View
2.565
Download
2
Category
Preview:
DESCRIPTION
Citation preview
“Greyhat Ruby”Ruby for Reverse Engineers, Vulnerability Researchers, and Infosec Professionals
SourceBoston April 2011
Stephen A. RidleyIndependent Security Researcher &
Director of Information Security (Financial Services Firm)@s7ephen
stephen@sa7ori.orghttp://www.dontstuffbeansupyournose.com
Who Am I?• Currently: Independent Security Researcher and Director of Information
Security at Financial Services Firm
• Previously: Senior Consultant at Matasano
• Senior Security Architect at McAfee and founding member of Security Architecture Group
• Researcher at major U.S. Defense contractor directly supporting U.S. Defense and Intelligence communities in realm of software exploitation and software reverse engineering
• Columnist for/interviewed by IT magazines (Wired, Ping!, Washington Post)
• Speaker at Blackhat, ReCON, EuSecWest, PacSec, SysCan, etc.
• Founding member of Kenshoto DefCon CTF organizer
• http://www.dontstuffbeansupyournose.com
• Guest Lecturer/Instructor (New York University, Netherlands Forensics Institute, Department of Defense, Google, et al)
What am I talking about?•Why use Ruby? : 12 Reasons for C and Python Coders
•“Interactive Coding” with Ruby (some neat tricks)
• Interfacing with the Real World
•Using Ruby to “make your own language”
•Ruxxer2 Fuzzing Framework: A Case Study
• Total Browser automation (3 major browsers on 3 major OSes)
• Distributed Programming with Ruby (Building a Fuzz Farm)
• A completely custom “Domain Specific Language” for protocols
Why use Ruby?
Twelve Good Reasons for C/C++/Python coders.
Ruby’s Equally Useful Interactive Interpreter
•Many use Python’s Interactive Interpreter as “Suisse Army Knife” for everything from calculator to ascii chart:
Ruby’s Equally Useful Interactive Interpreter
•Simple Hex Calculator
Ruby’s Equally Useful Interactive Interpreter
•URL Encode strings
Ruby’s Equally Useful Interactive Interpreter
•Other useful day-to-day string encoding/decoding
Ruby has real case/switch statements
•No more HUGE cumbersome pages of if/then/break statements like in Python
Ruby has C-style ternary statements
Ruby has “public” and “private” namespace.
Ruby (like C++ and Java) let’s you define classes in “pieces”.
•In Python you have to do it in one contiguous stretch of code so class definitions have to live in same file.
• In Ruby you can edit a class definition piecemeal.
Ruby has a “container” class that lets you control your namespace
•Modules act like “directories” for classes, methods, and variables... allowing you to flexibly organize your own namespace as you wish.
Ruby doesn’t automatically make a namespace for an
“included” file.
In Ruby doesn’t automatically make a namespace for an
“included” file.
•Allows you to control your own namespace
•No more namespace collisions from module imports!
A Better “sprintf”.
•No more fumbling with awkwardly long “%” output lines
Ruby has strong OOP paradigm and convenient “getter/setter” syntax
•The intuitive way to create a getter/setter
Ruby has strong OOP paradigm and convenient “getter/setter” syntax
•The Ruby convenience way: attr_accessor
•creates instance variable, getter and setter of same name
Modify Ruby Class definitions “on the fly” without cumbersome
“get_attr”/”set_attr”•Called EigenClasses, each object instance carries
around the class definition that created it.
•Each person is physically unique with a unique personality.
• In Ruby each Object instance is a “person” with its own unique eigenclass “personality”.
• In Python every Object instance is unique but all based on a single “personality” class.
•https://gist.github.com/864773
Ruby has “blocks” and “anonymous functions”.
•The basis of “functional programming”.
• I didn’t see the usefulness of “blocks” until I started thinking of them as shellcode that gets executed in the context of another method/class/object/etc.
Lots of other neat things: __END__
• Tells the interpreter to “ignore everything after”.
• Allows you to embed anything in your single script: SQLLite databases, binary blobs, zip files, etc.
Lots of other neat things: “send()”
•Like an “eval” that happens within the context of a class.
•This is virtually impossible in Python without some very clever use of the “code” module.
Interactive Coding:some neat tricks
Build CLI tools•Python’s CMD module
makes building fancy CLIs extremely simple
•Nestable to make Cisco IOS-style clis
•Over the years built many toolkits around this:
• Most recently: http://s7ephen.github.com/SandKit
Ruby has many ways to build interactive CLIs.
PDB: Tinkering under the hood while you drive the car...
PDB: Tinkering under the hood while you drive the car...•With “pdb.set_trace()” you get dropped into a
interactive debugger session wherever set_trace was inserted.
Tinkering under the hood while you drive the car...
•Ruby permits this several ways: IRB
Tinkering under the hood while you drive the car...
•Ruby permits this several ways: IRB
Tinkering under the hood while you drive the car...
