Metasploit mailing list archives
DCE/RPC in Metasploit
From: hdm at metasploit.com (H D Moore)
Date: Thu, 14 Dec 2006 15:00:43 -0600
On Thursday 14 December 2006 14:54, Krpata, Tyler wrote:
> When I run the exploit, I'm receiving a fault response from the server with status "nca_s_fault_ndr", and I have to admit I'm somewhat clueless about the MSRPC stuff and I don't know what that means.
That error means your stub data was wrong and the NDR parser threw an error. You will need to examine the IDL (or reverse it with unmidl, etc) and create the proper stub data for that operation.
> The one thing I am noticing is that the MSF stuff seems to want to do a Write AndX smb command by default, but I think I want to do a Transaction command...I'm not sure if that's actually my problem or how I would change it.
There are a few different ways to do DCERPC calls; you can use WriteAndX/ReadAndX or NTTrans/ReadAndX interchangeably. We use WriteAndX by default now to enable some SMB segmentation evasion.
> Does anyone have any ideas? I think I'm probably making some fundamentally incorrect assumptions. BTW, if I've said anything blatantly clueless or if there's any prerequisite reading I should be doing, I'd love to know.
There are no great resources for learning about DCERPC in the context of exploit development -- I think the training courses offered by CanSecWest and Black Hat are about as close as you can get right now.
-HD
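For readers diagnosing the fault discussed above, here is an added example (not part of the original message and not Metasploit code) that decodes a connection-oriented DCE/RPC fault PDU and names its status. The function name `parse_dcerpc_fault`, the small status table and the sample bytes are assumptions constructed for illustration.

```ruby
# Added example: decode a connection-oriented DCE/RPC fault PDU (ptype 3).
# Layout: 16-byte common header followed by a 16-byte fault body.
FAULT_PTYPE = 3

# Subset of well-known fault status values (illustrative, not exhaustive).
FAULT_STATUS = {
  0x00000005 => 'nca_s_fault_access_denied',
  0x000006F7 => 'nca_s_fault_ndr',            # server could not unmarshal the stub data
  0x1C010002 => 'nca_op_rng_error',           # opnum not in the interface
  0x1C010003 => 'nca_unk_if',                 # interface not bound/known
  0x1C00001A => 'nca_s_fault_context_mismatch'
}.freeze

def parse_dcerpc_fault(pdu)
  raise ArgumentError, 'short PDU' if pdu.bytesize < 32
  ver, _minor, ptype, _flags = pdu.unpack('C4')
  raise ArgumentError, 'not DCE/RPC v5' unless ver == 5
  raise ArgumentError, "ptype #{ptype} is not a fault" unless ptype == FAULT_PTYPE

  # Data representation byte 0, high nibble: 1 = little-endian, 0 = big-endian.
  little = (pdu.getbyte(4) >> 4) == 1
  u16, u32 = little ? %w[v V] : %w[n N]

  frag_len, _auth_len, call_id = pdu[8, 8].unpack("#{u16}#{u16}#{u32}")
  raise ArgumentError, 'bad frag_length' if frag_len < 32 || frag_len > pdu.bytesize

  # Fault body: alloc_hint, p_cont_id, cancel_count, reserved, status.
  _hint, ctx_id, _cancel, _rsvd, status = pdu[16, 12].unpack("#{u32}#{u16}CC#{u32}")
  { call_id: call_id, context_id: ctx_id, status: status,
    name: FAULT_STATUS.fetch(status, format('unknown (0x%08x)', status)) }
end

# Constructed sample: little-endian fault for call_id 1 with status 0x000006F7.
SAMPLE_FAULT = [5, 0, 3, 3, 0x10, 0, 0, 0, 32, 0, 1, 0, 0, 0, 0, 0x000006F7, 0]
               .pack('C4C4vvVVvCCVV')

if __FILE__ == $PROGRAM_NAME
  r = parse_dcerpc_fault(SAMPLE_FAULT)
  puts format('call_id=%d ctx=%d status=0x%08x %s',
              r[:call_id], r[:context_id], r[:status], r[:name])
end
```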