

Entries posted in October 2005

The power of the dark side ...

3 October 2005 21:50

Format Strings

Format string attacks are utterly fascinating.

In the general case they allow you to overwrite arbitrary memory addresses with arbitrary contents. So whilst your typical l33t hax0r will overwrite a return address to execute shellcode there are many more interesting things you can do.

One fun, albeit very complicated, attack I made was to take advantage of a format string attack in an authentication module - allowing me to NOP out the "invalid password" response. Almost undetectable, and utterly useful.

It is possible to be much more evil than writing basic shellcode with a little creativity.

It isn't often I get this excited about low-level code.

(I think the last time I was this pleased was when I was shown a demo of a game that a prior company had written - we were shown it because it made a nice lunchtime talk, and because it wouldn't run on current versions of Windows; so there was no risk of us wasting time by playing it. A few minutes with a disassembler later I had a working binary :) )

Just call me +Steve ;)

| No comments


Nessus + security scanning engines ..

7 October 2005 21:50

Security Scanners

After reading that Nessus is becoming non-free [/. link] I spent a while playing with some simple scripting tools.

There are two things you want with a security tester:

  • A good GUI.
  • A good engine.

If you have the right kind of scriptable engine you can do all your security tests via scripts. That's clever. That's sensible. That is hard.

For fun I figured it would be interesting to see what kind of testing you could perform with minimal primitives.

Turns out you can do a fair bit if you only expose HTTP GETs. Surprised? I was…

I wrote a brief C++ interface between LUA and LibCURL which calls the function "test_host( host, port )" on an arbitrary number of LUA scripts. This allows simple tests to be made easily:

Trivial scripts. Trivial code. Semi-useful result?

I guess to make it more useful you'd want to have a port scanning tool, along with some more socket primitives (e.g. Send "xxx", look for "yyy" in the results).

The code is available if you wish to play and the LUA interface could be improved fairly easily…

I'm tempted to keep working on it, but I have little experience in writing the kind of tests that are required - and to be honest I guess the more productive thing is for interested parties to fork nessus ..



Scanner + CVS

9 October 2005 21:50

"Security Scanner"

No comments on my previous entry about this, but a ton of interesting emails. So I'll mention it again, briefly.

I updated the code, gave it a name, and made a new release - see fortress webpages. ("Fortress" is a silly name inspired by the fact that the provisional name "Steves Simple Security Scanner" had four "S" words. "Four S" sounds like "Fortress". Groan)

Right now I'm trying to get some portscanning code into the scripting engine, so that the scripts can do interesting things.

Again feedback welcome.

CVS Repository

Inspired by the interest in the scanner I figured it was about time I started getting organised and sharing my CVS repositories.

So I registered a domain name (surprised that it is available. This is possibly a clue that my dyslexia has struck …) - CVSRepository.org - and now have a place to put my code.

The site is running a hacked copy of CVS Trac, a nice combination of a CVS viewer + wiki + ticket (bug report) system.

I've submitted a patch to make browsing easier, and made some other simple changes.

Most of the effort in setting up the site was getting wildcard DNS working for both Bind + Apache. Cheers to Broonie for agreeing to run DNS secondary for me.

Now I can drop in new projects and have them work:

All being well the DNS nameservers should be live by the time this entry is visible, and the links will work



Voice ...?

11 October 2005 21:50


I wrote a brief introduction to recording screen activity with vnc2swf - a neat tool that creates flash movies of screen activity.

So of course i had to produce a "demo film". With audio.

In my defense my voice sounds bad because I'm sniffly, and if you look at the time in the lower corner of the window you'll see that it is massively early AM.

Enthusiasm rose and then peaked when I got up in the middle of the night to answer the phone.

Bonus points for anybody (who doesn't already know) who can correctly place my accent. I think it is easy, but then again I collect accents from strangers …




12 October 2005 21:50

Planet Express

For some time now I've allowed people to make "weblog" entries upon the Debian Administration website.

Once I'd done that it was suggested I setup an installation of PlanetPlanet to aggregate them all. So I did: Planet Debian Administration.

However this solution was suboptimal:

  1. Users create weblog entries, which have their own XML feed.
  2. Local Planet installation makes a request to http://localhost/ - for each account.
  3. Planet processes the XML entries and outputs the static HTML + feeds.
  4. Repeat from step 2 every hour.

The overhead of processing each of the blog feeds on the server side was a little too high - to the extent that making a hundred odd requests at 7 minutes past the hour was noticeable if you were logged in to the server.

So I figured it made sense to skip all this, and just fetch the contents of the weblogs from the local database - where they are all stored anyway.

This immediately speeds things up. Generating the new planet now takes less than a second, total time.

It also means that I can take advantage of my knowledge of the Yawns table structure to list the number of comments upon each entry - or do other similar things.

Since the site is driven by software called "Yawns" (irony is ..) the new software is called "Yawns Planet". There is a CVS repository here.

Start to finish this was about three hours work. But damn I love developing in perl… the hours just flew by :)



Searchable Planet

13 October 2005 21:50

The planet is now searchable.



Sleep Study

13 October 2005 21:50

Tonight I will mostly be in hospital wired to lots of monitoring machines.

Been a long time coming.



Debian Planet Searching?

18 October 2005 21:50

Debian Planet Search?

Would anybody have any objection to planet debian searching?

Obviously this would require that all public entries were archived away somewhere safe …

(Related to previous questions by users about archiving to mailing lists, I guess)



Fortress updated.

18 October 2005 21:50


Fortress the simple scanner, or scriptable network system is coming along nicely.

For example the script test-port-identification.lua

--  Detect the ports open on a host, and attempt to identify their services.

-- Create a helper function.
function identify_ports( host )

  print( 'Scanning: ' .. host );

  -- portscan() and detect_service() are primitives exported by fortress.
  local open = portscan( host );

  -- Lua tables are 1-indexed; table.getn() gives the number of entries.
  for i=1,table.getn(open) do
     local service = detect_service( host, open[i] );
     print( ' Open port ' .. open[i] .. ' identified as ' .. service );
  end

  print( table.getn(open) .. ' ports open on ' .. host );
end

-- Now do some scans.
identify_ports( 'localhost' );
identify_ports( 'itchy' );
identify_ports( 'scratchy' );

This produces:

skx@lappy:~/cvs/fortress$ ./fortress tests/test-port-identification.lua
Scanning: localhost
 Open port 22 identified as ssh
 Open port 25 identified as smtp
 Open port 80 identified as www
3 ports open on localhost


I've also added primitives for working with SHA1 and MD5 hashes (both strings and file contents). Once I can get a few more primitives added I'll make a 0.3 release and see if people care.

In other news, nothing much is happening. I'm waiting to hear about the results from my sleep study. I've had verbal results, but they don't count for much and miss important details - hopefully not too much longer as I'm due back at work fairly soon ..



Planet Updates

19 October 2005 21:50

I'll stop soon .. honest .. in the mean time two planet-related updates:




22 October 2005 21:50

The time is 18:43 and I'm going to bed.

If anybody wishes to make my day they could point to a good set of documentation on the setup and running of a buildd.

Lots of people apparently manage it successfully (Experimental, AMD64, etc) however I'm finding it:

  • Confusing
  • Difficult to visualise.
  • Painful.

The CSS-ification is going well. And all being well tomorrow I'll have blacklisting support for the Planet Debian Searching. If people wish to opt-out of the indexing then that will become trivial.

I still believe that I am correct in believing that content carried upon Planet Debian is liable to be mirrored, but I'm not going to argue.

(Sure an individual server hosting a blog might have a /robots.txt forbidding it - but planet.debian.org doesn't - so it will likely be crawled, archived, whatever.)


Night night, world.



Building & Searching

25 October 2005 21:50


Thanks to some useful feedback from people who read my request I now have a working buildd setup.

Wouter pointed to Debian's own documents on the subject which were certainly useful. However they are not sufficiently useful.

For example it's simple enough to understand from reading the supplied recipe how to setup a buildd. This will let you run something like:

sbuild -d stable -v screen_4.0.2-4.1


sbuild -d unstable -v screen_4.0.2-4.1

However this is a far cry from a useful tool. What I wanted was a system to which I could upload a package and have it magically be built …


The Planet search will now correctly honour a server's /robots.txt file if present.

So if your own blog-server contains a robots.txt file forbidding spidering, caching, or archiving then this will not take place - despite the fact that Planet Debian doesn't contain such a file.

Note that several fine blogging systems will respond to /robots.txt with error pages, such as Blosxom which gives this delightful page in response to a request:

Error: I'm afraid this is the first I've heard of a "txt" flavoured Blosxom. Try dropping the "/+txt" bit from the end of the URL.
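The robots.txt handling described above, as an added example that is not taken from the planet search code: a fetched reply is honoured only when it really is a robots.txt (a 200 response with a text/plain body), so an HTML error page such as Blosxom's, or a plain 404, is treated as "no robots.txt" and never parsed as directives. The Response tuple, the function names, the "planet-search" agent token and the sample replies (including the assumption that the Blosxom error page arrives with status 200) are constructed for this example.

```python
"""Decide whether a blog may be indexed from its /robots.txt reply (constructed example)."""
from collections import namedtuple

# HTTP status, Content-Type header value, decoded body.
Response = namedtuple("Response", "status content_type body")

def disallowed_paths(resp, user_agent):
    """Return the Disallow prefixes that apply to user_agent.

    Anything that is not a 200 text/plain reply (a 404, or an HTML error
    page served in place of robots.txt) counts as 'no robots.txt': nothing
    is disallowed and the body is never parsed as directives."""
    if resp.status != 200 or not resp.content_type.lower().startswith("text/plain"):
        return []
    groups, agents, paths, in_agents = [], [], [], False
    for raw in resp.body.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if agents and not in_agents:              # a new group starts here
                groups.append((agents, paths))
                agents, paths = [], []
            agents.append(value.lower())
            in_agents = True
        else:
            if key == "disallow" and agents and value:
                paths.append(value)
            in_agents = False
    if agents:
        groups.append((agents, paths))
    ua = user_agent.lower()
    for specific in (True, False):                   # our own group first, then '*'
        for names, rules in groups:
            if any((n != "*" and n in ua) if specific else n == "*" for n in names):
                return rules
    return []

def may_index(resp, user_agent, path):
    """True unless a matching Disallow prefix covers the requested path."""
    return not any(path.startswith(p) for p in disallowed_paths(resp, user_agent))

# Constructed replies: a genuine robots.txt, a Blosxom-style HTML error page
# served with status 200 (assumed), and a plain 404.
REAL = Response(200, "text/plain", "User-agent: *\nDisallow: /private/\n\n"
                "User-agent: planet-search\nDisallow: /\n")
BLOSXOM = Response(200, "text/html", "<p>Error: I'm afraid this is the first "
                   "I've heard of a \"txt\" flavoured Blosxom.</p>")
MISSING = Response(404, "text/html", "<h1>Not Found</h1>")
```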



Supporting Free Software?

25 October 2005 21:50

PJ@groklaw on SuSE 10.0:

You can download for the cost of your blank CDs, or you can purchase it for $59.95 if you are in the US, and you can buy online. I will probably do both, after reading the two reviews. I can't wait, so I'll download it, and then I will buy also, so that I can support wonderful FOSS software and because you get extras, like documentation in a book, which is good if you ever can't get online.

I've seen this argument before "Buy distribution of GNU/Linux and support free software programmers". The only problem I have with it is that it is incorrect.

Buying GNU/Linux distributions helps the vendors who created it, certainly, and may indirectly help pay for some free software in the sense that the vendors might ship free software they wrote (e.g. SuSE's Yast2).

However plonking down real cash-money for a boxed set of SuSE gives no money to the people who created MySQL, no money to the people who created Firefox, no money to the people who created Emacs, Vim, Bash, and Catan/Pioneers, etc.

So supporting free software distributors? Great! But to reward actual free software programmers? Go buy them a wishlist item, give them some cash, throw them a postcard, send them an email…

Or not. As the case may be.



Lua Rocks.

27 October 2005 21:50

Now what else can I embed a Lua script interpreter into?



GNUMP3d + apt

28 October 2005 21:50

Security Updates

A new version of GNUMP3d is out. This is primarily a security update.

Install it now if you use it publicly.

(Local mirror in case you're running from source and the gnump3d.org site hasn't updated yet)

Apt Updates

I've updated my personal APT repository. This now uses reprepro to create/update/manage it.

The reprepro tool is utterly wonderful. (Although I used the backported Sarge version, rather than the older one). Expect an article on the Debian Administration website shortly.

Now I have an "incoming" directory I can upload new package builds to, and have them magically migrate into the relevant section.

The other significant change is that now I can host packages with Arch: All, as well as i386. This is useful as I distribute several perl scripts/libraries which were previously unavailable to non-x86 users.

Talking of which I still have to finish my review of The Debian System written by Martin Kraft - I've been sitting on that for too long. (Summary: Great Book, buy it if you can't get one donated to review ;) ).



Lua Webserver

29 October 2005 21:50


A toy webserver written in lua: httpd.lua - using a small shared library to implement bind(), accept(), connect(), read(), write(), and close().

Well it killed an hour or two, and could be useful. Possibly. Maybe?

I think I'm falling in love - Lua is the new perl.

Update: Now supporting virtual hosts, binary files, and sending appropriate MIME types.



Advogato + Syndication

30 October 2005 21:50


Randomly clicking around Advogato today I accidentally tried to login.

Rather than seeing "Person not Found" which is all I've seen since my account(s) were removed I now get "incorrect password".

It looks like my primary, and replacement accounts at Advogato are back.

At the time those accounts were removed I setup this blog so that I could still remain syndicated upon Planet Debian.

It would be nice to have the Advogato account(s) back, but I could live without them. (Indeed mailing Raph at his acm.org address bounced so I may well have to)


For my own notes. This blog appears at:


Of course my daily life goes entirely elsewhere - but that contains rudeness, angst, & etc. As you would expect from LiveJournal ;)



Lua annoyance

31 October 2005 21:50

Lua Directory Handling

Arrrgggghhhhh!!!! OK maybe lua is not love.

I just realised that Lua has no concept of directory handling (opendir, readdir, etc). Indeed it isn't possible to tell whether something is a directory or a file.

So I added some more primitives to the Lua socket extension library. Most usefully a readdir call.

This means the sample webserver can now serve directory contents if index.html isn't found. It can also now fall back to serving a "default virtual host" if the requested one doesn't exist.

The webserver code is now very stable and complete. The only omission is CGI handling, but I'm not going to bother unless prompted strongly.

I've added some simple examples to the documentation and I think things are looking good. The Debian package has been downloaded a few times, but no real feedback - feel free to share, don't be shy!
