Re: Error while framing RPC Packet

[Sujit Ghosal <thesujit () gmail com>]

Joshua,
        Well it seems that is the only option left right now. But as far as
I remember, mIDA will decode the structure for that specific RPC Interface
UUID. It won't tell the way that how the specific UUID will accept various
Opnum values (if Opnum is different in my 3 types of requests) and its stub
in the request. Isn't it? I am going through mIDA once. Lets see if I can
get any hint out of it.

Though, RPC specification is there by Opengroup and HSC, but while it comes
to packet framing its not helping.

- Sujit


On Wed, Jun 23, 2010 at 12:56 PM, Joshua J. Drake <jdrake () metasploit com>wrote:

> On Wed, Jun 23, 2010 at 11:06:30AM +0530, Sujit Ghosal wrote:
> > Hi All,
> >    I am framing an RPC packet structure for one MSMQ Service UUID:
> > 41208ee0-e970-11d1-9b9e-00e02c064c39
> >
> >    The problem I am facing now is while crafting the RPC Packet based on
> the
> > above UUID. It seems I am making some mess while constructing the packet
> for
> > the above UUID as I guess that its because of invalid structure for Opnum
> > 0x01. I think I am doing some miscalculations. Btw I was successful to
> bind
> > to the above interface as I got the ACK that the interface has been bound
> > successfully, but the time I am sending the Opnum to perform my attack
> then
> > I am not framing the bytes properly. I am coming across with one DCERPC
> > response as "nca_s_fault_invalid_tag" whose PDU fault value is 1C000006.
> So
> > I am not able to proceed further. :(
> >
> >    So I was just wondering, if there is any documentation which can give
> > some excerpt on how this packet framing should be done for different
> Opnums
> > i.e. 0x01 or 0x06 or 0x12 with any UUIDs?
>
> I'm not an expert at Windows RPC by any means, but I think maybe what
> you're looking for is mIDA. It is a plugin for IDA Pro that can
> extract IDL (Interface Descriptor Language?) definitions from
> binaries. The general process would be opening the msmq service binary
> (exe/dll/whatever) into IDA and running mIDA on it,
>
> If that doesn't help, I recommend stepping through the NDR decoding
> routines and paying special attention to the data that is being
> decoded. It may point out exactly which part you're messing up.
>
> Hope this helps!
>
> --
> Joshua J. Drake
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework