RubyGuides
Share this post!

All posts by Jesus Castello

Ruby tracing – A useful debugging tool

Tracing is following all the steps taken by a program, specially function calls/methods, this can be a useful debugging tool when tracking down some problems with your application.

In Ruby we have a tracing tool built-in, we can invoke it with ruby -rtracer script.rb but as you can see here it’s not easy to tell what’s going on:

What we can do is implement our own tracer and format the output to our liking, for this Ruby provides us with the set_trace_func method, we setup our tracing by giving this method a proc that will be called for each tracing event.

Here is a summary of what each argument means:

  • event, this is whats happening in this step of execution, it can be one of the following: “c-return”, “end”, “return”, “c-call”, “line”, “call”, “class”
  • file, this is the file where the event happens
  • line, the line number
  • id, this is the method name we are in
  • binding, the current scope where we are running
  • classname, this one doesn’t need much explanation 🙂

I have made a gem that implements this and focuses on ruby method calls:

You can call it with just “st my_script.rb” and this is how it looks:

ruby tracing

Wireshark: Auto-start capturing

Most of the time when you open wireshark you will want to start capturing right away. You can pass some flags to wireshark so it starts capturing as soon as it opens. The option for this is -k but you also need to choose and interface to capture from, in Linux you can see your interfaces with ifconfig or ip show addr (shortcut: ip a) and edit your menu entry or panel launcher like this:

wireshark

And with that you should be good to go. For windows interface names are a bit more involved, you can list them using wireshark -D, in my case it looks like this:

The part that you need has this format: DeviceNPF_{0F09D25E-33C7-493D-9CB9-8E9B3433439B}  
So now you can modify your shortcut:

"C:\Program FilesWiresharkwireshark.exe" -k -i "DeviceNPF_{0F09D25E-33C7-493D-9CB9-8E9B3433439B}"

Finally, remember that when you update wireshark the shortcut will be removed, so you may want to rename it to avoid this.

Squashing spaces

If we want to remove extra spaces in a text like this:

You could be tempted to use sed, but there is a simpler way using tr

And we end up with:

With tr you can also delete characters instead of compressing them. Let’s say we wanted to get rid of the vowels.

We get:

Variables with Awk

Awk comes with some predefined variables, like NF for number of fields or OFS for field separator. If you wanna know more about these ‘man awk’ and search for ‘Built-in Variables’. In this post we are going to talk about using your own variables just like in any other programming language. If you are new to awk start here: http://www.blackbytes.info/2012/01/intro-to-awk/

Awk variables example

If we want to find the biggest number in a file we could do something like this:

There is a few interesting things in this line. To start with we don’t need to declare our variable which is cool, but what I want you to pay attention to is that variables in awk don’t have a leading $, neither when assigning or accessing the value, this may be a bit confusing if you are used to do bash scripting. Here the leading $ always references fields so if you used $max instead it wouldn’t work as expected.

Then there is this END statement, which allows us to execute some code after all the lines of input have been processed. There is also a BEGIN statement which does exactly what you would expect.

Finally here is an Awk reference card you may find useful: http://www.catonmat.net/download/awk.cheat.sheet.pdf

Analysis of a backdoored Web shell

I frequent the elearnsecurity student forums, an one of the common questions is about webshells and it ends up with a link to backdoored scripts. Here is my quick analysis of one of them.

I start downloading our target and open it with a text editor, and what I see is immediately suspicious: the code is all packed on one line and what seems to be base64 encoding, scrolling all the way to the end confirms this:

malware analysis

Time to reach for some base64 tool. In this case I used:
http://www.opinionatedgeek.com/dotnet/tools/base64decode/

Clicking on “Decode safely as text” will get us the decoded script. Now I paste this into my text editor for syntax highlighting and skimmed over the code to see if something stood out. First thing I noticed is it seemed that no further obfuscation has been done in this code other than a few blobs of base64 that seem to be some images and a bind shell script in perl. By the end of the file something got my attention; a script tag loading some js code from the site this was downloaded from.

A wget later we get this:

Well, looks like we found what we where looking for! This is loaded when you use the shell. And what it does is create an invisible image that request a script from the malicious domain sending our current url, this means that these guys are getting reported of websites that have been compromised using their shell so they can use it to get access and do whatever they please without any effort. I think I don’t need to tell you how bad this would be if this happens to be a pentesting client.