Metasploit mailing list archives
Re: Error while framing RPC Packet
From: Sujit Ghosal <thesujit () gmail com>
Date: Wed, 23 Jun 2010 17:53:03 +0530
Joshua,

Well, it seems that is the only option left right now. But as far as I remember, mIDA will decode the structure for that specific RPC Interface UUID. It won't tell how the specific UUID will accept various Opnum values (if Opnum is different in my 3 types of requests) and its stub in the request. Isn't it? I am going through mIDA once. Let's see if I can get any hint out of it.

Though the RPC specification is there by Opengroup and HSC, when it comes to packet framing it's not helping.

- Sujit

On Wed, Jun 23, 2010 at 12:56 PM, Joshua J. Drake <jdrake () metasploit com> wrote:
> On Wed, Jun 23, 2010 at 11:06:30AM +0530, Sujit Ghosal wrote:
>> Hi All,
>>
>> I am framing an RPC packet structure for one MSMQ Service UUID: 41208ee0-e970-11d1-9b9e-00e02c064c39
>>
>> The problem I am facing now is while crafting the RPC Packet based on the above UUID. It seems I am making some mess while constructing the packet for the above UUID, as I guess that it's because of an invalid structure for Opnum 0x01. I think I am doing some miscalculations. Btw, I was successful in binding to the above interface as I got the ACK that the interface has been bound successfully, but the moment I send the Opnum to perform my attack, I am not framing the bytes properly. I am coming across one DCERPC response as "nca_s_fault_invalid_tag" whose PDU fault value is 1C000006. So I am not able to proceed further. :(
>>
>> So I was just wondering if there is any documentation which can give some excerpt on how this packet framing should be done for different Opnums, i.e. 0x01 or 0x06 or 0x12, with any UUIDs?
>
> I'm not an expert at Windows RPC by any means, but I think maybe what you're looking for is mIDA. It is a plugin for IDA Pro that can extract IDL (Interface Descriptor Language?) definitions from binaries. The general process would be opening the msmq service binary (exe/dll/whatever) in IDA and running mIDA on it. If that doesn't help, I recommend stepping through the NDR decoding routines and paying special attention to the data that is being decoded. It may point out exactly which part you're messing up.
>
> Hope this helps!
>
> --
> Joshua J. Drake
https://mail.metasploit.com/mailman/listinfo/framework
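The framing the thread is asking about, as an added worked example (this is not code from either poster, nor from Metasploit): it builds the connection-oriented DCE/RPC bind PDU for the MSMQ interface UUID quoted above, a request PDU for an arbitrary opnum with an NDR-encoded stub, and a decoder for fault PDUs so that a status such as 1C000006 can be read by name. Two points it makes concrete: the opnum only changes a 16-bit field in the request header, so "framing for opnum 0x01 vs 0x06 vs 0x12" is entirely a question of the stub bytes that follow; and nca_s_fault_invalid_tag (0x1C000006) is the status the server's NDR unmarshaller raises when a union discriminant in that stub matches no case in the interface's IDL, which is why the decoded IDL (from mIDA or from stepping through the NDR routines) is the only place the stub layout can be taken from. Assumptions, labelled in the code: interface version 1.0 for the bind, a 32-bit union switch type, and the sample stub layout (pointer, union, conformant byte buffer), which is constructed for illustration and is not the real IDL of any opnum on that interface. Python is used because the framing is plain byte packing and does not depend on any Metasploit API.

```python
"""DCE/RPC connection-oriented PDU framing (C706 / MS-RPCE): bind, request and
fault PDUs plus a tiny NDR stub encoder. Added illustration, not code from either
poster or from Metasploit."""
import struct
import uuid

MSMQ_IFACE_UUID = uuid.UUID("41208ee0-e970-11d1-9b9e-00e02c064c39")  # from the thread
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR 2.0
PTYPE_REQUEST, PTYPE_FAULT, PTYPE_BIND = 0, 3, 11
PFC_FIRST_LAST = 0x03                    # first_frag | last_frag: single-fragment PDU
DREP_LE = b"\x10\x00\x00\x00"            # little-endian ints, ASCII chars, IEEE floats
FAULT_STATUS = {                         # subset of C706 Appendix E
    0x1C000006: "nca_s_fault_invalid_tag",    # union discriminant matched no IDL case
    0x1C000007: "nca_s_fault_invalid_bound",  # array bound inconsistent with the data
    0x1C000012: "nca_s_fault_unspec",
    0x1C010002: "nca_s_op_rng_error",         # opnum outside the interface's range
    0x1C010003: "nca_s_unk_if",               # interface UUID/version not registered
}


class NdrStub:
    """Minimal NDR 2.0 encoder: primitives aligned to their own size relative to
    the stub start, [unique] pointers as 4-byte referent ids."""
    def __init__(self):
        self.buf, self._rid = bytearray(), 0x20000

    def uint32(self, v):
        self.buf += b"\x00" * (-len(self.buf) % 4) + struct.pack("<I", v)
        return self

    def unique_ptr(self, present=True):
        self._rid += 4
        return self.uint32(self._rid if present else 0)   # referent id 0 encodes NULL

    def raw(self, data):
        self.buf += data
        return self

    def conformant_bytes(self, data):
        return self.uint32(len(data)).raw(data)           # max_count, then the elements

    def union_arm(self, tag, encode_arm):
        """Encapsulated union; 32-bit switch type is ASSUMED (use the IDL's switch_type).
        A tag with no case in the server's IDL is what yields 0x1C000006."""
        encode_arm(self.uint32(tag))
        return self

    def bytes(self):
        return bytes(self.buf)


def _header(ptype, call_id, body_len):
    # rpc_vers, rpc_vers_minor, ptype, pfc_flags, packed_drep, frag_length, auth_length, call_id
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_LAST, DREP_LE, 16 + body_len, 0, call_id)


def _syntax_id(u, major, minor):
    return u.bytes_le + struct.pack("<HH", major, minor)   # DCE UUID wire order + version


def build_bind(call_id, iface=MSMQ_IFACE_UUID, major=1, minor=0, ctx_id=0):
    """Bind with one presentation context. Interface version 1.0 is an ASSUMPTION."""
    body = struct.pack("<HHI", 4280, 4280, 0)            # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)                 # n_context_elem, reserved, reserved2
    body += struct.pack("<HBB", ctx_id, 1, 0)            # p_cont_id, n_transfer_syn, reserved
    body += _syntax_id(iface, major, minor) + _syntax_id(NDR_TRANSFER_SYNTAX, 2, 0)
    return _header(PTYPE_BIND, call_id, len(body)) + body


def build_request(call_id, ctx_id, opnum, stub):
    """Request: alloc_hint, p_cont_id, opnum, then the NDR stub (stub starts at offset 24)."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return _header(PTYPE_REQUEST, call_id, len(body)) + body


def build_fault(call_id, ctx_id, status):
    """Fault as a server sends it: alloc_hint, p_cont_id, cancel_count, reserved, status, reserved2."""
    body = struct.pack("<IHBBII", 0, ctx_id, 0, 0, status, 0)
    return _header(PTYPE_FAULT, call_id, len(body)) + body


def parse_pdu(data):
    """Decode the common header and the request/fault bodies (no auth trailer support)."""
    vers, _, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", data)
    if vers != 5 or frag_len != len(data) or auth_len or not drep[0] & 0x10:
        raise ValueError("unsupported or truncated PDU")
    info = {"ptype": ptype, "call_id": call_id, "flags": flags}
    if ptype == PTYPE_REQUEST:
        _, info["ctx_id"], info["opnum"] = struct.unpack_from("<IHH", data, 16)
        info["stub"] = data[24:]
    elif ptype == PTYPE_FAULT:
        _, info["ctx_id"], _, _, status, _ = struct.unpack_from("<IHBBII", data, 16)
        info["status"], info["status_name"] = status, FAULT_STATUS.get(status, "unknown")
    return info


def frame_sample_request(opnum=1, call_id=2, ctx_id=0, tag=1):
    """CONSTRUCTED stub: a [unique] pointer, then a union whose arm is a conformant
    byte buffer. Illustrative layout only, not the real IDL of this opnum."""
    stub = NdrStub().unique_ptr().union_arm(tag, lambda s: s.conformant_bytes(b"MSMQ")).bytes()
    return build_request(call_id, ctx_id, opnum, stub)


if __name__ == "__main__":
    print(build_bind(1).hex())
    print(frame_sample_request().hex())
    # Constructed fault PDU carrying the status from the thread, 1C000006.
    print(parse_pdu(bytes.fromhex("0500030310000000200000000300000000000000000000000600001c00000000")))
```

Sending the bytes (over the endpoint mapper on TCP 135 or an SMB named pipe) and checking the bind_ack result list are deliberately left out; they do not change the framing. The practical check when a request comes back with 0x1C000006 is to compare every switch value in the stub against the case labels of the IDL for that opnum, because the header and opnum field are accepted long before the server ever looks at them.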
Current thread:
- Error while framing RPC Packet Sujit Ghosal (Jun 22)
- Re: Error while framing RPC Packet Joshua J. Drake (Jun 23)
- Re: Error while framing RPC Packet Sujit Ghosal (Jun 23)
- Re: Error while framing RPC Packet Joshua J. Drake (Jun 23)