recently discovered malicious URLs, which can be submitted to Cuckoo Sandbox for analysis. If you do not feel comfortable looking for these sites, then search through your mail inbox, as you are bound to have malicious attachments which can be used to test out Cuckoo Sandbox.
*** WARNING ***
Cuckoo Sandbox Submission Utility
:: The easiest way to submit an analysis is to use the provided submit.py command-line utility. The following are some submission examples:
Submit a local binary
# ./submit.py /path/to/binary
Submit a local binary and specify a higher priority
# ./submit.py /path/to/binary --priority 5
Submit a local binary and specify a custom analysis timeout of 60 seconds
# ./submit.py /path/to/binary --timeout 60
Submit a local binary and specify a custom analysis package
# ./submit.py /path/to/binary --package <name of package>
Submit a URL to be downloaded locally and analyzed
# ./submit.py --download http://www.website.tld/file.exe
Submit a URL to be analyzed within Internet Explorer
# ./submit.py --url http://maliciousurl.tld/exploit.php
Submit a local binary to be run on virtual machine cuckoo1
# ./submit.py /path/to/binary --machine cuckoo1
:: If the VM closes very quickly after spawning, it is the result of one of the following:
A) The Guest OS username or password does not match what is in the cuckoo.conf file.
B) You did not manually connect to the \\vboxsvr\setup and \\vboxsvr\cuckoo1 shares to cache the session.
C) Your \\vboxsvr shares are not mapped to the proper Host OS paths (i.e. /opt/cuckoo/shares).
D) Something is not correct in how you enabled your .pcap dump file.
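A pre-flight script for the mismatches above (case-exact VM name, username/password present, share path and host share directory), added here as an example and not part of Cuckoo; it assumes the /opt/cuckoo layout from this guide and Python 3, and embeds a constructed cuckoo.conf and VBoxManage sample that reproduces the "Cuckoo1" vs "cuckoo1" error seen earlier:

```python
# Added pre-flight check (not part of Cuckoo) for the cuckoo.conf/VirtualBox mismatches listed
# above; assumes the v0.3.2 layout from this guide and host shares under /opt/cuckoo/shares/<vm>.
import configparser, os, re, subprocess

CUCKOO_HOME = "/opt/cuckoo"  # assumption: install path used throughout this guide
# Constructed sample input: the VM id in the conf differs from VirtualBox only in case.
SAMPLE_CONF = """[Sniffer]
sniffer = on
[VirtualMachines]
enabled = Cuckoo1
[Cuckoo1]
username = myWindowsUsername
password = myWindowsPassword
share = shares/Cuckoo1
"""
SAMPLE_VMS = '"cuckoo1" {d959f177-8a5f-4bf5-8e5c-2197fa63aa30}\n'

def registered_vms(list_output):
    """Names from `VBoxManage list vms` output, one '"name" {uuid}' per line."""
    return set(re.findall(r'^"([^"]+)"\s+\{', list_output, re.MULTILINE))

def check_config(conf_text, vm_names, share_exists=os.path.isdir):
    """Return the problems found; an empty list means the config matches VirtualBox."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    problems = []
    if cfg.get("Sniffer", "sniffer", fallback="off").lower() != "on":
        problems.append("sniffer is off: no .pcap will be produced")
    lowered = {n.lower(): n for n in vm_names}  # flags case-only mismatches (the error shown above)
    for vm in [v.strip() for v in cfg.get("VirtualMachines", "enabled", fallback="").split(",") if v.strip()]:
        if vm not in vm_names:
            hint = f"; did you mean '{lowered[vm.lower()]}'? (names are case-sensitive)" if vm.lower() in lowered else ""
            problems.append(f"VM '{vm}' is not registered in VirtualBox" + hint)
        if not cfg.has_section(vm):
            problems.append(f"no [{vm}] section in cuckoo.conf")
            continue
        for key in ("username", "password"):
            if not cfg.get(vm, key, fallback=""):
                problems.append(f"[{vm}] {key} is empty; it must match the guest login")
        share = cfg.get(vm, "share", fallback="")
        if share != f"shares/{vm}":
            problems.append(f"[{vm}] share must be shares/{vm}, got '{share}'")
        elif not share_exists(os.path.join(CUCKOO_HOME, share)):
            problems.append(f"host directory {os.path.join(CUCKOO_HOME, share)} does not exist")
    return problems

if __name__ == "__main__":  # live run against the host; VBoxManage must be on PATH
    vms = subprocess.run(["VBoxManage", "list", "vms"], capture_output=True, text=True).stdout
    conf = open(os.path.join(CUCKOO_HOME, "conf", "cuckoo.conf")).read()
    print("\n".join(check_config(conf, registered_vms(vms)) or ["OK: cuckoo.conf matches VirtualBox"]))
```

Run it as root from /opt/cuckoo before ./cuckoo.py; each reported line maps to one of the causes A) to D) above, except the .pcap setting, which this script does not inspect.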
:: You can also enable debug logging to help you out
# vi /opt/cuckoo/conf/cuckoo.conf
[Logging]
# Enable/Disable additional debugging messages. These messages won't be written to
# the log file, only printed on screen. [on/off]
debug = on
Cuckoo Sandbox Malware Results
All the results are kept in the /opt/cuckoo/analysis directory. You can also spawn the Cuckoo Sandbox Web Analyzer, which is very pretty:
# cd /opt/cuckoo
# ./web.pl
:: Now launch Firefox in Ubuntu and go to http://127.0.0.1:8080
That’s it folks! For any other issues, please leave a comment below. If anyone managed to get Cuckoo running in non-root mode, tell me how.