Metasploit mailing list archives

DCE/RPC in Metasploit


From: tkrpata at bjs.com (Krpata, Tyler)
Date: Thu, 14 Dec 2006 15:54:57 -0500

Hi all,

I've been trying to learn how to write modules for Metasploit 3. What
I'm trying to do specifically is port an exploit that I wrote for
CVE-2006-5854 (Novell Netware Client print spooler buffer overflow). I'm
having trouble getting the RPC stuff working right, though. I thought I
would basically just copy the structure of some of the SMB modules (like
ms06_040_netapi.rb), and replace values like the UUID, "stub" structure,
and operation number with my own.

When I run the exploit, I'm receiving a fault response from the server
with status "nca_s_fault_ndr", and I have to admit I'm somewhat clueless
about the MSRPC stuff and I don't know what that means. The one thing I
am noticing is that the MSF stuff seems to want to do a Write AndX SMB
command by default, but I think I want to do a Transaction command... I'm
not sure if that's actually my problem or how I would change it.

Does anyone have any ideas? I think I'm probably making some
fundamentally incorrect assumptions. BTW, if I've said anything
blatantly clueless or if there's any prerequisite reading I should be
doing, I'd love to know.

Thanks,
Tyler