Vulnerability Development mailing list archives
Generating Hex Numbers to brute force rs_iis.c
From: "Jeremy Junginger" <jj () act com>
Date: Mon, 31 Mar 2003 08:14:49 -0700
Hey guys,
In playing with rs_iis.c (ntdll exploit) in our lab, I've been looking
for ways to brute force the return address.
I know there's been a shell script (rs_brute.sh) released that already
does this, but since I've been playing with PERL lately (and since this
shell script did not exist when I began playing with the exploit), I
thought I'd take a whack at producing the RET addresses (0x0000-0xffff)
in a PERL script. I just wanted to get your input and see if there is
an easier way to do this (using PERL, of course). Basically, the goal
is as follows:
1) generate Hex Numbers from 0x0000 to 0xffff in the following pattern
(0x0000 0x0101 0x0202...0xfdfd 0xfefe 0xffff)
2) pass the output to rs_iis via system() command?
So far, I can generate the output and print it to stdout. Any tips on
getting the script to run rs_iis once with each address produced by the
script? Also, is there a way to produce this output without creating an
array like this?
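#!/usr/bin/perl -w
# Lookup table of hex digits
@HexD = ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
# Print each byte value twice as hex, one per line: 0000, 0101, ... ffff
for ($i = 0; $i <= 255; $i += 1) {
    # print rather than printf: the string holds no format specifiers,
    # so the extra $i argument was unused
    print "$HexD[int($i / 16)]$HexD[$i % 16]";
    print "$HexD[int($i / 16)]$HexD[$i % 16]\n";
}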
Many thanks,
-Jeremy
Attachment: hex2.pl
