Using Lookout, Part 1
Detecting Buffer Overflows in Servers
By: Erik Iverson
erik@dragonmount.net
Dragonmount Networks has recently released a freeware, open source
program called Lookout. This tool has two main functions: it can bind to a
port and simply listen for incoming connections, or it can connect to any
open port on a remote machine and start transmitting data. There are two
main purposes for doing these things. The first one is to learn how
different protocols operate. The second is to test buffers and string
parsing on both servers and clients.
Setting up connections can be rather troublesome, because you need to
know how the protocol works. If you connect to an FTP server, you have to
know that the server is probably expecting you to send a USER command. So
you need to know the basics of the protocol. Once you know this, though,
you can start testing for buffer overflows and the like.
Example: A few weeks ago Dragonmount Networks released an advisory on
NetFTPd, an FTP server for Windows. Practically every command implemented
on this server has a buffer overflow, which when used will crash the
server. For the overflow to take place, a string of about 1025 characters
or greater needs to be sent to the server as a parameter to one of the
affected commands.
Unfortunately, most graphical FTP clients do not let you send arbitrary
strings, so we cannot use them to test for exploits. Also, the DOS
command line FTP client won't let you enter a string longer than a
specified length (approximately 500 characters), so that one won't work
either. Lookout makes this testing easy, however.
All you have to do is type in the IP address and port number
(probably 21 in this case) and hit the "Connect" button. You'll
be told when the connection is successful. You do have to know something
about the FTP protocol, but not much. The first thing to type in would be
"USER <username>". The parameter, <username>, is any
valid username for the server. If anonymous access were allowed,
"anonymous" would be a good username. Let's pretend it is. In
Lookout, we type "USER anonymous" and send the data. Next, the
FTP server tells us it wants a password. Knowing what we know about the
FTP protocol, we send a PASS <password> command, where
<password> is the user's password. Now we are "logged in"
to the FTP server.
So in the NetFTPd example, there were many commands that could crash
the server when a long string was passed along with them. DIR was one of
them. Now "DIR" isn't actually part of the FTP protocol, but to
provide a common way of looking at listings, the server recognizes
"DIR" and responds with an appropriate action, that of listing
files in a directory structure. Enough about that though, we have buffers
to overflow.
Testing the buffer is easy with Lookout. Simply type
"DIR" in the "send this text" box; then, instead of
typing a string 1025 characters long, you simply check the "followed
by" check box. In the edit box to the right, you can put pretty much
anything. "A" works, so does "x". Remember, all we
want to do is send enough characters; it makes no difference what they
are. Then, in the "repeated" edit box, put in 1025. Note that
due to some memory difficulties on my part, I don't know if the actual
amount is 1025. Try that and see if the server crashes. If it doesn't, the
amount must be greater. Simply type in a number greater than 1025; 2000
should do the trick. So would 10,000. One nuance about Lookout, however,
is that once you start sending especially long character strings like
10,000 or even 30,000, the program takes a short bit to send them all.
Just relax while this happens, everything is going to be ok. Most buffer
overflows I have witnessed have been well below 30,000 characters and most
are well below 10,000. But I digress.
So now I'm sure you have crashed the NetFTPd server. This works with
many commands, not just DIR. A good approach to finding buffer overflows
is finding what commands the server supports. Usually, sending a HELP
command to the server will return a list of commands that the server
supports. You can do this by typing HELP in the "send this text"
edit box in Lookout; don't forget to turn off the "followed by"
checkbox (unless you are testing the HELP command for overflows :) ).
Now that you have the list, keep trying commands with variable length
strings until something interesting happens. The server might become
unresponsive, crash, or even bring down the operating system. This all
depends on a lot of factors, so experiment. This is an especially useful
tool if you are coding your own server; make sure to test each command to
verify that evil things don't happen. If you don't, somebody else will.
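As an added example (not part of Lookout or this article), here is the kind of bounded command-line parser a server author can write and then unit-test against exactly the parameter lengths discussed above, so that a 1025-character DIR or HELP parameter is refused instead of overrunning a fixed buffer; the 1024-byte limit, the function names and the test helpers are constructed for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#define CMD_MAX   4     /* FTP verbs are at most four letters (USER, PASS, HELP) */
#define PARAM_MAX 1024  /* constructed limit: largest parameter this server stores */
enum parse_result { PARSE_OK = 0, PARSE_BAD_CMD = 1, PARSE_TOO_LONG = 2 };
struct ftp_cmd { char verb[CMD_MAX + 1]; char param[PARAM_MAX + 1]; };

/* Split "VERB param\r\n" into fixed-size fields. Every copy is preceded by a
 * length check, so an oversized parameter comes back as PARSE_TOO_LONG. */
int parse_ftp_line(const char *line, struct ftp_cmd *out)
{
    size_t vlen = strcspn(line, " \r\n"), plen, i;
    memset(out, 0, sizeof *out);
    if (vlen == 0 || vlen > CMD_MAX)
        return PARSE_BAD_CMD;                   /* empty line or overlong verb */
    for (i = 0; i < vlen; i++)
        out->verb[i] = (char)toupper((unsigned char)line[i]);
    line += vlen + (line[vlen] == ' ');         /* skip verb and one separator */
    plen = strcspn(line, "\r\n");               /* measure the parameter first ... */
    if (plen > PARAM_MAX)
        return PARSE_TOO_LONG;                  /* ... and copy it only if it fits */
    memcpy(out->param, line, plen);
    out->param[plen] = '\0';
    return PARSE_OK;
}

/* Test helper: does the line parse into exactly this verb and parameter? */
int parse_matches(const char *line, const char *verb, const char *param)
{
    struct ftp_cmd cmd;
    return parse_ftp_line(line, &cmd) == PARSE_OK &&
           strcmp(cmd.verb, verb) == 0 && strcmp(cmd.param, param) == 0;
}

/* Test helper mirroring Lookout's "followed by <fill> repeated <n>" boxes:
 * build "VERB " + n copies of fill + "\r\n" and return the parser's verdict. */
int probe_param_length(const char *verb, size_t n, char fill)
{
    size_t vlen = strlen(verb);
    char *line = malloc(vlen + n + 4);          /* verb, space, n bytes, CR LF NUL */
    struct ftp_cmd cmd; int rc;
    if (!line) return -1;
    memcpy(line, verb, vlen);
    line[vlen] = ' ';
    memset(line + vlen + 1, fill, n);
    memcpy(line + vlen + 1 + n, "\r\n", 3);
    rc = parse_ftp_line(line, &cmd);
    free(line);
    return rc;
}
```

Run the probe helper over the same lengths the article suggests (500, 1025, 2000, 10,000) against each verb your server's HELP output lists; every one of them should come back as PARSE_OK or PARSE_TOO_LONG, never as a crash.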
So give it a shot. Download some servers of different kinds. Install
them on your machine, and use Lookout to give them a run through. A lot of
times, people go through this train of thought when installing servers on
their network or workstations. "Well, server x doesn't have any
advisories for it in the Bugtraq database, so it must be secure."
Wrong! Do not assume this; there may very well be exploits circulating for
it this moment. Take a few moments to make sure the servers you trust your
data with are protected against basic attacks such as buffer overflows.
With tools like Lookout, it won't take long and you'll have that extra
assurance.