On Wed, Jun 23, 2010 at 11:06:30AM +0530, Sujit Ghosal wrote:
> I am framing an RPC packet structure for one MSMQ Service UUID:
>
> The problem I am facing now is while crafting the RPC Packet based on
> the above UUID. It seems I am making some mess while constructing the
> packet for the above UUID; I guess it is because of an invalid structure
> for Opnum 0x01. I think I am doing some miscalculations. Btw, I was
> successful in binding to the above interface, as I got the ACK that the
> interface had been bound successfully, but when I send the Opnum to
> perform my attack I am not framing the bytes properly. I am coming
> across one DCERPC response, "nca_s_fault_invalid_tag", whose PDU fault
> value is 1C000006. I am not able to proceed further. :(
>
> So I was just wondering if there is any documentation which can give
> some excerpt on how this packet framing should be done for different
> Opnums, i.e. 0x01 or 0x06 or 0x12, with any UUIDs?
I'm not an expert at Windows RPC by any means, but I think maybe what
you're looking for is mIDA. It is a plugin for IDA Pro that can
extract IDL (Interface Descriptor Language?) definitions from
binaries. The general process would be opening the msmq service binary
(exe/dll/whatever) into IDA and running mIDA on it.
If that doesn't help, I recommend stepping through the NDR decoding
routines and paying special attention to the data that is being
decoded. It may point out exactly which part you're messing up.
Hope this helps!
Joshua J. Drake
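The fault value quoted in the question (1C000006) is the `status` field of a connection-oriented DCE/RPC fault PDU, which on the wire appears byte-swapped when the header's data-representation flag says little-endian. The following parser is an added example, not code from either poster; it decodes the fault PDU layout from the DCE 1.1 RPC specification (C706), honours the `packed_drep` byte-order flag, and maps the status to its name using a small, deliberately partial table of spec-defined codes. `build_sample_fault` constructs a synthetic PDU for testing; it is not captured traffic.

```python
import struct

PTYPE_FAULT = 3
# Partial table of DCE/RPC fault status codes (C706, Appendix N plus the
# Windows access-denied value). 0x1C000006 is the code seen in the question.
FAULT_STATUS = {
    0x00000005: "nca_s_fault_access_denied",
    0x1C000001: "nca_s_fault_int_div_by_zero",
    0x1C000002: "nca_s_fault_addr_error",
    0x1C000006: "nca_s_fault_invalid_tag",
    0x1C000007: "nca_s_fault_invalid_bound",
    0x1C000024: "nca_s_fault_object_not_found",
    0x1C010002: "nca_s_op_rng_error",
    0x1C010003: "nca_s_unk_if",
}


def parse_fault_pdu(pdu: bytes) -> dict:
    """Decode a connection-oriented DCE/RPC fault PDU (ptype 3).

    Layout: 16-byte common header, then alloc_hint(4), p_cont_id(2),
    cancel_count(1), reserved(1), status(4), reserved2(4), stub data.
    Integer byte order follows the high nibble of packed_drep[0]
    (1 = little-endian, 0 = big-endian). Auth trailers are not parsed.
    """
    if len(pdu) < 32:
        raise ValueError("fault PDU truncated: need at least 32 bytes")
    vers, vers_minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    endian = "<" if (pdu[4] >> 4) == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if ptype != PTYPE_FAULT:
        raise ValueError(f"not a fault PDU: ptype={ptype}")
    if frag_len != len(pdu):
        raise ValueError(f"frag_length {frag_len} != buffer length {len(pdu)}")
    _alloc, p_cont_id, cancel_count, _r = struct.unpack_from(endian + "IHBB", pdu, 16)
    (status,) = struct.unpack_from(endian + "I", pdu, 24)
    return {
        "rpc_vers": f"{vers}.{vers_minor}",
        "call_id": call_id,
        "p_cont_id": p_cont_id,
        "cancel_count": cancel_count,
        "status": status,
        "status_name": FAULT_STATUS.get(status, "unknown"),
        "stub": pdu[32:],
    }


def build_sample_fault(status: int, call_id: int = 1, little: bool = True) -> bytes:
    """Constructed sample fault PDU (not captured traffic) in either byte order."""
    e = "<" if little else ">"
    body = struct.pack(e + "IHBBII", 0, 1, 0, 0, status, 0)
    drep0 = 0x10 if little else 0x00          # only the byte-order nibble is set
    hdr = struct.pack(e + "BBBB", 5, 0, PTYPE_FAULT, 0x03) + bytes([drep0, 0, 0, 0])
    hdr += struct.pack(e + "HHI", 16 + len(body), 0, call_id)
    return hdr + body
```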