Home page logo
/

metasploit logo Metasploit mailing list archives

Help Understanding Stub for MS06-040
From: asotirov at determina.com (Alexander Sotirov)
Date: Wed, 14 Mar 2007 16:04:20 -0700

Kyle Schatzle wrote:
Does this function relate to the stub below?

If it doesn't relate, could you point me in the right direction to
understand its format?

Here's how the IDL maps to the Pex::NDS functions:

#    [in] [unique] [string] wchar_t * arg_00,
     Pex::NDR::Long(int(rand(0xffffffff))).
     Pex::NDR::UnicodeConformantVaryingString('').
#    [in] [string] wchar_t * arg_01,
     Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
#    [out] [size_is(arg_03)] char * arg_02 <- out parameters are not sent in the
request
#    [in] [range(0, 64000)] long arg_03,
     Pex::NDR::Long(int(rand(250)+1)).
#    [in] [string] wchar_t * arg_04,
     Pex::NDR::UnicodeConformantVaryingStringPreBuilt( "\xeb\x02\x00\x00").
#    [in,out] long * arg_05,
     Pex::NDR::Long(int(rand(250)+1)).
#    [in] long arg_06
     Pex::NDR::Long(0);


arg_00 is encoded with a Long followed by UnicodeConformantVaryingString. You
need the long because of the [unique] pointer modifier.

arg_02 is not included in the request, because it's an ouput parameter. It's
sent in the reply from the server.

The rest of the arguments are obvious.

The NDR transfer syntax is documented here:
http://www.opengroup.org/onlinepubs/9629399/chap14.htm

Alex



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]