Metasploit mailing list archives
Help Understanding Stub for MS06-040
From: kyle.schatzle at gmail.com (Kyle Schatzle)
Date: Wed, 14 Mar 2007 08:38:38 -0500
Hello, I'm researching RPC vulnerabilities and trying to recreate MS06-040's Metasploit exploit for a proof of concept to myself. I understand most of the code, but am missing the main part, creating the stub. Could you point me in the right direction to understand how to build this? (Minus the payload; I can understand (most of) the payload.) I thought I could disassemble the netapi32.dll and recreate the IDL file, but was unsuccessful with using mIDA and unmidl.

Does this function relate to the stub below?

    # /* Function 0x1f at 0x767e912c */
    # long function_1f (
    #   [in] [unique] [string] wchar_t * arg_00,
    #   [in] [string] wchar_t * arg_01,
    #   [out] [size_is(arg_03)] char * arg_02,
    #   [in] [range(0, 64000)] long arg_03,
    #   [in] [string] wchar_t * arg_04,
    #   [in,out] long * arg_05,
    #   [in] long arg_06
    # );

If it doesn't relate, could you point me in the right direction to understand its format?

    $stub = Pex::NDR::Long(int(rand(0xffffffff))).
        Pex::NDR::UnicodeConformantVaryingString('').
        Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
        Pex::NDR::Long(int(rand(250)+1)).
        Pex::NDR::UnicodeConformantVaryingStringPreBuilt("\xeb\x02" . "\x00\x00").
        Pex::NDR::Long(int(rand(250)+1)).
        Pex::NDR::Long(0);

Thanks
KyleS
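As an added illustration (not from the thread or from Metasploit), a Python decoder that walks a request stub in the parameter order of the IDL quoted above, so an analyst can read back what each NDR field of a captured request carries. It assumes the wire layout Pex::NDR uses for a conformant-varying Unicode string (three 32-bit little-endian counts, then UTF-16LE data padded to a 4-byte boundary), that the [unique] arg_00 pointer is preceded by a referent id, and that the [out]-only arg_02 is absent from the request; the sample stub, its path and its sizes are constructed.

```python
import struct

# Assumed wire layout for Pex::NDR's UnicodeConformantVaryingString:
# three little-endian longs (max_count, offset, actual_count), then
# actual_count UTF-16LE code units, padded out to a 4-byte boundary.
def ndr_long(v):
    return struct.pack("<I", v & 0xFFFFFFFF)

def ndr_ucvs_prebuilt(raw):
    """Mirror of the PreBuilt variant: 'raw' is already UTF-16LE bytes."""
    n = len(raw) // 2
    return struct.pack("<III", n, 0, n) + raw + b"\x00" * (-len(raw) % 4)

def ndr_ucvs(text):
    return ndr_ucvs_prebuilt((text + "\x00").encode("utf-16-le"))

def _read_long(buf, pos):
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def _read_ucvs(buf, pos):
    max_count, offset, actual = struct.unpack_from("<III", buf, pos)
    start, end = pos + 12 + offset * 2, pos + 12 + (offset + actual) * 2
    if offset + actual > max_count or end > len(buf):
        raise ValueError("string header inconsistent with buffer")
    text = buf[start:end].decode("utf-16-le", errors="replace")
    return text.rstrip("\x00"), end + (-end % 4)

def parse_stub(stub):
    """Walk the [in] parameters of function 0x1f in IDL order ([out]-only arg_02 is absent)."""
    f, pos = {}, 0
    f["arg_00_referent"], pos = _read_long(stub, pos)  # [unique] pointer id
    f["arg_00"], pos = _read_ucvs(stub, pos)
    f["arg_01"], pos = _read_ucvs(stub, pos)           # the path
    f["arg_03"], pos = _read_long(stub, pos)           # size_is for arg_02
    f["arg_04"], pos = _read_ucvs(stub, pos)           # the prefix
    f["arg_05"], pos = _read_long(stub, pos)           # [in,out] long*, no referent id
    f["arg_06"], pos = _read_long(stub, pos)
    f["arg_01_chars"] = len(f["arg_01"])
    f["trailing_bytes"] = len(stub) - pos
    return f

# Constructed sample built in the same order as the Perl stub; the path,
# referent id and sizes are made-up values, not taken from any real exploit.
SAMPLE = (ndr_long(0x11223344) + ndr_ucvs("")
          + ndr_ucvs("\\\\A\\" + "B" * 40) + ndr_long(200)
          + ndr_ucvs_prebuilt(b"\xeb\x02\x00\x00")
          + ndr_long(17) + ndr_long(0))
```

Running `parse_stub(SAMPLE)` returns the fields keyed by IDL parameter name, including the decoded path length so it can be compared against arg_03 and the declared range.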
Current thread:
- Help Understanding Stub for MS06-040 Kyle Schatzle (Mar 14)
- Help Understanding Stub for MS06-040 Alexander Sotirov (Mar 14)
- Help Understanding Stub for MS06-040 Nicolas Pouvesle (Mar 14)