Nmap Development mailing list archives

Status report #6 of 15
From: Dražen Popović <drazen.popovic () fer hr>
Date: Tue, 08 Jun 2010 14:57:49 +0200

Hi everyone.
This has been a very painful and exhausting week. I'm afraid that as far
as script production goes, no progress has been made, but I'm glad to say
that most of the obscurity concerning MSRPC is now cleared up. A few old
issues resurfaced and it was crucial to solve them. So...

Accomplishments:
      * Built a test bench for testing RPC services and corresponding
        client stubs (NDR). This testing environment consists of a
        Windows XP virtual machine with Service Pack 3 installed and the
        MS SDK, which contains the tools necessary for building RPC
        services: "Midl.exe" [1] and the compiler/linker "cl.exe" [2].
        The SDK comes with MS VS 2005.
      * Compiled a simple test RPC service to test some NDR conversions
        [3] [4].
      * Compiled a test RPC client using Midl and Cl [3][4]. The client
        communicates with the RPC service using the previously generated
        stubs. A Wireshark trace of this client's sessions can be used to
        determine the correct way to translate the operation arguments
        into NDR.
      * Compiled a DNSSERVER MANAGEMENT service in a way that every
        service operation actually prints its passed arguments. This
        provided me with a powerful method of debugging NDR issues.
      * Resolved previous issues concerning RRAS service and a check for
        MS06-025.
      * Resolved issues concerning DNSSERVER service NDR.

Priorities:
      * Merge the newly resolved issues into smb-check-ms06_025, test
        and merge all into smb-check-vulns, msrpc and msrpctypes.
      * Implement MS07_029 which targets the MS Dns Server Management
        RPC service.
      * Start coding the "ndr.lua". This is crucial to avoid code
        duplication as "msrpctypes.lua" doesn't correctly handle
        alignment of various types, as well as structure packing. Most
        of "ndr.lua" will use existing "msrpctypes.lua" code.

Notes:
As stated before, NDR translations represent the biggest issue in every
MSRPC implementation I've seen to this point. It was similar to banging
my head against the wall; every RPC procedure I made ended up with an
nca_s_fault_ndr (0x000006f7) error, also known as RPC_X_BAD_STUB_DATA [],
which somewhat clearly defines the problem as bad NDR translation. So
for everyone out there fighting NDR, don't forget the ALIGNMENT (every
NDR type has one)!!! That seems to cause all the fuss, as well as
structure packing.
So what was the solution? The SAMBA code which deals with NDR, and also
PYMSRPC [].


References:
[1] "Midl - Microsoft IDL compiler",
http://msdn.microsoft.com/en-us/library/aa367091%28VS.85%29.aspx
[2] "Cl - Microsoft C/C++ compiler/linker",
http://msdn.microsoft.com/en-us/library/9s7c9wdw%28v=VS.100%29.aspx
[3] "Code Project: MS-RPC Programming Intro",
http://www.codeproject.com/KB/IP/rpcintro1.aspx
[4] "Microsoft RPC programming guide", O'Reilly
[5] "PYMSRPC - Python MS-RPC implementation",
http://code.google.com/p/pymsrpc/

Cheers,
Dražen.

-- 
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
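To illustrate the alignment and structure-packing rules the note above warns about, here is a small NDR marshaller added for this archive page; it is not code from Nmap's msrpctypes.lua or the planned ndr.lua, and it assumes the primitive alignments (alignment equals size) and the conformant-varying layout of [string] wchar_t* referents from the NDR transfer syntax. The request body it builds is a constructed sample, not a real DNSSERVER operation.

```python
import struct

# Assumed NDR rules: a primitive is aligned to its own size, and Windows
# sends little-endian NDR, so every format string uses "<".
ALIGN = {"uint8": 1, "uint16": 2, "uint32": 4, "hyper": 8}
FMT = {"uint8": "<B", "uint16": "<H", "uint32": "<I", "hyper": "<Q"}


class NdrBuffer:
    """Marshals primitives, structures and a [string] wchar_t* into NDR."""

    def __init__(self):
        self.buf = bytearray()

    def align(self, n):
        # Pad with zero bytes until the current offset is a multiple of n.
        self.buf += b"\x00" * ((-len(self.buf)) % n)

    def put(self, kind, value):
        self.align(ALIGN[kind])
        self.buf += struct.pack(FMT[kind], value)

    def put_struct(self, fields):
        # A structure is first aligned to its most strictly aligned member;
        # then each member is marshalled in order with its own alignment.
        self.align(max(ALIGN[kind] for kind, _ in fields))
        for kind, value in fields:
            self.put(kind, value)

    def put_unicode_string(self, text):
        # Conformant varying array header: max_count, offset, actual_count
        # (uint32 each), then the UTF-16LE characters including the NUL.
        count = len(text) + 1
        for header in (count, 0, count):
            self.put("uint32", header)
        self.buf += (text + "\x00").encode("utf-16-le")

    def getvalue(self):
        return bytes(self.buf)


def marshal_struct(fields):
    out = NdrBuffer()
    out.put_struct(fields)
    return out.getvalue()


def naive_pack(fields):
    # What a packer that ignores alignment emits for the same structure:
    # the stub on the server side rejects this with nca_s_fault_ndr.
    return b"".join(struct.pack(FMT[kind], value) for kind, value in fields)


def marshal_request(name, flag, struct_fields):
    # Constructed sample body: a string argument, a uint8, then a structure.
    out = NdrBuffer()
    out.put_unicode_string(name)
    out.put("uint8", flag)
    out.put_struct(struct_fields)
    return out.getvalue()
```

Comparing marshal_struct and naive_pack on a structure such as {uint8; uint32} shows the three padding bytes that the naive packer drops, which is exactly the kind of mismatch that produces RPC_X_BAD_STUB_DATA.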
