Code Release: Blackbag 0.9 (Binary Protocol Reversing Unix Thingies)

Thomas Ptacek | October 16th, 2006 | Filed Under: Development, Matasano, Reversing, Uncategorized

I sucked it up and copied my current source tree up. You can grab a copy of blackbag 0.9 here.

For those of you just joining us: blackbag is a collection of sharp, pointy metal bars that I use to explore protocols and prototype tools. It is an intensely Unix-y answer to classic fuzzing tools like “Spike”, centering on a binary interactive netcat program.

What’s new in this code:

  • All the tools hide behind a shell script called “bkb”, which means you no longer run “blit foo”, but rather “bkb blit foo”, unless you adjust your path.

  • This release includes the source to “unasn”, which reads stdin, attempts to parse it as if it was ASN.1/BER/DER, and spits out a structured shell script that reproduces the same binary. You can read more about unasn here, sort of.

  • Tiny little utilities to handle HTTP hexification.

  • Some example shell scripts, about which more (very) later, but in the meantime you can read a rudimentary implementation of TLS/X509 handshake messages in Bourne Shell.

  • Major improvements to the “sub” tool, about which more later tonight.

  • Minor bugfixes.
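
The kind of parse unasn has to perform, as an added example (this is not blackbag's source, and it does not reproduce unasn's shell-script output): a bounds-checked walk of BER/DER tag-length-value records that prints an indented outline. The function name, depth limit and sample bytes are constructed for illustration; high tag numbers and indefinite lengths are rejected rather than handled.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_DEPTH 32   /* assumed limit: bound recursion on hostile nesting */

/* Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "hi", SEQUENCE { NULL } } */
static const unsigned char sample_der[] = {
    0x30, 0x0b, 0x02, 0x01, 0x05, 0x04, 0x02, 'h', 'i', 0x30, 0x02, 0x05, 0x00
};
/* Constructed sample: OCTET STRING "ABC" with a long-form length (legal BER, not DER) */
static const unsigned char sample_long[] = { 0x04, 0x81, 0x03, 'A', 'B', 'C' };

/* Print an indented outline of the TLVs in buf[0..len).
 * Returns the number of TLVs seen, or -1 if the input is malformed. */
static int walk_tlv(const unsigned char *buf, size_t len, int depth)
{
    size_t off = 0;
    int count = 0;

    if (depth > MAX_DEPTH) return -1;
    while (off < len) {
        unsigned char tag = buf[off++];
        /* high tag numbers are unsupported; a tag with no length octet is truncated */
        if ((tag & 0x1f) == 0x1f || off >= len) return -1;
        size_t vlen = buf[off++];
        if (vlen == 0x80) return -1;              /* indefinite length: unsupported */
        if (vlen & 0x80) {                        /* long form: low 7 bits count the length octets */
            size_t n = vlen & 0x7f;
            if (n > sizeof(size_t) || n > len - off) return -1;
            for (vlen = 0; n > 0; n--) vlen = (vlen << 8) | buf[off++];
        }
        if (vlen > len - off) return -1;          /* value overruns its container */
        printf("%*s%s tag 0x%02x, %zu bytes\n", depth * 2, "",
               (tag & 0x20) ? "constructed" : "primitive", (unsigned)tag, vlen);
        count++;
        if (tag & 0x20) {                         /* constructed: the value is itself a TLV list */
            int sub = walk_tlv(buf + off, vlen, depth + 1);
            if (sub < 0) return -1;
            count += sub;
        }
        off += vlen;
    }
    return count;
}

int main(void)
{
    printf("%d TLVs\n", walk_tlv(sample_der, sizeof sample_der, 0));
    printf("%d TLVs\n", walk_tlv(sample_long, sizeof sample_long, 0));
    return 0;
}
```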

Caveats: You aren’t going to be able to build this. I can build it clean under FreeBSD-CURRENT, Mac OS X, and OpenBSD. It has been built under Linux and Solaris in the past. If you make it work somewhere, post how you did it in a comment, and I’ll incorporate your fix.

This is the last time I anticipate releasing this code, for two reasons, one of which I’ll talk about tonight and one of which I’ll talk about (hopefully) next week, both of which reasons are good things.

Here’s what “bkb” tells you given no arguments:

telson host:port &      ;# binary netcat
blit foo                ;# dump data to telson
replug -b host:port &   ;# logging plugboard proxy
rebreak spans*          ;# break logs into individual messages
httpcat post://foo/     ;# like telson but for HTTP
unify foo               ;# ASCII + HTML entities -> UTF16LE
deunify f\00o\00o\00    ;# and back again
b64 foo                 ;# to base64
d64                     ;# and back again
len                     ;# prepend/append binary length
shf                     ;# strip N bytes off a buffer
deezee                  ;# seek and extract zlib-compressed buffers
dezip                   ;# or for ZIP
sub '$\{hex:10\}\'      ;# fuzzing substituter for binaries
hexify                  ;# binary-to-hexidecimal
binhex                  ;# and back again
dedump                  ;# convert 'hexdump -C' to binary
c 1000 c                ;# print 1000 c's
tcbs                    ;# print connections in a pcap file
pstrip                  ;# lose short-snap pcap packets
tsec yes                ;# wait fractional seconds, then abort
unasn foo.der           ;# translate asn1/ber-der into a script
nint 10                 ;# write a binary integer
no < text               ;# NUL->0xFF, or something else
crnl < text             ;# ensure CRNL on all lines
echo "a%20b" | dehexify ;# HTTP-style dehexify
echo "a b" | httphexify ;# HTTP-style hex encoding

28 Comments so far

  • tom ferris

    October 16th, 2006 6:59 pm

    hyperlink no workie.. ;^)

  • […] The second item of interest was a software release from Thomas Ptacek over at Matasano Security. The software, blackbag 0.9, is described as: […]

  • Tyler Reguly

    October 17th, 2006 2:52 am

    Hey Hey,

    I was able to get it to compile on SuSE 10.1. I simply had to change line 44 in tsec.c.

    The current line is:
    if(setpgrp(0, getpid()) == -1) {
    Which I replaced with:
    if (setpgrp() == -1 ) {

    After that it compiled without a problem.

    The product looks great… I did a brief review of your two posts today over on my site… I plan on doing a full review with examples this upcoming weekend… but I’m quite impressed.

  • Thomas Ptacek

    October 17th, 2006 10:18 am

    Thanks for the compliments; I expect the urge to deliver more will, uh, attenuate once you’ve tried using the code. ;)

    I should make it clear that this is not our “product”, which you can tell by the fact that this code actually got released.

    I will suggest that the library code here is more useful than the programs themselves.

  • Tyler Reguly

    October 17th, 2006 10:43 am

    I didn’t mean to imply that I thought it was a Matasano Security product…. by product I just meant the code itself…

    I will, however, admit that I’m curious as to why you will most likely not be releasing this code again.

  • Thomas Ptacek

    October 17th, 2006 10:58 am

    Because I’m going to collapse it into “sub” and turn it into a proper filer/record fuzzing tool, and because in my spare time I have something cooler that’s going to use the same code.

    The library code here is more useful than the actual programs are (although I use the programs every day and would be basically sunk without them).

  • […] For what it’s worth, here’s what I started doing with NTFS this week (before NTFS went out-of-scope on my project). I’m attacking a Win32 tool, and my toolchain is all Unix, so I use a thumb drive to run experiments: […]

  • […] I use one of the little Blackbag tools, but you could just use ‘dd’: ‘cat universal.bin | bkb shf 0x53ea000 > universal.ppc’. […]

  • Jon Myers

    April 14th, 2007 7:09 pm

    So where’s the announcement about the hiding of blackbag and deezee? (I’m really looking for deezee). I’m guessing you removed them both from your pages for some reason.. and I’m still scouring the internet looking for deezee so I can see how axis fixed their broken rtsp on the 210 camera, so I can apply the same thing to the 214, which they haven’t gotten around to fixing yet.

  • Thomas Ptacek

    April 15th, 2007 12:34 am

    I’ll post a link tomorrow morning; we didn’t “hide it”, we moved servers and they, uh, didn’t come along for the ride. =)

  • Chris

    May 1st, 2007 10:04 pm

    where be the linky? :) your post today about bkb seems to have piqued my interest. (dave G’s post really, May 1st 2007)

  • Thomas Ptacek

    May 1st, 2007 10:06 pm

    Grumble grmbl mlmbd dfjmevmr.

    I’ll get it up this evening, unless I don’t, in which case I will allow you to shame me publicly with more comments.

  • Dave G.

    May 5th, 2007 3:52 pm

    SHAME! SHAME! SHAME!

  • Thomas Ptacek

    May 6th, 2007 7:06 pm

    I am shamed.

  • gwen

    May 9th, 2007 6:10 am

    So where does the code live currently..? macports archives seem to have lost it and matasano.com/tools/
    doesn’t let strangers like me in :)

    thanx in advance
    gwen

  • gwen

    May 9th, 2007 6:12 am

    never mind.. dot cache still had the sockpuppet link above..
    thanx anyway
    gwen

  • gwen

    May 9th, 2007 6:17 am

    oops zero length file…. so any hints about where to find? sounds like a fun tool

    gwen

  • Dave G.

    May 9th, 2007 8:33 am

    SHAME! SHAME! SHAME! SHAME!

  • Thomas Ptacek

    May 9th, 2007 9:11 am

    I uploaded a tarball and everything but then I couldn’t figure out how to configure Apache so I gave up sorry.

  • gwen

    May 9th, 2007 1:35 pm

    well the search engines had it logged at
    http://72.14.209.104/search?q=cache:http%3A//www.matasano.com/tools/
    for the .6 version which is now giving forbidden errors, so I will take a stab at this and say make sure the tools directory is readable/executable by all if not owned by the http user.
    and take a look at www/logs/error_log with a tail -f while working at it to determine why it can’t be found..

    sigh..
    gwen
    ps or I am sure one of us can post it someplace for you to refer to if emailed ..
    pss.. I won’t shame u..

  • gwen

    May 10th, 2007 7:44 pm

    maybe I ought to rethink the shaming!! :)

    gwen
    ps.. SHAME SHAME SHAME!!!!

  • gwen

    May 11th, 2007 9:00 pm

    gee Thomas.. there is even a macports entry that doesn’t function because of no distfile for blackbag-0.9. (and any copies I had from before went with my crashed powerbook harddisk)

    any chance soon??(it has been months…)
    gwen

  • Thomas Ptacek

    May 11th, 2007 9:08 pm

  • gwen

    May 12th, 2007 2:44 pm

    yeah!!!!!!!!

    thanx thomas
    gwen

  • gwen

    May 12th, 2007 2:45 pm

    yay!!!!!!!!!!

    thanx thomas
    gwen

  • Thomas Ptacek

    May 12th, 2007 4:39 pm

    Let me know if you have any trouble getting it built, or using it, or making sense of it.

  • chopstick

    July 5th, 2007 2:37 pm

    I built it on Ubuntu 7.04 without too many problems. I also had the ‘setpgrp’ error in tsec.c:44, but replaced ‘setpgrp’ with ‘setpgid’ and all was well.

    During the make install, the ‘sub.macros’ file wasn’t available. I just used touch to create the file.

  • mcuelenaere

    August 27th, 2007 1:26 pm

    Could you also put deezee back up? Cause I really need it