•Ruby permits this several ways: ruby-debug
Interfacing with the Real World
HTTP and Socket stuff (simple and easy)
Using compiled shared objects/libraries/DLLs
•Ruby DL is like CTypes for Python
Ruby DL is good, but FFI is better.
Using compiled shared objects/libraries/DLLs
•Using these foreign library interfaces VERY powerful tools can be built
•They are the basis for many of the following tools
Some useful RubyDL/Ruby FFI basedtools:
Debuggers and HitTracers
•Ragweed (https://github.com/tduehr/ragweed): A scriptable debugger for OSX, Win32, & Linux
•https://github.com/emonti/dnet-ffi
•Aims to be “the Vdb of Ruby” (https://www.kenshoto.com/wiki/index.php/Vdb)
•Nerve (https://github.com/struct/Nerve) A Ruby based hittracer
Some useful RubyDL/Ruby FFI basedtools:
•LibDNet for Ruby: https://github.com/emonti/dnet-ffi
•Frasm: https://github.com/struct/frasm Ruby interface to DiStorm disassembly libraries
IDA interface: IDARub
•Spoonm’s IDA SDK interface (SDK only, no IDC support)
•Useful but not actively maintained.
JRuby and Java RMI•Like many other languages, Ruby was ported to sit on top of the Java Runtime.
•Pentesters will find this useful for interfacing with expose Java RMI interfaces:
http://chargen.matasano.com/chargen/2009/2/6/ruby-for-pen-testers-jruby.html
Ruby and Burp (Buby)•Access “Burp” from Ruby! (http://emonti.github.com/buby/)
•Build scripts to help you automate web-pentesting!
Ruby and Burp (Buby)
Usage
Automated HTTPVerb Tampering
Win32OLE/Win32API/RubyDL: Using Ruby to “script” GUI interactions
via User32
[There was embedded video here in the presentation]
You can view that video here:
http://www.youtube.com/user/dontstuffbeansupyour#p/a/u/0/j1Xb5s75pko
Win32OLE/Win32API/RubyDL: Using Ruby to “script” GUI interactions
via User32
https://github.com/s7ephen/Tamatebako/blob/master/user32.rb
Browser Automation
Browser Automation with Watir
•Instrument all the major browsers like marionettes
•Firefox, IE, Safari (partially Chrome and Opera)
•Used for QA by Facebook, Expedia, Yahoo, etc.
•Do anything a user can do.
• Input data in forms and submit it.
•Look for responses in text
•Click radio-buttons and checkboxes
Browser Automation
Distributed Code with Drb (or Rinda)
•Drb is more “RMI” than task scheduling and distribution: Lightweight and bundled with the runtime
Easy-To-Read CLI views via Hirb (example: TreeViews)
•Hirb module has many helpers to do things like create CLI based tables and treeviews. Dead simple, incredibly useful!
Brainlessly easy Data Visualizations using The Jit
•Takes a JSON blob representing your data structure as input and generates html with fancy visualizations
http://thejit.org
Write your own “language” in Ruby:Domain Specific Languages (DSL)
Why do it?•Write in a more natural and intuitive language
•Not forced to think in abstract “block”s and “primitives”.
• In 2007 released Ruxxer at PacSec which was a Python fuzzing framework with it’s own “language” (DSL).
•Language grammar written using Python Lex-Yacc
•Became difficult to maintain. Too costly for its benefit
How Ruxxer was architected:
Ruxxer 1.0 (Python)•Early Python versions of Ruxxer available:
•Advanced Combinatorics for test case generation
•Slides: https://github.com/s7ephen/Ruxxer/tree/master/presentations
https://github.com/s7ephen/Ruxxer
How Ruxxer code looked: #declarations long typeop; long_lc pkt_len; #byte length calculator string dgram; structure tlv_packet; #assignments typeop = 0x0D030A0D; pkt_len = tlv_packet; dgram = “This is userdata\r\m” push(tlv_packet, typeop, pkt_len, dgram);
Ruby metaprogramming guide
http://www.slideshare.net/d0cs4vage/ruby-meta-fuzzing
•There are many online tutorials and guides for “metaprogramming” with Ruby.
•For using metaprogramming to create fuzzers see Nephi Johnson’s “Less Dumb Fuzzing and Ruby Metaprogramming”
•For an implementation see Matasano Ruckus:https://github.com/tqbf/ruckus
With a DSL protocol definitions are more concise, easier to
write, and intuitive.
Ruxxer 2.0? (Ruby)•Ruby DSL for concisely describing protocols with
something closer to what you see in a .h
•Advanced Combinatorics for automated data mutation (like Ruxxer 1.0).
•Distributed: Fuzzing “server” controls target VMs via Drb based agents (“drones). Drones have:
• Complete browser control via Watir
• Process exception monitoring via RubyFFI/Win32OLE Dbgeng/Dbghelp bindings.
• Protocol definition visualizations using Hirb and The Jit!
“Greyhat Ruby”
More detail, code, and examples:http://www.dontstuffbeansupyournose.com
Twitter: @s7ephenstephen@sa7ori.org
THANKS FOR LISTENING!!!!!
Recommended