Sunday, August 28, 2016

Running WPScan on Cygwin

Interesting. It's been 5 years since I last posted anything on this blog; how time flies.


Anyway, my buddy MY and I recently had to run WPScan to test some WordPress sites, but we were not able to load Kali VMs on our Windows machines due to some constraints. So we had to improvise, and tried running WPScan on Windows under Cygwin. It was not pretty, and it took a lot of googling, troubleshooting and Ruby gem debugging before we could get WPScan to run properly.
We decided to publish our troubleshooting steps and the error messages, in the hope that this helps other pentesters.

MY and I solved the issue pretty much the same way, but he did it with Cygwin x64, while I did my testing on Cygwin x86; so the steps to fix the issue are virtually identical. The steps listed below are from my testing with Cygwin x86.


First, we assume that you have already installed Ruby and curl on Cygwin.

Ruby version:

pentester@mytester /cygdrive/c/test/wpscan-master
$ ruby --version
ruby 2.2.5p319 (2016-04-26 revision 54774) [i386-cygwin]

My username is "pentester", so you need to modify the directory path appropriately later on. I downloaded WPScan as a ZIP archive from https://github.com/wpscanteam/wpscan and expanded it in the C:\test directory.

Problem 1 appeared as soon as we tried to run WPScan.

pentester@mytester /cygdrive/c/test/wpscan-master
$ ruby wpscan.rb
[ERROR] cannot load such file -- bundler/setup


1) OK. Classic dependency issues. Let's install bundler to help solve the problem.

pentester@mytester /cygdrive/c/test/wpscan-master
$ gem install bundler
Fetching: bundler-1.12.5.gem (100%)
Successfully installed bundler-1.12.5
Parsing documentation for bundler-1.12.5
Installing ri documentation for bundler-1.12.5
Done installing documentation for bundler after 12 seconds
1 gem installed


2) Let's see what the missing dependencies are.

pentester@mytester /cygdrive/c/test/wpscan-master
$ ruby wpscan.rb
Could not find gem 'typhoeus (>= 1.0.0)' in any of the gem sources listed in your Gemfile or available on this machine.
Run `bundle install` to install missing gems.

pentester@mytester /cygdrive/c/test/wpscan-master


3) Let's use bundler to help solve the problem. Note that in the default Cygwin environment, gems are installed under your user's home directory, so the bundle executable is at ~/bin/bundle rather than on your PATH.

pentester@mytester /cygdrive/c/test/wpscan-master
$ ~/bin/bundle install
Fetching gem metadata from https://rubygems.org/
Fetching version metadata from https://rubygems.org/
Resolving dependencies...
Installing addressable 2.4.0
Installing safe_yaml 1.0.4
Installing diff-lcs 1.2.5
Installing docile 1.1.5
Installing ffi 1.9.14 with native extensions

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    /usr/bin/ruby.exe -r ./siteconf20160826-1832-1qlwdrs.rb extconf.rb
checking for ffi.h... *** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers.  Check the mkmf.log file for more details.  You may
need configuration options.

Provided configuration options:
        --with-opt-dir
        --without-opt-dir
        --with-opt-include
        --without-opt-include=${opt-dir}/include
        --with-opt-lib
        --without-opt-lib=${opt-dir}/lib
        --with-make-prog
        --without-make-prog
        --srcdir=.
        --curdir
        --ruby=/usr/bin/$(RUBY_BASE_NAME)
        --with-ffi_c-dir
        --without-ffi_c-dir
        --with-ffi_c-include
        --without-ffi_c-include=${ffi_c-dir}/include
        --with-ffi_c-lib
        --without-ffi_c-lib=${ffi_c-dir}/lib
        --with-libffi-config
        --without-libffi-config
        --with-pkg-config
        --without-pkg-config
/usr/share/ruby/2.2.0/mkmf.rb:456:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
        from /usr/share/ruby/2.2.0/mkmf.rb:587:in `try_cpp'
        from /usr/share/ruby/2.2.0/mkmf.rb:1060:in `block in have_header'
        from /usr/share/ruby/2.2.0/mkmf.rb:911:in `block in checking_for'
        from /usr/share/ruby/2.2.0/mkmf.rb:351:in `block (2 levels) in postpone'
        from /usr/share/ruby/2.2.0/mkmf.rb:321:in `open'
        from /usr/share/ruby/2.2.0/mkmf.rb:351:in `block in postpone'
        from /usr/share/ruby/2.2.0/mkmf.rb:321:in `open'
        from /usr/share/ruby/2.2.0/mkmf.rb:347:in `postpone'
        from /usr/share/ruby/2.2.0/mkmf.rb:910:in `checking_for'
        from /usr/share/ruby/2.2.0/mkmf.rb:1059:in `have_header'
        from extconf.rb:16:in `'
extconf failed, exit code 1

Gem files will remain installed in /home/pentester/.gem/ruby/gems/ffi-1.9.14 for inspection.
Results logged to /home/pentester/.gem/ruby/extensions/x86-cygwin/ffi-1.9.14/gem_make.out
Installing hashdiff 0.3.0
Installing json 2.0.2 with native extensions

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    /usr/bin/ruby.exe -r ./siteconf20160826-1832-15plk7k.rb extconf.rb
creating Makefile
make "DESTDIR=" clean
rm -f
rm -f generator.so *.o *.bak mkmf.log .*.time
make "DESTDIR="
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -DJSON_GENERATOR -ggdb -O2 -pipe -Wimplicit-function-declaration -o generator.o -c generator.c
rm -f generator.so
gcc -shared -o generator.so generator.o -L. -L/usr/lib -L. -fstack-protector -Wl,--export-all-symbols -Wl,--enable-auto-image-base,--enable-auto-import -lruby220 -lpthread -lgmp -ldl -lcrypt
/usr/lib/gcc/i686-pc-cygwin/4.9.3/../../../../i686-pc-cygwin/bin/ld: cannot find -lgmp
collect2: error: ld returned 1 exit status
Makefile:254: recipe for target 'generator.so' failed
make: *** [generator.so] Error 1

make failed, exit code 2

Gem files will remain installed in /home/pentester/.gem/ruby/gems/json-2.0.2 for inspection.
Results logged to /home/pentester/.gem/ruby/extensions/x86-cygwin/json-2.0.2/gem_make.out
Installing mini_portile2 2.1.0
Installing pkg-config 1.1.7
Installing rspec-support 3.5.0
Installing ruby-progressbar 1.8.1
Installing simplecov-html 0.10.0
Installing terminal-table 1.6.0
Installing yajl-ruby 1.2.1 with native extensions

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.

    /usr/bin/ruby.exe -r ./siteconf20160826-1832-1kwy2vo.rb extconf.rb
creating Makefile
make "DESTDIR=" clean
rm -f
rm -f yajl.so *.o *.bak mkmf.log .*.time
make "DESTDIR="
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl.o -c yajl.c
yajl.c: In function ‘yajl_status_to_string’:
yajl.c:61:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl.c: In function ‘yajl_alloc’:
yajl.c:105:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl.c: In function ‘yajl_reset_parser’:
yajl.c:110:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl.c: In function ‘yajl_free’:
yajl.c:119:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl.c: In function ‘yajl_parse’:
yajl.c:128:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl.c: In function ‘yajl_parse_complete’:
yajl.c:140:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl.c: In function ‘yajl_get_error’:
yajl.c:147:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl.c: In function ‘yajl_get_bytes_consumed’:
yajl.c:154:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl.c: In function ‘yajl_free_error’:
yajl.c:162:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl_alloc.o -c yajl_alloc.c
yajl_alloc.c: In function ‘yajl_set_default_alloc_funcs’:
yajl_alloc.c:64:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl_buf.o -c yajl_buf.c
yajl_buf.c: In function ‘yajl_buf_alloc’:
yajl_buf.c:78:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_buf.c: In function ‘yajl_buf_free’:
yajl_buf.c:85:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_buf.c: In function ‘yajl_buf_append’:
yajl_buf.c:96:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_buf.c: In function ‘yajl_buf_clear’:
yajl_buf.c:102:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_buf.c: In function ‘yajl_buf_data’:
yajl_buf.c:107:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_buf.c: In function ‘yajl_buf_len’:
yajl_buf.c:112:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_buf.c: In function ‘yajl_buf_truncate’:
yajl_buf.c:119:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl_encode.o -c yajl_encode.c
yajl_encode.c: In function ‘yajl_string_encode2’:
yajl_encode.c:99:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_encode.c: In function ‘yajl_string_encode’:
yajl_encode.c:52:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_encode.c: In function ‘yajl_string_decode’:
yajl_encode.c:201:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl_ext.o -c yajl_ext.c
yajl_ext.c: In function ‘rb_yajl_parser_parse’:
yajl_ext.c:471:17: warning: variable ‘stat’ set but not used [-Wunused-but-set-variable]
     yajl_status stat;
                 ^
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl_gen.o -c yajl_gen.c
yajl_gen.c: In function ‘yajl_gen_alloc2’:
yajl_gen.c:132:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_alloc’:
yajl_gen.c:71:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_free’:
yajl_gen.c:139:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_integer’:
yajl_gen.c:211:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_double’:
yajl_gen.c:231:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_number’:
yajl_gen.c:241:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_string’:
yajl_gen.c:254:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_null’:
yajl_gen.c:264:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_bool’:
yajl_gen.c:276:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_map_open’:
yajl_gen.c:289:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_map_close’:
yajl_gen.c:303:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_array_open’:
yajl_gen.c:315:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_array_close’:
yajl_gen.c:328:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_get_buf’:
yajl_gen.c:338:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_gen.c: In function ‘yajl_gen_clear’:
yajl_gen.c:344:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl_lex.o -c yajl_lex.c
yajl_lex.c: In function ‘yajl_lex_alloc’:
yajl_lex.c:130:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_lex.c: In function ‘yajl_lex_realloc’:
yajl_lex.c:141:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_lex.c: In function ‘yajl_lex_free’:
yajl_lex.c:149:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_lex.c: In function ‘yajl_lex_lex’:
yajl_lex.c:673:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_lex.c: In function ‘yajl_lex_error_to_string’:
yajl_lex.c:708:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_lex.c: In function ‘yajl_lex_get_error’:
yajl_lex.c:718:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_lex.c: In function ‘yajl_lex_current_line’:
yajl_lex.c:723:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_lex.c: In function ‘yajl_lex_current_char’:
yajl_lex.c:728:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_lex.c: In function ‘yajl_lex_peek’:
yajl_lex.c:748:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl_parser.o -c yajl_parser.c
yajl_parser.c: In function ‘yajl_render_error_string’:
yajl_parser.c:126:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
yajl_parser.c: In function ‘yajl_do_parse’:
yajl_parser.c:449:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
gcc -I. -I/usr/include/ruby-2.2.0 -I/usr/include/ruby-2.2.0/ruby/backward -I/usr/include/ruby-2.2.0 -I. -ggdb -O2 -pipe -Wimplicit-function-declaration -Wall -funroll-loops -o yajl_version.o -c yajl_version.c
yajl_version.c: In function ‘yajl_version’:
yajl_version.c:6:1: warning: visibility attribute not supported in this configuration; ignored [-Wattributes]
 }
 ^
rm -f yajl.so
gcc -shared -o yajl.so yajl.o yajl_alloc.o yajl_buf.o yajl_encode.o yajl_ext.o yajl_gen.o yajl_lex.o yajl_parser.o yajl_version.o -L. -L/usr/lib -L. -fstack-protector -Wl,--export-all-symbols -Wl,--enable-auto-image-base,--enable-auto-import -lruby220 -lpthread -lgmp -ldl -lcrypt
/usr/lib/gcc/i686-pc-cygwin/4.9.3/../../../../i686-pc-cygwin/bin/ld: cannot find -lgmp
collect2: error: ld returned 1 exit status
Makefile:254: recipe for target 'yajl.so' failed
make: *** [yajl.so] Error 1

make failed, exit code 2

Gem files will remain installed in /home/pentester/.gem/ruby/gems/yajl-ruby-1.2.1 for inspection.
Results logged to /home/pentester/.gem/ruby/extensions/x86-cygwin/yajl-ruby-1.2.1/gem_make.out
Using bundler 1.12.5
Installing crack 0.4.3
An error occurred while installing ffi (1.9.14), and Bundler cannot continue.
Make sure that `gem install ffi -v '1.9.14'` succeeds before bundling.

pentester@mytester /cygdrive/c/test/wpscan-master
$


4) If the ffi gem failed to build, you are probably missing some Cygwin packages, as we were (the mkmf error above says the compiler could not produce an executable, so the development tools are not installed). Run the Cygwin setup program again and install the following packages:
  • libcurl-devel
  • libcurl4
  • ruby-devel


5) Let's run bundler again.

pentester@mytester /cygdrive/c/test/wpscan-master
$ ~/bin/bundle install
Fetching gem metadata from https://rubygems.org/
Fetching version metadata from https://rubygems.org/
Resolving dependencies...
Using addressable 2.4.0
Using safe_yaml 1.0.4
Using diff-lcs 1.2.5
Using docile 1.1.5
Installing ffi 1.9.14 with native extensions
Using hashdiff 0.3.0
Installing json 2.0.2 with native extensions
Using mini_portile2 2.1.0
Using pkg-config 1.1.7
Using rspec-support 3.5.0
Using ruby-progressbar 1.8.1
Using simplecov-html 0.10.0
Using terminal-table 1.6.0
Installing yajl-ruby 1.2.1 with native extensions
Using bundler 1.12.5
Using crack 0.4.3
Installing ethon 0.9.0
Installing nokogiri 1.6.8 with native extensions
Installing rspec-core 3.5.2
Installing rspec-expectations 3.5.0
Installing rspec-mocks 3.5.0
Installing simplecov 0.12.0
Installing webmock 2.1.0
Installing typhoeus 1.1.0
Installing rspec-its 1.2.0
Installing rspec 3.5.0
Bundle complete! 10 Gemfile dependencies, 26 gems now installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
Post-install message from webmock:

  WebMock 2.0 has some breaking changes. Please check the CHANGELOG: https://goo.gl/piDGLu

pentester@mytester /cygdrive/c/test/wpscan-master
$


6) Success! Let's try to run WPScan again.

pentester@mytester /cygdrive/c/test/wpscan-master
$ ruby wpscan.rb
[ERROR] Could not open library 'libcurl': No such file or directory.
Could not open library 'cyglibcurl.dll': No such file or directory.
Could not open library 'libcurl.so.4': No such file or directory.
Could not open library 'cyglibcurl.so.4.dll': No such file or directory

pentester@mytester /cygdrive/c/test/wpscan-master
$


7) After debugging and tracing through the gem dependencies, we found that the ethon gem is not opening the right libcurl library for Cygwin. You need to modify the following gem file (note the user home directory):
C:\cygwin\home\pentester\.gem\ruby\gems\ethon-0.9.0\lib\ethon\curls\settings.rb: line 6

Original:
6:    ffi_lib ['libcurl', 'libcurl.so.4']

Modified:
6:    ffi_lib ['libcurl', 'libcurl.so.4', 'libcurl-4.dll']
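The edit in step 7 is a hand edit that has to be redone every time the ethon gem is reinstalled. The following Ruby script, an added example and not part of the original post, applies it idempotently: it locates the ffi_lib line, appends 'libcurl-4.dll' only if it is absent, keeps a .orig backup, and refuses to run if no ffi_lib line is found so that a wrong path never looks like success. The default path assumes the ~/.gem layout shown in the post and the ethon 0.9.0 version; the sample source in the test is constructed.

```ruby
# Added example (not from the original post): idempotently patch ethon's
# lib/ethon/curls/settings.rb so FFI also tries the Cygwin DLL name for
# libcurl.  Only the ffi_lib line itself comes from the post.
require 'fileutils'

# The line the post tells us to edit looks like:
#     ffi_lib ['libcurl', 'libcurl.so.4']
# Capture the indentation and the quoted names inside the brackets.
FFI_LIB_RE = /^(?<indent>[ \t]*)ffi_lib\s*\[(?<names>[^\]]*)\]/

# Return +source+ with +extra+ appended to the ffi_lib candidate list.
# Returns the source unchanged when the name is already present and
# raises when no ffi_lib line exists (a silent no-op would hide a typo
# in the gem path).
def add_ffi_lib_candidate(source, extra)
  match = source.match(FFI_LIB_RE)
  raise ArgumentError, 'no ffi_lib line found in source' unless match

  # Accept both single- and double-quoted names in the array literal.
  names = match[:names].scan(/'([^']*)'|"([^"]*)"/).flatten.compact
  return source if names.include?(extra)

  names << extra
  list = names.map { |n| "'#{n}'" }.join(', ')
  new_line = "#{match[:indent]}ffi_lib [#{list}]"
  # Splice rather than String#sub so backslashes in names cannot be
  # misread as back-references.
  match.pre_match + new_line + match.post_match
end

# Patch the file in place, keeping a one-time <path>.orig backup.
# Returns true if the file was changed, false if it was already patched.
def patch_settings_file(path, extra = 'libcurl-4.dll')
  source = File.read(path)
  patched = add_ffi_lib_candidate(source, extra)
  return false if patched == source

  backup = "#{path}.orig"
  FileUtils.cp(path, backup) unless File.exist?(backup)
  File.write(path, patched)
  true
end

# Default location from the post (~/.gem under the Cygwin home directory);
# HOME is read explicitly so the script also runs where ~ is not set.
ETHON_SETTINGS = File.join(ENV.fetch('HOME', '.'),
                           '.gem/ruby/gems/ethon-0.9.0/lib/ethon/curls/settings.rb')

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || ETHON_SETTINGS
  if File.exist?(path)
    puts(patch_settings_file(path) ? "patched #{path}" : "#{path} already patched")
  else
    warn "#{path} not found; pass the settings.rb path as the first argument"
  end
end
```

Run it once after every `bundle install` that reinstalls ethon; a second run reports "already patched" and leaves the file alone.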


8) libcurl library problem solved! Let's try to run WPScan again.

pentester@mytester /cygdrive/c/test/wpscan-master
$ ruby wpscan.rb
/home/pentester/.gem/ruby/gems/ffi-1.9.14/lib/ffi/types.rb:69:in `find_type': unable to resolve type 'time_t' (TypeError)
        from /home/pentester/.gem/ruby/gems/ffi-1.9.14/lib/ffi/library.rb:535:in `find_type'
        from /home/pentester/.gem/ruby/gems/ffi-1.9.14/lib/ffi/struct.rb:332:in `find_type'
        from /home/pentester/.gem/ruby/gems/ffi-1.9.14/lib/ffi/struct.rb:326:in `find_field_type'
        from /home/pentester/.gem/ruby/gems/ffi-1.9.14/lib/ffi/struct.rb:368:in `array_layout'
        from /home/pentester/.gem/ruby/gems/ffi-1.9.14/lib/ffi/struct.rb:278:in `layout'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon/curls/classes.rb:49:in `'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon/curls/classes.rb:44:in `'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon/curls/classes.rb:2:in `'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon/curls/classes.rb:1:in `'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon/curl.rb:28:in `require'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon/curl.rb:28:in `'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon/curl.rb:13:in `'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon/curl.rb:8:in `'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon.rb:15:in `require'
        from /home/pentester/.gem/ruby/gems/ethon-0.9.0/lib/ethon.rb:15:in `'
        from /home/pentester/.gem/ruby/gems/typhoeus-1.1.0/lib/typhoeus.rb:2:in `require'
        from /home/pentester/.gem/ruby/gems/typhoeus-1.1.0/lib/typhoeus.rb:2:in `'
        from /cygdrive/c/test/wpscan-master/lib/environment.rb:35:in `require'
        from /cygdrive/c/test/wpscan-master/lib/environment.rb:35:in `'
        from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
        from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
        from /cygdrive/c/test/wpscan-master/lib/common/common_helper.rb:52:in `'
        from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
        from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
        from /cygdrive/c/test/wpscan-master/lib/wpscan/wpscan_helper.rb:3:in `'
        from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
        from /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:54:in `require'
        from wpscan.rb:8:in `'

pentester@mytester /cygdrive/c/test/wpscan-master
$


9) Now FFI cannot resolve the C type 'time_t'. Let's try updating RubyGems and the gems, starting with RubyGems itself.

pentester@mytester /cygdrive/c/test/wpscan-master
$ gem update --system
Updating rubygems-update
Fetching: rubygems-update-2.6.6.gem (100%)
Successfully installed rubygems-update-2.6.6
Parsing documentation for rubygems-update-2.6.6
Installing ri documentation for rubygems-update-2.6.6
Installing darkfish documentation for rubygems-update-2.6.6
Done installing documentation for rubygems-update after 68 seconds
Parsing documentation for rubygems-update-2.6.6
Done installing documentation for rubygems-update after 0 seconds
Installing RubyGems 2.6.6
RubyGems 2.6.6 installed
Parsing documentation for rubygems-2.6.6
Installing ri documentation for rubygems-2.6.6
* Gem::Specification.add_spec is deprecated and will be removed from version
  3.0 with no replacement.  To add specs, install the gem, then reset the
  cache.
* Gem::Specification.remove_spec is deprecated and will be removed from version
  3.0 with no replacement.  To remove specs, uninstall the gem, then reset the
  cache by calling Gem::Specification.reset.
* Call Array#compact before calling Array#uniq for minor speed improvement in
  the Gem::Specification#files method.
  Pull request #1253 by Marat Amerov.
* Use stringio instead of custom String classes.
  Pull request #1250 by Petr Skocik.
* Use URI#host instead of URI#hostname to retain backwards compatibility with
  Ruby 1.9.2 and earlier in util library.
  Pull request #1288 by Joe Rafaniello.
* Documentation update for gem sources.
  Pull request #1324 by Ilya Vassilevsky.
* Documentation update for required_ruby_version.
  Pull request #1321 by Matt Patterson.
* Documentation update for gem update.
  Pull request #1306 by Tim Blair.
* Emit a warning on SRV resolve failure.
  Pull request #1023 by Ivan Kuchin.
* Allow duplicate dependencies between runtime and development.
  Pull request #1032 by Murray Steele.
* The gem env command now shows the user installation directory.
  Pull request #1343 by Luis Sagastume.
* The Gem::Platform#=== method now treats a nil cpu arch the same as 'universal'.
  Pull request #1356 by Daniel Berger.
* Improved memory performance in Gem::Specification.traverse.  Pull request
  #1188 by Aaron Patterson.
* RubyGems packages now support symlinks.  Pull request #1209 by Samuel E.
  Giddins.
* RubyGems no longer outputs mkmf.log if it does not exist.  Pull request
  #1222 by Andrew Hooker.
* Added Bitrig platform.  Pull request #1233 by John C. Vernaleo.
* Improved error message for first-time RubyGems developers.  Pull request
  #1241 by André Arko
* Improved performance of Gem::Specification#load with cached specs.  Pull
  request #1297 by Samuel E. Giddins.
* Gem::RemoteFetcher allows users to set HTTP headers.  Pull request #1363 by
  Agis Anastasopoulos.

Bug fixes:

* Fixed Rake homepage url in example for Gem::Specification#homepage.
  Pull request #1171 by Arthur Nogueira Neves
* Don't crash if partially uninstalled gem can't be found.
  Pull request #1283 by Cezary Baginski.
* Test warning cleanup.
  Pull request #1298 by Samuel E. Giddins.
* Documentation fix for GemDependencyAPI.
  Pull request #1308 by Michael Papis.
* Fetcher now ignores ENOLCK errors in single threaded environments. This
  handles an issue with gem installation on NFS as best we can. Addresses
  issue #1176 by Ryan Moore.
  Pull request #1327 by Daniel Berger.
* Fix some path quoting issues in the test suite.
  Pull request #1328 by Gavin Miller.
* Fix NoMethodError in running ruby processes when gems are uninstalled.
  Pull request #1332 by Peter Drake.
* Fixed a potential NoMethodError for gem cleanup.
  Pull request #1333 by Peter Drake.
* Fixed gem help bug.
  Issue #1352 reported by bogem, pull request #1357 by Luis Sagastume.
* Remove temporary directories after tests finish.  Pull request #1181 by
  Nobuyoshi Nokada.
* Update links in RubyGems documentation.  Pull request #1185 by Darío Hereñú.
* Prerelease gem executables can now be run.  Pull request #1186 by Samuel E.
  Giddins.
* Updated RubyGems travis-ci ruby versions.  Pull request #1187 by Samuel E.
  Giddins.
* Fixed release date of RubyGems 2.4.6.  Pull request #1190 by Frieder
  Bluemle.
* Fixed bugs in gem activation.  Pull request #1202 by Miklós Fazekas.
* Fixed documentation for `gem list`.  Pull request #1228 by Godfrey Chan.
* Fixed #1200 history entry.  Pull request #1234 by Marc Siegel.
* Fixed synchronization issue when resetting the Gem::Specification gem list.
  Pull request #1239 by Samuel E. Giddins.
* Fixed running tests in parallel.  Pull request #1257 by SHIBATA Hiroshi.
* Fixed running tests with `--program-prefix` or `--program-suffix` for ruby.
  Pull request #1258 by Shane Gibbs.
* Fixed Gem::Specification#to_yaml.  Pull request #1262 by Hiroaki Izu.
* Fixed taintedness of Gem::Specification#raw_require_paths.  Pull request
  #1268 by Sam Ruby.
* Fixed sorting of platforms when installing gems.  Pull request #1271 by
  nonsequitur.
* Use `--no-document` over deprecated documentation options when installing
  dependencies on travis.  Pull request #1272 by takiy33.
* Improved support for IPv6 addresses in URIs.  Pull request #1275 by Joe
  Rafaniello.
* Spec validation no longer crashes if a file does not exist.  Pull request
  #1278 by Samuel E. Giddins.
* Gems can now be installed within `rescue`.  Pull request #1282 by Samuel E.
  Giddins.
* Increased Diffie-Hellman key size for tests for modern OpenSSL.  Pull
  request #1290 by Vít Ondruch.
* RubyGems handles invalid config files better.  Pull request #1367 by Agis
  Anastasopoulos.

=== 2.4.8 / 2015-06-08

Bug fixes:

* Tightened API endpoint checks for CVE-2015-3900


------------------------------------------------------------------------------

RubyGems installed the following executables:
        /usr/bin/gem

Ruby Interactive (ri) documentation was installed. ri is kind of like man
pages for ruby libraries. You may access it like this:
  ri Classname
  ri Classname.class_method
  ri Classname#instance_method
If you do not wish to install this documentation in the future, use the
--no-document flag, or set it as the default in your ~/.gemrc file. See
'gem help env' for details.

RubyGems system software updated

pentester@mytester /cygdrive/c/test/wpscan-master
$


10) Let's try to run WPScan again, and we get a Winsock library issue this time.

pentester@mytester /cygdrive/c/test/wpscan-master
$ ruby wpscan.rb
[ERROR] Could not open library 'ws2_32': No such file or directory.
Could not open library 'cygws2_32.dll': No such file or directory


11) After more debugging and tracing through the gem dependencies, we found that the ethon gem is not opening the right socket library for Cygwin: the original code loads Windows' Winsock library (ws2_32) whenever it detects a Windows environment, but under Cygwin that DLL cannot be opened (hence the error above) and the POSIX libc should be used instead. You need to modify the following gem file (note the user home directory):
C:\cygwin\home\pentester\.gem\ruby\gems\ethon-0.9.0\lib\ethon\curls\functions.rb: line 55 to 59

Original:
55:        if Curl.windows?
56:            base.ffi_lib 'ws2_32'
57:        else
58:            base.ffi_lib ::FFI::Library::LIBC
59:        end

Modified:
55:#        if Curl.windows?
56:#            base.ffi_lib 'ws2_32'
57:#        else
58:            base.ffi_lib ::FFI::Library::LIBC
59:#        end


12) Let's try to run WPScan again, and success!

pentester@mytester /cygdrive/c/test/wpscan-master
$ ruby wpscan.rb
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________


Examples :

-Further help ...
ruby wpscan.rb --help

-Do 'non-intrusive' checks ...
ruby wpscan.rb --url www.example.com

-Do wordlist password brute force on enumerated users using 50 threads ...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

-Do wordlist password brute force on the 'admin' username only ...
ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

-Enumerate installed plugins ...
ruby wpscan.rb --url www.example.com --enumerate p

-Enumerate installed themes ...
ruby wpscan.rb --url www.example.com --enumerate t

-Enumerate users ...
ruby wpscan.rb --url www.example.com --enumerate u

-Enumerate installed timthumbs ...
ruby wpscan.rb --url www.example.com --enumerate tt

-Use a HTTP proxy ...
ruby wpscan.rb --url www.example.com --proxy 127.0.0.1:8118

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
ruby wpscan.rb --url www.example.com --proxy socks5://127.0.0.1:9000

-Use custom content directory ...
ruby wpscan.rb -u www.example.com --wp-content-dir custom-content

-Use custom plugins directory ...
ruby wpscan.rb -u www.example.com --wp-plugins-dir wp-content/custom-plugins

-Update the DB ...
ruby wpscan.rb --update

-Debug output ...
ruby wpscan.rb --url www.example.com --debug-output 2>debug.log

See README for further information.


[!] No argument supplied

pentester@mytester /cygdrive/c/test/wpscan-master
$


13) Let's try to update WPScan to make sure that curl is working. Success again!

pentester@mytester /cygdrive/c/test/wpscan-master
$ ruby wpscan.rb --update
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

pentester@mytester /cygdrive/c/test/wpscan-master
$


After that, we were able to get WPScan running on our Cygwin environment.

That's all folks! Hope that this guide will be useful to future pentesters out there.

-- DD and MY

Monday, February 7, 2011

Does dereferencing null or uninitialized pointers in Objective C cause runtime errors?

I recently had an interesting "discussion" with an Objective C developer about what happens when we dereference null or uninitialized pointers in Objective C.

First a little recap: a pointer holds the address of a location in memory, and obtaining the value stored at the location a pointer refers to is known as dereferencing the pointer. A null pointer is a pointer that has been deliberately set to point at nothing (NULL). An uninitialized pointer has been declared but never assigned, so it holds whatever leftover value happened to be in its memory and points at some arbitrary location.

From my experience in C programming, dereferencing these types of pointers will almost certainly cause a runtime error resulting in a segmentation fault when the compiled program is executed. I'm pretty certain that this applies to Objective C too as the fundamentals are the same. However, my opponent insists that the Objective C language takes care of null and uninitialized pointers by making them point to Nil by default.

To prove that dereferencing null or uninitialized pointers in Objective C will cause runtime errors, I found a simple Objective C sample file online and modified it to compile with gcc in Mac OS X. Attached below are 3 files that are identical except for 1 line of code, with the following differences:
  • hello.m: with normal initialized pointer
  • hello-null.m: with pointer pointing to NULL
  • hello-uninit.m: with uninitialized pointer

The screenshot below shows the programs compiled from hello-null.m and hello-uninit.m causing segfaults.

The test environment is a default install Mac OS X 10.6.6 Snow Leopard and the gcc compiler is from Xcode 3.2.5 and iOS SDK 4.2.

There you have it: dereferencing null or uninitialized pointers in Objective C will cause runtime errors resulting in segmentation faults.

Saturday, January 9, 2010

Testing for TLS1/SSLv3 Renegotiation Vulnerability

I noticed that eEye's Retina Network Scanner and Tenable's Nessus added the check for TLS1/SSLv3 Renegotiation Vulnerability in December. During my research, I came across the excellent whitepaper by Thierry Zoller from G-SEC titled "TLS/SSLv3 renegotiation vulnerability explained":

To help sysadmins who need to find out if their own webservers are vulnerable, I'm going to demonstrate how to test for the vulnerability using the OpenSSL toolkit (http://www.openssl.org). I'm not going to discuss the details of the vulnerability as that can be found in the Zoller whitepaper. If your target is Internet-accessible, Nasko provided a great online "TLS Renegotiation Test" at:

In a nutshell, we can test the issue by running the following command:
$ openssl s_client -connect targetserver:443
then adding:
GET / HTTP/1.0
R
<CRLF>

* Please note that <CRLF> means hitting the Enter/Return key.

If the target is vulnerable, the server will return a renegotiation message. After receiving the renegotiation message, the server will return the content of the page if another <CRLF> is sent.

Since a picture paints a thousand words, the following two examples illustrate the SSL transactions of a non-vulnerable and a vulnerable server using OpenSSL.


OpenSSL transaction of a non-vulnerable server:
$ openssl s_client -connect good-server.org:443
CONNECTED(00000003)
depth=0 /OU=SAMPLE ONLY/O=<DELETED>
A 1024 Server Certificate/C=CA
verify error:num=20:unable to get local issuer certificate
verify return:1
<DELETED>
---
Certificate chain
 0 s:/OU=SAMPLE ONLY/O=<DELETED>
---
Server certificate
-----BEGIN CERTIFICATE-----
<DELETED>
-----END CERTIFICATE-----
subject=/OU=SAMPLE ONLY/O=<DELETED>
---
No client certificate CA names sent
---
SSL handshake has read 1421 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D37DC0B86A49D57900149FF75419F31221E862FFB18A38CA9ABDE165D6DC3A32

    Session-ID-ctx:
    Master-Key: 801C70181E7597FB2355FC842D35ED741236E148E17002498C1CA85D287FF64B
5AB2FC0C9653977C7B6621DCF249C325
    Key-Arg   : None
    Start Time: 1263012957
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
GET / HTTP/1.0
R
<CRLF>
RENEGOTIATING
5648:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:s3_pkt.c:1210:

$

OpenSSL transaction of a vulnerable server:
$ openssl s_client -connect bad-server.org:443
CONNECTED(00000003)
depth=0 /CN=<DELETED>
verify error:num=20:unable to get local issuer certificate
<DELETED>
---
Certificate chain
 0 s:/CN=<DELETED>
---
Server certificate
-----BEGIN CERTIFICATE-----
<DELETED>
-----END CERTIFICATE-----
subject=/CN=<DELETED>
---
No client certificate CA names sent
---
SSL handshake has read 1620 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 100B637C67A441127FEE9836EDB8364D7F3D78280D1C991AF59AF7D6F09960A6

    Session-ID-ctx:
    Master-Key: 86E28EB111FDF81ED9970D05769582ED2AE217E1C992DDA3CB36DD2F5AA2570B
258F5C44C2CBAB95D3145C124AC3B7F7
    Key-Arg   : None
    Start Time: 1263013004
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
GET / HTTP/1.0
R
<CRLF>
RENEGOTIATING
depth=0 /CN=bad-server.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=bad-server.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=bad-server.org
verify error:num=21:unable to verify the first certificate
verify return:1
<CRLF>
HTTP/1.1 200 OK
Date: Sat, 09 Jan 2010 04:56:52 GMT
Server: Apache
Last-Modified: Mon, 13 Apr 2009 06:12:41 GMT
ETag: "758012-fe3-467699a12e840"
Accept-Ranges: bytes
Content-Length: 4067
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<HTML>

<HEAD>
<DELETED>

</HTML>
closed

$

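The s_client test above, turned into a repeatable check (an added example, not part of the original post): it classifies a saved s_client transcript and can drive the same GET / R / blank-line sequence against a server you administer. It assumes an OpenSSL of the 2009 era that echoes RENEGOTIATING when the 'R' command is entered; the pauses and the error strings matched are my own choices, not the author's.

```shell
#!/bin/sh
# Added example, not code from the original post. classify_reneg_transcript
# reads an `openssl s_client` transcript and prints a verdict;
# probe_renegotiation runs the post's interactive test non-interactively.
# Assumption: OpenSSL 0.9.8-era s_client, which prints "RENEGOTIATING" to
# stderr when the 'R' command is typed.

# Read an s_client transcript on stdin and print one of:
#   not-vulnerable  - the server refused the client-initiated renegotiation
#   vulnerable      - the server renegotiated and then served the request
#   undetermined    - no RENEGOTIATING marker seen (the test never ran)
classify_reneg_transcript() {
    # Only what s_client prints after the RENEGOTIATING marker matters.
    after=$(sed -n '/^RENEGOTIATING/,$p')
    if [ -z "$after" ]; then
        echo undetermined
        return 0
    fi
    # A refused renegotiation surfaces as an SSL record/alert error in s_client
    # (the "unexpected record" line in the good-server.org session above).
    if printf '%s\n' "$after" | grep -Eq 'unexpected record|handshake failure|no renegotiation'; then
        echo not-vulnerable
        return 0
    fi
    # A server that accepted the renegotiation goes on to answer the GET that
    # was sent before it, so an HTTP status line follows the marker.
    if printf '%s\n' "$after" | grep -Eq '^HTTP/1\.[01] [0-9][0-9][0-9]'; then
        echo vulnerable
        return 0
    fi
    echo undetermined
}

# Run the sequence from the post (GET line, 'R', blank line) without a
# terminal. s_client only recognises 'R' at the start of a read and quits
# when stdin closes, so each line is written separately with a pause and the
# pipe is held open long enough for the server's answer to arrive.
probe_renegotiation() {
    host=$1
    port=${2:-443}
    {
        printf 'GET / HTTP/1.0\r\n'; sleep 1
        printf 'R\n';                sleep 2
        printf '\r\n';               sleep 5
    } | openssl s_client -connect "$host:$port" 2>&1 | classify_reneg_transcript
}

# Constructed sample transcripts, trimmed from the two sessions shown above.
SAMPLE_GOOD='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
---
GET / HTTP/1.0
R
RENEGOTIATING
5648:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:s3_pkt.c:1210:'

SAMPLE_BAD='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
---
GET / HTTP/1.0
R
RENEGOTIATING
depth=0 /CN=bad-server.org
verify error:num=20:unable to get local issuer certificate
verify return:1
HTTP/1.1 200 OK
Date: Sat, 09 Jan 2010 04:56:52 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

printf 'good-server.org: %s\n' "$(printf '%s\n' "$SAMPLE_GOOD" | classify_reneg_transcript)"
printf 'bad-server.org:  %s\n' "$(printf '%s\n' "$SAMPLE_BAD" | classify_reneg_transcript)"
```

To check a live server, call `probe_renegotiation your-host.example 443` from the same shell; the verdict is printed the same way as for the samples.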

For this vulnerability, there's no known generic fix yet. Let's hope something comes along soon.

Saturday, October 31, 2009

Where is the ASP.NET Web Service template in Visual Studio 2005

I recently needed to create a Web Service (WS) application fast, and since I know nothing about web services, I thought that the best way would be to try out some sample WS apps first. I found that most of the online sample WS apps were introduced using Visual Studio .NET.

Since I have a newer Visual Studio 2005 Professional Edition, I thought that there will be no problem for me to follow the online exercises. Boy was I wrong!!!

The first problem I encountered was just to create a Visual C# Web Service project. According to the instructions: from Visual Studio, select File -> New -> Project.... Then select the ASP.NET Web Service template...

Wait a minute!!! There's no ASP.NET Web Service template!!!

The only one I found was by selecting File -> New -> Web Site....

After a lot of googling and countless failed attempts to load the ASP.NET Web Service template, I found out that all I had to do was to install the Service Pack 1 for Visual Studio.

Unbelievable right?

Publishing Web Service in IIS 6 from Visual Studio 2005

I was recently tasked with creating a simple Web Service (WS) application to serve as a training tool, and the problems that I encountered can be considered cruel and unusual for any pentester. The most idiotic issue came from using Visual Studio 2005 to publish the WS in IIS 6. When I used the debugger in Visual Studio (VS) to run the WS app, the app worked fine. But when I tried to publish the WS app in the wwwroot of IIS, the stupid ASP kept throwing errors at me.

I believe that no one should be made to suffer through this again, so I'm going to summarize what I did for *posterity*.

Before I can start, we're going to need a baseline. I was using a default installation of Windows 2003 Server R2 Standard Edition with IIS 6, and a default installation of Visual Studio 2005 Professional Edition without SP1. The baseline WS app will be the default "Hello World" Web Service Web Site from Visual Studio.

1. To create the Web Site in Visual Studio, go to File -> New -> Web Site. Choose ASP.NET Web Service in the dialog box.

I'm going to name and save the project as per the following for brevity in this post:
C:\Documents and Settings\Administrator\My Documents\Visual Studio 2005\WebSites\Sample1

You may notice that the Web.config file is missing from VS's Solution Explorer (right window), but it'll be created when you start debugging.


2. Then in VS, select Debug -> Start Debugging, and choose "Add a new Web.config file with debugging enabled." in the next dialog box. A new browser is started showing the Web Service directory and you can start playing with the Web Service without any problem.



Notice the port number in the URL; this is not the default IIS 6 web server.


3. Now we will try to publish the WS. In VS, select Build -> Build Web Site. You should get the Build succeeded status. Then select Build -> Publish Web Site. I'm going to publish the WS app in the root directory of IIS: C:\Inetpub\wwwroot\Sample1.

You should get the Publish succeeded status. Here comes the nightmare!!!


4. On the local machine, open the WS's URL in a new browser: http://localhost/Sample1/Service.asmx

You will get the following error:

Server Error in '/' Application.

Parser Error
Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.

Parser Error Message: Could not create type 'Service'.

Source Error:

Line 1:  <%@ WebService Language="C#" CodeBehind="~/App_Code/Service.cs" Class="Service" %>

Source File: c:\inetpub\wwwroot\Sample1\Service.asmx    Line: 1



Version Information: Microsoft .NET Framework Version:1.1.4322.2300; ASP.NET Version:1.1.4322.2300

5. You need to make 2 changes to solve this error. The first step is to copy the bin directory from your project directory into IIS's web root.  Look at your IIS's wwwroot directory structure:
C:\
+- Inetpub
   +- AdminScripts
   +- wwwroot
      +- aspnet_client
      +- Sample1
         +- bin
         +- App_Code.compiled
         +- App_Code.dll

You need to put all your "App_Code" and "bin" directories into the wwwroot directory instead of the published project directory (the sub-directory where the asmx file resides). For some unknown reason, Visual Studio 2005 does not move or copy them from the project directory for you automatically.

Your new IIS wwwroot directory structure should look like this:
C:\
+- Inetpub
   +- AdminScripts
   +- wwwroot
      +- aspnet_client
      +- bin
         +- App_Code.compiled
         +- App_Code.dll

      +- Sample1
         +- bin
            +- App_Code.compiled
            +- App_Code.dll

You should still get the same error if you reload the browser.


5. The second step is changing the .NET version in IIS 6. IIS 6 is trying to run code compiled in .NET 2 with .NET 1. In Windows, go to Administrative Tools -> Internet Information Services (IIS) Manager. In IIS Manager, expand LOCALSERVER(local computer) -> Web Sites -> Default Web Site.

Right-click Default Web Site and select Properties. In the dialog box, select the ASP.NET tab. Change the ASP.NET version from 1.1.4322 to 2.0.50727 and click OK.

6. Reload the local browser. You should see the following error:

Server Error in '/' Application.

Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.  This error can be caused by a virtual directory not being configured as an application in IIS.

Source Error:

Line 24:             ASP.NET to identify an incoming user.
Line 25:         -->
Line 26:        
Line 27:         <!--
Line 28:             The section enables configuration

Source File: c:\inetpub\wwwroot\sample1\web.config    Line: 26



Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42

On a remote browser, you should see the following error when you open the WS's URL (assuming 192.168.1.185 is the WS server's IP): http://192.168.1.185/Sample1/Service.asmx

Server Error in '/' Application.

Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine. 


Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="Off"/>
    </system.web>
</configuration>

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
    </system.web>
</configuration>

7. You need to create an application in IIS 6 with the same name as the virtual directory. From IIS Manager, expand LOCALSERVER(local computer) -> Web Sites -> Default Web Site -> Sample1.

Right-click Sample1 and select Properties. In the dialog box, select the Directory tab. Click on the Create button and click OK.

8. You should find that the WS app is working normally on the local machine.

9. On a remote machine, it looks like the WS is working.

But you will see the following error message when you select the HelloWorld WS:

The test form is only available for requests from the local machine.

10. Since .NET Framework 1.1, HTTP GET and HTTP POST are both disabled by default. You need to enable them in the Web.config file. From VS, insert the following code into Web.config and re-publish the Web Site as shown in step 3:

<webServices>
    <protocols>
        <add name="HttpGet"/>
        <add name="HttpPost"/>
    </protocols>
</webServices>

Note that the code must be inserted inside the <system.web> tags like so:

<configuration>
    <system.web>
    <webServices>
        <protocols>
            <add name="HttpGet"/>
            <add name="HttpPost"/>
        </protocols>
    </webServices>

    </system.web>
</configuration>

11. You should find that the WS app is working normally on the remote machine now.

12. If you're going to release this WS app into the production environment, you probably should disable Debugging for your app. From VS, find the following line in Web.config:

<compilation debug="true"/>

Set debug to false and re-publish the Web Site as shown in step 3:

<compilation debug="false"/>


--- The End ---

Monday, June 22, 2009

Guide to Cracking EnableDebugger2 Password in SWF/Flash

Caveat Emptor!!! Let me first state that I am not an ActionScript programmer. The reason I wrote this article was because I needed to crack an EnableDebugger2 password in a Flash file, but could not find any DIY guide to do it. From the references I found from Google, the details of the hashing scheme used were very sketchy and threw me off the correct trail for hours. This article represents hours of research, experimentation and source code review, and I've provided all the technical details that I feel are important for my peers reading this article.

The article presumes an intermediate level of technical competency.

You can access the PDF version from here.

Wednesday, June 10, 2009

Windows Update IE Frame Recursion/Loop Problem when Selecting "Optional" Updates

I've been having problems performing the "Windows Update" with Internet Explorer on one of my Windows Server 2003 systems, which is used as a software testing workstation.

From IE6 to IE8, the whole "Windows Update" process goes on normally until I try to select the "Software, Optional" option on the side frame. IE just loads another "Windows Update" process in the center frame.


Prior to IE8, the recursive process just cascades deeper and deeper, with more frames within frames. But since IE8, the process is now a loop. When I try to continue the "Windows Update" process in the sub-frame window, the sub-frame just goes back to the original "High Priority" option sub-frame.

The funny thing is that it only happens to one of my machines. Usually, I just use CTupdate to update this machine and forget about it; but I thought I'd fix it since I have some free time now.

After a little googling, I found a link to this page:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windowsupdate&mid=bcd4ec08-55d3-4ee5-8daa-56dcd25f5311

The forum poster found out that it was the "BitComet Helper" add-on from his BitComet 0.84 that was affecting his Windows XP system.

I checked and I found that I have an old BitComet 0.7 in my system that I have totally forgotten about, so I went on to disable the add-on.

In IE8, I went to "Tools -> Manage Add-ons", and disabled the "BitComet Helper" add-on.

Problem solved and my "Windows Update" is now working fine.