Auto Restore Virtualbox

For the security class I’m teaching we recently had a box to pwn. Problem is, they would sometimes get the address wrong and crash the virtual system. I probably would have just distributed the vdi, but not all of them have machines robust enough to run a vm, so I had to set something up.
First off, I gave the virtual vulnerable box a public IP by bridging.


auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
    bridge_ports eth0 vbox0 vbox1

# The loopback network interface
auto lo
iface lo inet loopback


vbox0 lundeen br0
vbox1 lundeen br0

Awesome, now firewall rules work. In the vulnbox, I give myself an ip address. On the host, I set up very strict firewall rules using iptables.

Another big issue is auto-restore. Since the class often gets an address wrong, the vulnbox often crashes.

The following will shut the box down, revert to a snapshot, and turn it back on.

/usr/bin/VBoxManage controlvm vulnxp poweroff;
sleep 5;
/usr/bin/VBoxManage snapshot vulnxp discardcurrent -state
sleep 10;
/usr/bin/VBoxManage startvm vulnxp</pre>

Anyway, I put this in crontab to do every 20 minutes.

0,20,40 * * * * /path/to/virtualscript

Count number of lines in a file

find . -type f -exec cat {} ; | wc -l

and if you don’t want repeats

find . -type f -exec cat {} ; | egrep \S | wc -l

I even thought about cat, but I ended up doing something like:

for i in $( find -H . -type f ); do
  temp=$( wc -l "$i" | cut -f 1 -d  )
  if [ $temp &gt; 0 ]; then
  echo $total
echo $total

Bash Error Checking

I was reading an oriley bash scripting book, and they had an entire chapter dedicated to error checking in bash.  For me, this was a little weird since I think the way they handled it made the code cluttered.

They have cascaded statements like

if [ $ -ne 0 ]; then
#handle error

For me, this is strange.  I think in a bourne shell, the best way is to just set the -e flag, which according to the man page

-e errexit If not interactive, exit immediately if any untested command fails. The exit status of a command is considered to be explicitly tested if the command is used to control an if, elif, while, or until; or if the command is the left hand operand of an “&&” or “||” operator.

This can be accomblished by

set -e

in your script.

Error handling is a balancing act between doing too much and handling everything (thus making the code unreadable) and not checking enough.  Normally, if I need much more error checking than that, time to pull out the python.

Golay G24

This is a dirty implemenation of Golay correcting code using python.

This is a solution to 18.13 problem 1 from Trappe and Washington’s Crytography book. To run this, you need bash, python, and the numpy libraries. To run, run  The algorithm is located in

#!/usr/bin/env python
from numpy import *
import sys
geng24 = array([[1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,1,0,0,0,1,0],
B = array([[1,1,1,0,1,1,1,0,0,0,1,0],
errorvector = array([0,0,0,0,0,0,0,0,0,0,0,0])
def weight(obj):
  wt = 0
  for i in obj:
    wt += i
  return wt
geng24_transpose = geng24.transpose()
#r = array([1,1,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,1,0,0,0,0,1,0])
#r = array([0,1,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1,0,0,0,0,1,1])
#r = array([0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,0,1,1,0,0])
#r = array([1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1])
r = []
for i in sys.argv[1].split(','):
r = array(r)
s = (dot(r,geng24_transpose) % 2 )
sdotb = (dot(s,B) % 2 )
#e = array([0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0])
e = zeros( (1,24), dtype=int8)
e = e.flat
if weight(s) <= 3:
  e = array([s, array([0,0,0,0,0,0,0,0,0,0,0,0])])
  e.shape = (1,24)
  e = e.flat
if weight(sdotb) <= 3:
  e_new = array([array([0,0,0,0,0,0,0,0,0,0,0,0]), sdotb])
  e_new.shape = (1,24)
  e = (e + e_new) % 2
  e = e.flat
for j in range(12,24):
  if weight((geng24[:,j] + s)%2) < 2:
    print "ERROR CORRECTION 5"
    e[j] = 1
    e_new = array([(geng24[:,j]+s)%2, array([0,0,0,0,0,0,0,0,0,0,0,0])])
    e_new.shape = (1,24)
    e = (e + e_new) % 2
    e = e.flat
for j in range(0,12):
  if weight((sdotb + B[j,:])%2) <= 2:
    print "ERROR CORRECTION 6"
    e[j] = 1
    e_new = array([array([0,0,0,0,0,0,0,0,0,0,0,0]),((sdotb + B[j,:])%2)])
    e_new.shape = (1, 24)
    e = (e + e_new) % 2
    e = e.flat
print "\ne =  [",
for i in e:
  print i,
print "]\n"
c = ((e + r)%2)
m = array(c[:12])
print "r = ", r
print "c = ", c
print "m = ", m

Here is

echo "Running with Example Problem"
echo "==========================="
./ 1,1,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,1,0,0,0,0,1,0
echo "
Running with Problem1"
echo "==========================="
./ 0,1,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1,0,0,0,0,1,1
echo "
Running with Problem2"
echo "==========================="
./ 0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,0,1,1,0,0
echo "
Running with Problem3"
echo "==========================="
./ 1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1

process monitoring with kill

Part of the reason why pid files often exist.  This technique avoids parsing through ps output or rumaging around /proc.

From the man page:

Name Num Action Description
0 0 n/a exit code indicates if a signal may be sent

Here is example usage

lundeen2@lundeen-office:~$ ps
12833 pts/7 00:00:00 bash
12899 pts/7 00:00:00 ps
lundeen2@lundeen-office:~$ /bin/bash
lundeen2@lundeen-office:~$ ps
12833 pts/7 00:00:00 bash
12902 pts/7 00:00:00 bash
12968 pts/7 00:00:00 ps
lundeen2@lundeen-office:~$ kill -0 99999
bash: kill: (99999) – No such process
lundeen2@lundeen-office:~$ echo $?
lundeen2@lundeen-office:~$ kill -0 12902
lundeen2@lundeen-office:~$ echo $?
lundeen2@lundeen-office:~$ ps
12833 pts/7 00:00:00 bash
12902 pts/7 00:00:00 bash
12977 pts/7 00:00:00 ps

wget login pages

how do you scrape a page that you have to login to get to? Well, one way is to save the cookies and use –post-data, though this depends on how the session is saved.

$ wget http://site/login/index.php –post-data “username=user&password=pass” –save-cookies=cookies.txt –keep-session-cookies

then to grab other pages

$ wget –load-cookies=cookies.txt http://login/someotherpage/index.php

Bash Bomb

So my buddy Greg pointed me to what he called a ‘bash bomb’.  It looks like:

:(){ :|:& };:

Anyway, all it does is recursively fork. gives a good explanation.  I do like it, because of its simplicity and obscurity. I have to deal with recursively forking things all the time (thanks operating system class with students experimenting with fork for the first time).

A simple pam hard limit on the number of processes can mitigate against this.  Put it in /etc/security/limits.conf.

My applicable limits are (fairly liberal):

*               soft    nproc           225
*               hard    nproc          300

So far, nothing has crashed the system with these, but I keep having to tweak them, so I may restrict them further in the future.