Home page logo

metasploit logo Metasploit mailing list archives

Re: Error while framing RPC Packet
From: Sujit Ghosal <thesujit () gmail com>
Date: Wed, 23 Jun 2010 17:53:03 +0530

        Well it seems that is the only option left right now. But as far as
I remember, mIDA will decode the structure for that specific RPC Interface
UUID. It won't tell the way that how the specific UUID will accept various
Opnum values (if Opnum is different in my 3 types of requests) and its stub
in the request. Isn't it? I am going through mIDA once. Lets see if I can
get any hint out of it.

Though, RPC specification is there by Opengroup and HSC, but while it comes
to packet framing its not helping.

- Sujit

On Wed, Jun 23, 2010 at 12:56 PM, Joshua J. Drake <jdrake () metasploit com>wrote:

On Wed, Jun 23, 2010 at 11:06:30AM +0530, Sujit Ghosal wrote:
Hi All,
   I am framing an RPC packet structure for one MSMQ Service UUID:

   The problem I am facing now is while crafting the RPC Packet based on
above UUID. It seems I am making some mess while constructing the packet
the above UUID as I guess that its because of invalid structure for Opnum
0x01. I think I am doing some miscalculations. Btw I was successful to
to the above interface as I got the ACK that the interface has been bound
successfully, but the time I am sending the Opnum to perform my attack
I am not framing the bytes properly. I am coming across with one DCERPC
response as "nca_s_fault_invalid_tag" whose PDU fault value is 1C000006.
I am not able to proceed further. :(

   So I was just wondering, if there is any documentation which can give
some excerpt on how this packet framing should be done for different
i.e. 0x01 or 0x06 or 0x12 with any UUIDs?

I'm not an expert at Windows RPC by any means, but I think maybe what
you're looking for is mIDA. It is a plugin for IDA Pro that can
extract IDL (Interface Descriptor Language?) definitions from
binaries. The general process would be opening the msmq service binary
(exe/dll/whatever) into IDA and running mIDA on it,

If that doesn't help, I recommend stepping through the NDR decoding
routines and paying special attention to the data that is being
decoded. It may point out exactly which part you're messing up.

Hope this helps!

Joshua J. Drake


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]