Metasploit mailing list archives

Help Understanding Stub for MS06-040


From: asotirov at determina.com (Alexander Sotirov)
Date: Wed, 14 Mar 2007 16:04:20 -0700

Kyle Schatzle wrote:
Does this function relate to the stub below?

If it doesn't relate, could you point me in the right direction to
understand its format?

Here's how the IDL maps to the Pex::NDR functions:

#    [in] [unique] [string] wchar_t * arg_00,
     Pex::NDR::Long(int(rand(0xffffffff))).
     Pex::NDR::UnicodeConformantVaryingString('').
#    [in] [string] wchar_t * arg_01,
     Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
#    [out] [size_is(arg_03)] char * arg_02  <- out parameters are not sent in the request
#    [in] [range(0, 64000)] long arg_03,
     Pex::NDR::Long(int(rand(250)+1)).
#    [in] [string] wchar_t * arg_04,
     Pex::NDR::UnicodeConformantVaryingStringPreBuilt( "\xeb\x02\x00\x00").
#    [in,out] long * arg_05,
     Pex::NDR::Long(int(rand(250)+1)).
#    [in] long arg_06
     Pex::NDR::Long(0);


arg_00 is encoded with a Long followed by UnicodeConformantVaryingString. You
need the long because of the [unique] pointer modifier.

arg_02 is not included in the request, because it's an output parameter. It's
sent in the reply from the server.

The rest of the arguments are obvious.

The NDR transfer syntax is documented here:
http://www.opengroup.org/onlinepubs/9629399/chap14.htm

Alex


