“Greyhat Ruby”Ruby for Reverse Engineers, Vulnerability Researchers, and Infosec Professionals

SourceBoston April 2011

Stephen A. RidleyIndependent Security Researcher &

Director of Information Security (Financial Services Firm)@s7ephen

stephen@sa7ori.orghttp://www.dontstuffbeansupyournose.com

Who Am I?• Currently: Independent Security Researcher and Director of Information

Security at Financial Services Firm

• Previously: Senior Consultant at Matasano

• Senior Security Architect at McAfee and founding member of Security Architecture Group

• Researcher at major U.S. Defense contractor directly supporting U.S. Defense and Intelligence communities in realm of software exploitation and software reverse engineering

• Columnist for/interviewed by IT magazines (Wired, Ping!, Washington Post)

• Speaker at Blackhat, ReCON, EuSecWest, PacSec, SysCan, etc.

• Founding member of Kenshoto DefCon CTF organizer

• http://www.dontstuffbeansupyournose.com

• Guest Lecturer/Instructor (New York University, Netherlands Forensics Institute, Department of Defense, Google, et al)

What am I talking about?•Why use Ruby? : 12 Reasons for C and Python Coders

•“Interactive Coding” with Ruby (some neat tricks)

• Interfacing with the Real World

•Using Ruby to “make your own language”

•Ruxxer2 Fuzzing Framework: A Case Study

• Total Browser automation (3 major browsers on 3 major OSes)

• Distributed Programming with Ruby (Building a Fuzz Farm)

• A completely custom “Domain Specific Language” for protocols

Why use Ruby?

Twelve Good Reasons for C/C++/Python coders.

Ruby’s Equally Useful Interactive Interpreter

•Many use Python’s Interactive Interpreter as “Suisse Army Knife” for everything from calculator to ascii chart:

Ruby’s Equally Useful Interactive Interpreter

•Simple Hex Calculator

Ruby’s Equally Useful Interactive Interpreter

•URL Encode strings

Ruby’s Equally Useful Interactive Interpreter

•Other useful day-to-day string encoding/decoding

Ruby has real case/switch statements

•No more HUGE cumbersome pages of if/then/break statements like in Python

Ruby has C-style ternary statements

Ruby has “public” and “private” namespace.

Ruby (like C++ and Java) let’s you define classes in “pieces”.

•In Python you have to do it in one contiguous stretch of code so class definitions have to live in same file.

• In Ruby you can edit a class definition piecemeal.

Ruby has a “container” class that lets you control your namespace

•Modules act like “directories” for classes, methods, and variables... allowing you to flexibly organize your own namespace as you wish.

Ruby doesn’t automatically make a namespace for an

“included” file.

In Ruby doesn’t automatically make a namespace for an

“included” file.

•Allows you to control your own namespace

•No more namespace collisions from module imports!

A Better “sprintf”.

•No more fumbling with awkwardly long “%” output lines

Ruby has strong OOP paradigm and convenient “getter/setter” syntax

•The intuitive way to create a getter/setter

Ruby has strong OOP paradigm and convenient “getter/setter” syntax

•The Ruby convenience way: attr_accessor

•creates instance variable, getter and setter of same name

Modify Ruby Class definitions “on the fly” without cumbersome

“get_attr”/”set_attr”•Called EigenClasses, each object instance carries

around the class definition that created it.

•Each person is physically unique with a unique personality.

• In Ruby each Object instance is a “person” with its own unique eigenclass “personality”.

• In Python every Object instance is unique but all based on a single “personality” class.

•https://gist.github.com/864773

Ruby has “blocks” and “anonymous functions”.

•The basis of “functional programming”.

• I didn’t see the usefulness of “blocks” until I started thinking of them as shellcode that gets executed in the context of another method/class/object/etc.

Lots of other neat things: __END__

• Tells the interpreter to “ignore everything after”.

• Allows you to embed anything in your single script: SQLLite databases, binary blobs, zip files, etc.

Lots of other neat things: “send()”

•Like an “eval” that happens within the context of a class.

•This is virtually impossible in Python without some very clever use of the “code” module.

Interactive Coding:some neat tricks

Build CLI tools•Python’s CMD module

makes building fancy CLIs extremely simple

•Nestable to make Cisco IOS-style clis

•Over the years built many toolkits around this:

• Most recently: http://s7ephen.github.com/SandKit

Ruby has many ways to build interactive CLIs.

PDB: Tinkering under the hood while you drive the car...

PDB: Tinkering under the hood while you drive the car...•With “pdb.set_trace()” you get dropped into a

interactive debugger session wherever set_trace was inserted.

Tinkering under the hood while you drive the car...

•Ruby permits this several ways: IRB

Tinkering under the hood while you drive the car...

•Ruby permits this several ways: IRB

Tinkering under the hood while you drive the car...

•Ruby permits this several ways: ruby-debug

Interfacing with the Real World

HTTP and Socket stuff (simple and easy)

Using compiled shared objects/libraries/DLLs

•Ruby DL is like CTypes for Python

Ruby DL is good, but FFI is better.

