PDB: The Protocol DeBugger presented at BlackhatUSA 2006

by Jeremy Rauch

Summary: It's late. You've been assigned the unenviable task of evaluating the security of this obtuse application suite. 2006! Why doesn't everything just use SSL as its transport? No time for excuses. Deadlines loom, and you need to figure this out. And when you do figure it out, write your own fuzzer client.
This sucks.
(pdb) module add MyAction pdb-ruby.so cifs-ruby.rb
(pdb) rule add MyRule dst port 445
(pdb) rule action MyRule MyAction
(pdb) rule list
MyRule: dst port 445
Action 0: debugger
Action 1: MyAction
(pdb) go
...
(pdb) print
00000000: 45 10 00 3c 70 86 40 00 E...p...
00000008: 40 06 00 00 c0 a8 02 06 ........
00000010: c0 a8 02 56 d8 a0 01 bd ...V....
00000018: 1e 76 1b 71 00 00 00 00 .v.q....
00000020: a0 02 ff ff 14 1b 00 00 ........
00000028: 02 04 05 b4 01 03 03 00 ........
00000030: 01 01 08 0a 20 4a 7c b1 .....J..
00000038: 00 00 00 00 ....
(pdb) x/b 0x8
40
(pdb) e/b 0x8 0x20
(pdb) print
00000000: 45 10 00 3c 70 86 40 00 E...p...
00000008: 20 06 00 00 c0 a8 02 06 ........
00000010: c0 a8 02 56 d8 a0 01 bd ...V....
00000018: 1e 76 1b 71 00 00 00 00 .v.q....
00000020: a0 02 ff ff 14 1b 00 00 ........
00000028: 02 04 05 b4 01 03 03 00 ........
00000030: 01 01 08 0a 20 4a 7c b1 .....J..
00000038: 00 00 00 00 ....
(pdb) continue
cifs-ruby.rb performing packet alteration...
...
But wait, what's this? A tool chain geared around dissecting protocols like a code debugger slices through code? A protocol generation and manipulation framework with a clean, consistent interface, that's scripted instead of compiled? And a fuzzing framework to go along with it? You're saved! Or at least, maybe you'll get to sleep before the sun comes up.
PDB is a Protocol DeBugger. GDB meets a transparent proxy. Conditionally break based on BPF filters. Modify protocol contents on the fly. Build custom actions that let you manipulate how you speak on the network. Or manually edit protocol fields and send the packets along.
Racket is a protocol generation and manipulation library, in Ruby. Why Ruby? Why not. Use it as a way of writing PDB actions, or on its own. We're flexible that way.
Ramble is a Ruby based fuzzing framework. Set it going, and it just goes on and on and on. We know people like that, but unlike them, Ramble is helpful. Automates the protocol testing you're going to have to do to get full coverage. Do the hard stuff by hand. Use Ramble to do the repetitive stuff.
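As an added illustration, not code from the talk or from PDB itself, here is a small Python model of what the (pdb) session above does: decode the IPv4/TCP packet transcribed from the hex dump, test it against the "dst port 445" rule, examine and edit the TTL byte at offset 8 the way x/b and e/b do, and recompute the IPv4 header checksum, which the dump shows as 0000 and which any proxy that rewrites header bytes has to fix before forwarding. The function names and the rule matcher are my own assumptions, not PDB's interface.

```python
import struct

# Constructed from the (pdb) print hex dump above: a 60-byte IPv4/TCP SYN
# from 192.168.2.6 to 192.168.2.86 port 445, transcribed byte for byte.
PACKET = bytes.fromhex(
    "4510003c70864000" "40060000c0a80206" "c0a80256d8a001bd"
    "1e761b7100000000" "a002ffff141b0000" "020405b401030300"
    "0101080a204a7cb1" "00000000"
)

def parse_ip(pkt):
    """Decode the fixed IPv4 header fields a filter or a debugger needs."""
    vihl, _tos, _tlen, _id, _frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (vihl & 0x0F) * 4, "ttl": ttl, "proto": proto, "csum": csum,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def parse_tcp(pkt, off):
    """Decode the TCP header that starts at byte offset `off` (the IP header length)."""
    sport, dport, _seq, _ack, doff_flags, win = struct.unpack("!HHIIHH", pkt[off:off + 16])
    return {"sport": sport, "dport": dport, "flags": doff_flags & 0x1FF, "window": win}

def rule_matches(pkt, dst_port):
    """Stand-in for the BPF rule 'dst port N': TCP or UDP, destination port at ihl+2."""
    ip = parse_ip(pkt)
    if ip["proto"] not in (6, 17):
        return False
    return struct.unpack("!H", pkt[ip["ihl"] + 2:ip["ihl"] + 4])[0] == dst_port

def examine_byte(pkt, off):          # what "x/b OFFSET" shows
    return pkt[off]

def edit_byte(pkt, off, value):      # what "e/b OFFSET VALUE" does
    return pkt[:off] + bytes([value & 0xFF]) + pkt[off + 1:]

def ip_checksum(header):
    """RFC 791 one's-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_ip_checksum(pkt):
    """Zero the checksum field, recompute it over the IP header, and write it back."""
    ihl = parse_ip(pkt)["ihl"]
    hdr = pkt[:10] + b"\x00\x00" + pkt[12:ihl]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + pkt[ihl:]

if __name__ == "__main__":
    assert rule_matches(PACKET, 445)                     # rule MyRule fires
    print("x/b 0x8 ->", hex(examine_byte(PACKET, 8)))   # 0x40, the TTL
    edited = fix_ip_checksum(edit_byte(PACKET, 8, 0x20))
    print("TTL now", parse_ip(edited)["ttl"], "checksum %#06x" % parse_ip(edited)["csum"])
```

The second dump in the session still shows 00 00 in the checksum field after the edit; on a real wire path that is exactly the byte pair fix_ip_checksum has to repair.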