
part1.htm
Posted Dec 14, 1999
Authored by Erik Iverson | Site dragonmount.net

Dragonmount Networks has released Part 1 of Using Lookout, which gives an overview of how the Lookout program can be used to quickly test servers for the presence of buffer overflows by taking you through a routine example.

tags | overflow
SHA-256 | 29af8aa269b9de7ff54d1b8593f69425bbc591f9ac74957ead8c9f7b27f6ef7f

<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>

<HEAD>
<META CONTENT="en-us" HTTP-EQUIV="Content-Language">
<META CONTENT="text/html; charset=windows-1252" HTTP-EQUIV="Content-Type">
<META NAME="GENERATOR" CONTENT="Microsoft FrontPage 4.0">
<META NAME="ProgId" CONTENT="FrontPage.Editor.Document">
<TITLE>Dragonmount Networks -=- Lookout -=- Using Lookout, Part 1</TITLE>
<LINK TYPE="text/css" REL="stylesheet" HREF="http://www.dragonmount.net/styles.css">

<META NAME="Microsoft Border" CONTENT="tb, default"></HEAD>

<BODY><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0"><TR><TD>

<SCRIPT LANGUAGE="javascript">
function NavRollOver(oTd)
{
if (navigator.userAgent.indexOf("MSIE") != -1)
if (!oTd.contains(event.fromElement)){oTd.bgColor="990000";}
}
function NavRollOut(oTd)
{
if (navigator.userAgent.indexOf("MSIE") != -1)
if (!oTd.contains(event.toElement)){oTd.bgColor="003377";}
}
</SCRIPT>

<TABLE WIDTH="100%" BGCOLOR="#E0E0E0" HEIGHT="20" CELLSPACING="1" BORDER="0">
<TR>
<TD WIDTH="75" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.dragonmount.net/index.html" CLASS="topnav-link">Home</A></TD>
<TD WIDTH="75" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.dragonmount.net/software/index.htm" CLASS="topnav-link">Software</A></TD>
<TD WIDTH="75" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.dragonmount.net/tradewars/index.htm" CLASS="topnav-link">Tradewars</A></TD>
<TD WIDTH="75" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.dragonmount.net/security/index.htm" CLASS="topnav-link">Security</A></TD>
<TD WIDTH="75" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.dragonmount.net/tutorials/index.htm" CLASS="topnav-link">Tutorials</A></TD>
<TD WIDTH="75" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.dragonmount.net/contact.htm" CLASS="topnav-link">Contact</A></TD>
<TD WIDTH="75" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.dragonmount.net/privacy_usage.html" CLASS="topnav-link">Privacy</A></TD>
<TD WIDTH="75" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.dragonmount.net/projects/" CLASS="topnav-link">Projects</A></TD>
<TD WIDTH="95" BGCOLOR="#003377" ONMOUSEOVER="NavRollOver(this);" ALIGN="center" ONMOUSEOUT="NavRollOut(this);"><A HREF="http://www.winsource.org/" CLASS="topnav-link">WinSource.org</A></TD>
<TD BGCOLOR="#003377" ALIGN="right"><A HREF="javascript:history.go(-1)"><IMG SRC="http://www.dragonmount.net/images/back.gif" WIDTH="13" HEIGHT="13" BORDER="0"></A></TD>
</TR>
</TABLE>
&nbsp;
<TABLE HEIGHT="16" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD ROWSPAN="2"><MAP NAME="FPMap0">
<AREA SHAPE="rect" COORDS="7, 3, 163, 87" HREF="http://www.dragonmount.net/"></MAP><IMG SRC="http://www.dragonmount.net/images/leftxmas.jpg" WIDTH="288" HEIGHT="145" USEMAP="http://www.dragonmount.net/software/lookout/help/part1.htm#FPMap0" BORDER="0"></TD>
<TD VALIGN="top" HEIGHT="36"><IMG SRC="http://www.dragonmount.net/images/right.jpg" WIDTH="258" HEIGHT="36" BORDER="0"></TD>
</TR>
<TR>
<TD VALIGN="top"><!-- - The Datacom Ad Network [http://www.datais.com] --->
<CENTER>
<IFRAME WIDTH="468" MARGINHEIGHT="0" SRC="http://ads.datais.com/ads/ad.cgi?Falcon-ad1&lmth=iframe&chnc=true" FRAMEBORDER="no" HEIGHT="60" SCROLLING="no" MARGINWIDTH="0" BORDER="0">
<A HREF="http://ads.datais.com/ads/ad.cgi?Falcon-link1&chnc=true" TARGET="_top"><IMG ALT="Click here to visit our sponsor" SRC="http://ads.datais.com/ads/ad.cgi?Falcon-ad1&chnc=true" BORDER="0"></A><BR>
<A HREF="http://www.datais.com/">The Datacom Ad Network</A><BR>
</IFRAME>
</CENTER>
<!-- ----------------------------------------------------></TD>
</TR>
</TABLE>
<BR>
&nbsp;

</TD></TR><!-- msnavigation--></TABLE><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" BORDER="0"><TR><!-- msnavigation--><TD VALIGN="top">

<TABLE WIDTH="750" CELLSPACING="0" CELLPADDING="0" BORDER="0">
<TR>
<TD WIDTH="115" VALIGN="top" ALIGN="right"><!-- webbot bot="Include" u-include="../nav-lookout.htm" tag="BODY" startspan -->

<P><A HREF="http://www.dragonmount.net/software/lookout/index.htm" CLASS="navlinkb">Lookout Home</A></P>
<P><A HREF="http://www.dragonmount.net/software/lookout/download/index.htm" CLASS="navlinkb">Download</A></P>
<P><A HREF="http://www.dragonmount.net/software/lookout/help/part1.htm" CLASS="navlinkb">Using Lookout</A></P>
<P><A HREF="http://www.dragonmount.net/software/lookout/source.htm" CLASS="navlinkb">Source</A>

<!-- webbot bot="Include" endspan i-checksum="64404" -->
<P>&nbsp;</TD>
<TD WIDTH="17" VALIGN="top" ALIGN="center"><IMG WIDTH="1" SRC="http://www.dragonmount.net/images/orangepixel.gif" HEIGHT="100%" BORDER="0"></TD>
<TD VALIGN="top">
<H1>Using Lookout, Part 1</H1>
<H2>Detecting Buffer Overflows in Servers</H2>
<P>By: Erik Iverson<BR>
<A HREF="mailto:erik@dragonmount.net">erik@dragonmount.net</A></P>
<P>Dragonmount Networks has recently released a freeware, open source
program called Lookout. This tool has two main functions: it can bind to a
port and simply listen for incoming connections, or it can connect to any
open port on a remote machine and start transmitting data. There are two
main purposes for doing these things. The first one is to learn how
different protocols operate. The second is to test buffers and string
parsing on both servers and clients.</P>
<P>Setting up connections can be rather troublesome, because you need to
know how the protocol works. If you connect to an FTP server, you have to
know that the server is probably expecting you to send a USER command. So
you need to know the basics of the protocol. Once you know this, though,
you can start testing for buffer overflows and the like.</P>
<P>Example: A few weeks ago Dragonmount Networks released an advisory on
NetFTPd, an FTP server for Windows. Practically every command implemented
on this server has a buffer overflow which, when triggered, crashes the
server. For the overflow to take place, a string of about 1025 characters
or more must be sent to the server as the parameter to one of the
affected commands.</P>
<P>Unfortunately, most graphical FTP clients do not let you send arbitrary
strings, so we cannot use them to test for this. The DOS command line FTP
client won't let you enter a string longer than a specified length
(approximately 500 characters), so that one won't work either. Lookout
makes this testing easy, however.</P>
<P>All you have to do is type in the IP address and port number
(probably 21 in this case) and hit the "Connect" button. You'll
be told when the connection was successful. You do have to know something
about the FTP protocol, but not much. The first thing to type in would be
"USER &lt;username&gt;". The parameter, &lt;username&gt;, is any
valid username for the server. If anonymous access were allowed,
"anonymous" would be a good username. Let's pretend it is. In
Lookout, we type "USER anonymous" and send the data. Next, the
FTP server tells us it wants a password. Knowing what we know about the
FTP protocol, we send a PASS &lt;password&gt; command, where
&lt;password&gt; is the user's password. Now we are "logged in"
to the FTP server.</P>
<P>So in the NetFTPd example, there were many commands that could crash
the server when a long string was passed along with them. DIR was one of
them. Now "DIR" isn't actually part of the FTP protocol, but to
provide a common way of looking at listings, the server recognizes
"DIR" and responds with an appropriate action, that of listing
files in a directory structure. Enough about that though, we have buffers
to overflow.</P>
<P>With Lookout, testing the buffer is as easy as this. Simply type
"DIR" in the "send this text" box; then, instead of
typing a string 1025 characters long, check the "followed
by" check box. In the edit box to the right, you can put pretty much
anything. "A" works, so does "x". Remember, all we
want to do is send enough characters; it makes no difference what they
are. Then, in the "repeated" edit box, put in 1025. Note that
due to some memory difficulties on my part, I don't know if the actual
amount is 1025. Try that and see if the server crashes. If it doesn't, the
amount must be greater. Simply type in a number greater than 1025; 2000
should do the trick. So would 10,000. One nuance about Lookout, however,
is that once you start sending especially long character strings like
10,000 or even 30,000 characters, the program takes a short while to send
them all. Just relax while this happens; everything is going to be ok. Most
buffer overflows I have witnessed have been well below 30,000 characters
and most are well below 10,000. But I digress.</P>
<P>So now I'm sure you have crashed the NetFTPd server. This works with
many commands, not just DIR. A good approach to finding buffer overflows
is finding what commands the server supports. Usually, sending a HELP
command to the server will return a list of commands that the server
supports. You can do this by typing HELP in the "send this text"
edit box in Lookout; don't forget to turn off the "followed by"
checkbox (unless you are testing the HELP command for overflows :) ).</P>
<P>Now that you have the list, keep trying commands with variable length
strings until something interesting happens. The server might become
unresponsive, crash, or even bring down the operating system. This all
depends on a lot of factors, so experiment. This is an especially useful
tool if you are coding your own server; make sure to test each command to
verify that evil things don't happen. If you don't, somebody else will.</P>
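<P>For the "coding your own server" case, here is an added example (not code
from Lookout, NetFTPd or Dragonmount) of the server-side bug the article
describes and its hardened form: a fixed 1024-byte parameter buffer, assumed
here to match the "about 1025 characters" threshold, filled with an
unbounded copy versus a handler that checks the length before copying. The
<CODE>reply_for</CODE> helper builds the same "VERB" followed by a repeated
character that the article sends with Lookout, so you can check each verb
with the sizes the text suggests.</P>

```c
/* Added example (not Lookout's or NetFTPd's code): a minimal FTP-style command
 * handler showing the fixed-buffer bug the article describes beside its hardened
 * form. Assumes a 1024-byte parameter buffer, matching the article's threshold. */
#include <stdlib.h>
#include <string.h>
#define PARAM_MAX 1024   /* parameter buffer size in bytes, including the NUL */
enum { REPLY_OK = 200, REPLY_UNKNOWN = 500, REPLY_BAD_PARAM = 501 };
/* Vulnerable pattern, kept as a comment so it is never compiled: the client's
 * parameter goes into a fixed stack buffer with no length check, so a parameter
 * of PARAM_MAX bytes or more writes past the end of the buffer.
 *     char param[PARAM_MAX];
 *     strcpy(param, arg);   // overflows when strlen(arg) >= PARAM_MAX  */
/* Hardened handler: splits "VERB arg" and rejects anything that does not fit
 * its buffers before copying. Returns an FTP-style three-digit reply code. */
int handle_command(const char *line)
{
    char verb[8], param[PARAM_MAX];
    const char *sp = strchr(line, ' ');
    size_t verb_len = sp ? (size_t)(sp - line) : strlen(line);
    const char *arg = sp ? sp + 1 : "";
    size_t arg_len = strlen(arg);
    if (verb_len == 0 || verb_len >= sizeof verb)
        return REPLY_UNKNOWN;            /* verb would not fit: not a command */
    memcpy(verb, line, verb_len);
    verb[verb_len] = '\0';
    if (arg_len >= sizeof param)         /* the check the vulnerable code lacks */
        return REPLY_BAD_PARAM;
    memcpy(param, arg, arg_len + 1);     /* safe: arg_len + NUL <= PARAM_MAX */
    if (param[0] == '\0' && strcmp(verb, "HELP") != 0)
        return REPLY_BAD_PARAM;          /* only HELP may omit its argument */
    return (strcmp(verb, "USER") == 0 || strcmp(verb, "PASS") == 0 ||
            strcmp(verb, "DIR") == 0 || strcmp(verb, "HELP") == 0)
               ? REPLY_OK : REPLY_UNKNOWN;
}
/* Builds "VERB " plus n copies of ch, the "followed by ... repeated" pattern
 * the article sends with Lookout, and returns the handler's reply code. */
int reply_for(const char *verb, char ch, size_t n)
{
    size_t vlen = strlen(verb);
    char *line = malloc(vlen + 1 + n + 1);
    if (!line) return -1;
    memcpy(line, verb, vlen);
    line[vlen] = ' ';
    memset(line + vlen + 1, ch, n);
    line[vlen + 1 + n] = '\0';
    int code = handle_command(line);
    free(line);
    return code;
}
```

A 1023-character parameter still fits (1023 bytes plus the NUL), while 1024 or more is refused with a 501 reply instead of overwriting the stack.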
<P>So give it a shot. Download some servers of different kinds. Install
them on your machine, and use Lookout to give them a run through. A lot of
times, people go through this train of thought when installing servers on
their network or workstations. "Well, server x doesn't have any
advisories for it in the Bugtraq database, so it must be secure."
Wrong! Do not assume this; there may very well be exploits circulating for
it this moment. Take a few moments to make sure the servers you trust your
data with are protected against basic attacks such as buffer overflows.
With tools like Lookout, it won't take long and you'll have that extra
assurance.</P>
<P><BR>
</TD>
</TR>
</TABLE>
&nbsp;

<!-- msnavigation--></TD></TR><!-- msnavigation--></TABLE><!-- msnavigation--><TABLE WIDTH="100%" CELLSPACING="0" CELLPADDING="0" BORDER="0"><TR><TD>

<TABLE WIDTH="750" CELLSPACING="0" CELLPADDING="0" BORDER="0">
<TR>
<TD WIDTH="25"></TD>
<TD WIDTH="718">
<P CLASS="footertext" ALIGN="left"><A HREF="http://www.dragonmount.net/software/lookout/help/part1.htm#top" CLASS="goto">Top of page</A></P>
<P CLASS="footertext" ALIGN="center">This page was last modified Monday, December 13, 1999<BR>
Copyright 1999 Dragonmount Networks. All rights reserved.<BR>
<A HREF="http://www.dragonmount.net/privacy_usage.html" CLASS="navlink">Privacy and Usage Policy</A>.
Questions or comments? <A HREF="http://www.dragonmount.net/contact.htm" CLASS="navlink">Contact us</A>.<BR>
</TD>
</TR>
</TABLE>
<P>&nbsp;

</TD></TR><!-- msnavigation--></TABLE></BODY>

</HTML>