Using compiled shared objects/libraries/DLLs

•Using these foreign library interfaces VERY powerful tools can be built

•They are the basis for many of the following tools

Some useful RubyDL/Ruby FFI basedtools:

Debuggers and HitTracers

•Ragweed (https://github.com/tduehr/ragweed): A scriptable debugger for OSX, Win32, & Linux

•https://github.com/emonti/dnet-ffi

•Aims to be “the Vdb of Ruby” (https://www.kenshoto.com/wiki/index.php/Vdb)

•Nerve (https://github.com/struct/Nerve) A Ruby based hittracer

Some useful RubyDL/Ruby FFI basedtools:

•LibDNet for Ruby: https://github.com/emonti/dnet-ffi

•Frasm: https://github.com/struct/frasm Ruby interface to DiStorm disassembly libraries

IDA interface: IDARub

•Spoonm’s IDA SDK interface (SDK only, no IDC support)

•Useful but not actively maintained.

JRuby and Java RMI•Like many other languages, Ruby was ported to sit on top of the Java Runtime.

•Pentesters will find this useful for interfacing with expose Java RMI interfaces:

http://chargen.matasano.com/chargen/2009/2/6/ruby-for-pen-testers-jruby.html

Ruby and Burp (Buby)•Access “Burp” from Ruby! (http://emonti.github.com/buby/)

•Build scripts to help you automate web-pentesting!

Ruby and Burp (Buby)

Usage

Automated HTTPVerb Tampering

Win32OLE/Win32API/RubyDL: Using Ruby to “script” GUI interactions

via User32

[There was embedded video here in the presentation]

You can view that video here:

http://www.youtube.com/user/dontstuffbeansupyour#p/a/u/0/j1Xb5s75pko

Win32OLE/Win32API/RubyDL: Using Ruby to “script” GUI interactions

via User32

https://github.com/s7ephen/Tamatebako/blob/master/user32.rb

Browser Automation

Browser Automation with Watir

•Instrument all the major browsers like marionettes

•Firefox, IE, Safari (partially Chrome and Opera)

•Used for QA by Facebook, Expedia, Yahoo, etc.

•Do anything a user can do.

• Input data in forms and submit it.

•Look for responses in text

•Click radio-buttons and checkboxes

Browser Automation

Distributed Code with Drb (or Rinda)

•Drb is more “RMI” than task scheduling and distribution: Lightweight and bundled with the runtime

Easy-To-Read CLI views via Hirb (example: TreeViews)

•Hirb module has many helpers to do things like create CLI based tables and treeviews. Dead simple, incredibly useful!

Brainlessly easy Data Visualizations using The Jit

•Takes a JSON blob representing your data structure as input and generates html with fancy visualizations

http://thejit.org

Write your own “language” in Ruby:Domain Specific Languages (DSL)

Why do it?•Write in a more natural and intuitive language

•Not forced to think in abstract “block”s and “primitives”.

• In 2007 released Ruxxer at PacSec which was a Python fuzzing framework with it’s own “language” (DSL).

•Language grammar written using Python Lex-Yacc

•Became difficult to maintain. Too costly for its benefit

How Ruxxer was architected:

Ruxxer 1.0 (Python)•Early Python versions of Ruxxer available:

•Advanced Combinatorics for test case generation

•Slides: https://github.com/s7ephen/Ruxxer/tree/master/presentations

https://github.com/s7ephen/Ruxxer

How Ruxxer code looked: #declarations long typeop; long_lc pkt_len; #byte length calculator string dgram; structure tlv_packet; #assignments typeop = 0x0D030A0D; pkt_len = tlv_packet; dgram = “This is userdata\r\m” push(tlv_packet, typeop, pkt_len, dgram);

Ruby metaprogramming guide

http://www.slideshare.net/d0cs4vage/ruby-meta-fuzzing

•There are many online tutorials and guides for “metaprogramming” with Ruby.

•For using metaprogramming to create fuzzers see Nephi Johnson’s “Less Dumb Fuzzing and Ruby Metaprogramming”

•For an implementation see Matasano Ruckus:https://github.com/tqbf/ruckus

With a DSL protocol definitions are more concise, easier to

write, and intuitive.

Ruxxer 2.0? (Ruby)•Ruby DSL for concisely describing protocols with

something closer to what you see in a .h

•Advanced Combinatorics for automated data mutation (like Ruxxer 1.0).

•Distributed: Fuzzing “server” controls target VMs via Drb based agents (“drones). Drones have:

• Complete browser control via Watir

• Process exception monitoring via RubyFFI/Win32OLE Dbgeng/Dbghelp bindings.

• Protocol definition visualizations using Hirb and The Jit!

“Greyhat Ruby”

More detail, code, and examples:http://www.dontstuffbeansupyournose.com

Twitter: @s7ephenstephen@sa7ori.org

THANKS FOR LISTENING!!!!!