Metasploit mailing list archives
Help Understanding Stub for MS06-040
From: asotirov at determina.com (Alexander Sotirov)
Date: Wed, 14 Mar 2007 16:04:20 -0700
Kyle Schatzle wrote:
Does this function relate to the stub below? If it doesn't relate, could you point me in the right direction to understand its format?
Here's how the IDL maps to the Pex::NDR functions:

    # [in] [unique] [string] wchar_t * arg_00,
    Pex::NDR::Long(int(rand(0xffffffff))).
    Pex::NDR::UnicodeConformantVaryingString('').

    # [in] [string] wchar_t * arg_01,
    Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).

    # [out] [size_is(arg_03)] char * arg_02 <- out parameters are not sent in the request

    # [in] [range(0, 64000)] long arg_03,
    Pex::NDR::Long(int(rand(250)+1)).

    # [in] [string] wchar_t * arg_04,
    Pex::NDR::UnicodeConformantVaryingStringPreBuilt("\xeb\x02\x00\x00").

    # [in,out] long * arg_05,
    Pex::NDR::Long(int(rand(250)+1)).

    # [in] long arg_06
    Pex::NDR::Long(0);

arg_00 is encoded with a Long followed by UnicodeConformantVaryingString. You need the long because of the [unique] pointer modifier.

arg_02 is not included in the request, because it's an output parameter. It's sent in the reply from the server.

The rest of the arguments are obvious.

The NDR transfer syntax is documented here:
http://www.opengroup.org/onlinepubs/9629399/chap14.htm

Alex
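The wire layout described in the reply above, shown from the receiving side as an added example (not part of the original post and not Metasploit code): a small Python decoder that walks a request stub in IDL order, reading the referent ID of the [unique] pointer and the max_count/offset/actual_count header of each conformant varying string. The function names and the sample stub are constructed for illustration.

```python
import struct

def align4(off):
    return (off + 3) & ~3

def read_long(buf, off):
    off = align4(off)  # NDR aligns 4-byte integers on 4-byte boundaries
    return struct.unpack_from("<I", buf, off)[0], off + 4

def read_wstring(buf, off):
    """Conformant varying wchar_t string: max_count, offset, actual_count, UTF-16LE data."""
    max_count, off = read_long(buf, off)
    offset, off = read_long(buf, off)
    actual, off = read_long(buf, off)
    if offset != 0 or actual > max_count:
        raise ValueError("inconsistent string header")
    end = off + 2 * actual  # counts are in characters and include the terminator
    if end > len(buf):
        raise ValueError("string runs past end of stub")
    return buf[off:end].decode("utf-16-le").rstrip("\0"), end

def read_unique_wstring(buf, off):
    """[unique] pointer: a 4-byte referent ID first; 0 means NULL and no string follows."""
    referent, off = read_long(buf, off)
    if referent == 0:
        return None, off
    return read_wstring(buf, off)

def parse_request(stub):
    """Walk the [in] arguments in IDL order; arg_02 is [out] and absent from the request."""
    off, args = 0, {}
    args["arg_00"], off = read_unique_wstring(stub, off)
    args["arg_01"], off = read_wstring(stub, off)
    args["arg_03"], off = read_long(stub, off)
    args["arg_04"], off = read_wstring(stub, off)
    args["arg_05"], off = read_long(stub, off)
    args["arg_06"], off = read_long(stub, off)
    return args

def wstring(s):  # hypothetical helper used only to build the sample below
    data = (s + "\0").encode("utf-16-le")
    n = len(data) // 2
    return struct.pack("<III", n, 0, n) + data + b"\0" * (-len(data) % 4)

# Constructed, benign sample stub (not captured traffic).
SAMPLE = (struct.pack("<I", 0x00020000) + wstring("SERVER") + wstring("\\share\\dir")
          + struct.pack("<I", 100) + wstring("") + struct.pack("<II", 1, 0))
```

A decoder like this lets a defender inspect the actual_count and max_count of each string argument in logged or captured requests before they reach the service.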