Archive for Tools

Writing C within Ruby

This started off as an internal thread about why C++ just downright sucks. There’s been a whole lot of hoopla around the security vulnerabilities that come with writing C++ code, specifically to do with delete and delete[]. I frankly think C++ for a large-scale project is a big mistake.

Full Post »

Diffie-Hellman in Ruby

I looked around and couldn’t find a pure-Ruby implementation of Diffie-Hellman key exchange. Diffie-Hellman key exchange is a nifty way for Alice and Bob to end up with the same shared secret without ever sending the secret key to the other side. It’s used in ISAKMP, SSH and a host of other crypto-based protocols. The code for Diffie-Hellman in Ruby is unbelievably terse, to the point where you wonder whether you actually got it working right. Two things come in handy: Ruby has open classes that you can extend, and Ruby has built-in Bignum support. Integers don’t overflow in Ruby; they just keep expanding.

Full Post »

Wireshark patch for MMS support

We have created a patch for Wireshark that allows it to dissect MMS (Manufacturing Messaging Specification) PDUs when they are transported directly over COTP/TPKT. Previously, Wireshark only dissected the protocol when the OSI session and presentation layers were present. This patch registers an MMS heuristic dissector on COTP. Be sure to enable ‘Try heuristic sub-dissectors first’ in the TCP preferences, as well as fragment reassembly for TPKT and COTP.

USAGE:

The patch was submitted to Wireshark and has been added to trunk (with some small changes made by the Wireshark team). You can either download the latest development release from Wireshark (recommended) or download the latest stable release and apply the patch.

download mms_patch.txt

Tomahawk patch for routed network testing

We have added some options to the Tomahawk network testing tool that allow it to test across routed networks.

Consider the following topology (A1 and A2 are network interfaces on a box running Tomahawk):

[A1] +----------+
                |
                | ip  = 192.168.1.254
                | mac = aa:aa:aa:aa:aa:aa
                |
             [ DUT ]
                |
                | mac = bb:bb:bb:bb:bb:bb
                | ip  = 10.0.0.1
                |
[A2] +----------+

When replaying an IP conversation, packets coming from A1 destined for A2 must carry a destination IP address within the subnet that contains A2 (10.0.0.0) and a destination MAC address of the router’s interface that sits on the same network as A1 (aa:aa:aa:aa:aa:aa). Otherwise the DUT will not forward them.

We have added four options to Tomahawk to enable testing in this scenario. In the descriptions below, “client” and “server” refer to the interfaces specified by the -I and -J Tomahawk options respectively (and the examples assume “-I A1 -J A2”).

-x — Client-side MAC address of the router (aa:aa:aa:aa:aa:aa)
-y — Server-side MAC address of the router (bb:bb:bb:bb:bb:bb)
-X — Client-side subnet (192.168.0.0)
-Y — Server-side subnet (10.0.0.0)

The -X and -Y options use only the two most significant bytes of the given subnet when rewriting the packets’ IP addresses; the lower two bytes of each address are left as they were in the capture.

USAGE:

Apply patch and build:

download tomahawk
download tomahawk.patch
tar -xvf tomahawk1.1.tar
cd tomahawk1.1
patch -p1 < ../tomahawk_patch.txt
Then build Tomahawk as normal.

Example:

tomahawk -i eth0 -j eth1 -x aa:aa:aa:aa:aa:aa -y bb:bb:bb:bb:bb:bb -X 10.0.0.0 -Y 192.168.0.0 -l 1 -f test.pcap

Code coverage and fuzzing

In previous blogs, I’ve talked about using code coverage as one metric for assessing the effectiveness of fuzzing. While protocol specifications and application definitions can be used to drive fuzzing, the interdependencies of fields and messages within protocols, including state, are not always obvious. For example, when looking at the telnetd source, it’s pretty obvious that you need to send 4 or 5 primary telnet options before the server will enter its main loop. Or the fact that, no matter what you do with the XDISPLAYLOC telnet option, you are wasting time, since the server simply passes it to setenv.

Full Post »

ruby, dup2 and rinetd

When you are attacking an xinetd-based process model, there’s no reliable way to know whether the child process seg-faulted. The accepting socket is always alive, and GDB’s follow-fork-mode doesn’t quite help us here, since child processes are being spawned and killed all the time.

Full Post »

Proxies, procs and yield

First, the definition: proxies are objects that masquerade as some other object contained within them, effectively intercepting all messages sent to the contained object. Proxies are used in multiple places, such as debugging, tracing, intercepted delegation and benchmarking. But those problems have already been solved. This post is not about that.

Full Post »

Enums, strings and laziness

If you look at the glibc code for converting errno #defines to strings for the purposes of perror, it’s a massive array that builds all the strings at compile time.

The biggest drawback of this approach is that the #define and the corresponding friendly string are defined and reconciled in two different places. If someone updates the header file to add a new errno, s/he has to remember to also update this other place so that perror works as expected. I’m using errno as an example, but this is a common problem when writing code in C or C++. The problem is exacerbated when certain enums are conditional (based on the operating system, CPU type and so on), because those checks then need to be duplicated in multiple places. Ugliness.

Full Post »