Generating Hex Numbers to brute force rs_iis.c

Hey guys,

In playing with rs_iis.c (ntdll exploit) in our lab, I've been looking for ways to brute force the return address.

I know there's been a shell script (rs_brute.sh) released that already does this, but since I've been playing with PERL lately (and since this shell script did not exist when I began playing with the exploit), I thought I'd take a whack at producing the RET addresses (0x0000-0xffff) in a PERL script. I just wanted to get your input and see if there is and easier way to do this (using PERL, of course). Basically, the goal is as follows:

1. generate Hex Numbers from 0x0000 to 0xffff in the following pattern

• pass the output to rs_iis via system() command?

  So far, I can generate the output and print it to stdout. Any tips on getting the script to run rs_iis once with each address produced by the script? Also, is there a way to produce this output without creating an array like this?

  #!/usr/bin/perl -w
  @HexD =
  ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');

  for ($i = 0; $i <= 255; $i += 1) {

          printf("$HexD[int($i / 16)]$HexD[$i % 16]", $i);
          printf("$HexD[int($i / 16)]$HexD[$i % 16]\n", $i);
          }
  

  Many thanks,

  -Jeremy

  Do you need help?

  In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

  • application/octet-stream attachment: hex2.pl
  Received on Tue Apr 1 14:28:47 2003