Nmap Development mailing list archives
Status report #6 of 15
From: Dražen Popović <drazen.popovic () fer hr>
Date: Tue, 08 Jun 2010 14:57:49 +0200
Hi everyone. This has been a very painful and exhausting week. I'm afraid that as far as script production goes, no progress has been made, but I'm glad to say that most of the obscurity concerning MSRPC is now cleared up. A few old issues resurfaced and it was crucial to solve them. So...

Accomplishments:
* Built a test bench for testing RPC services and corresponding client stubs (NDR). This testing environment consists of a Windows XP virtual machine with Service Pack 3 installed and the MS SDK, which contains the tools necessary for building RPC services: "Midl.exe" [1] and the compiler/linker "cl.exe" [2]. The SDK comes with MS VS 2005.
* Compiled a simple test RPC service to test some NDR conversions [3] [4].
* Compiled a test RPC client using Midl and Cl [3] [4]. The client communicates with the RPC service using the previously generated stubs. A Wireshark trace of this client's sessions can be used to determine the correct way to translate the operation arguments into NDR.
* Compiled a DNSSERVER MANAGEMENT service in a way that every service operation actually prints its passed arguments. This provided me with a powerful method of debugging NDR issues.
* Resolved previous issues concerning the RRAS service and the check for MS06-025.
* Resolved issues concerning DNSSERVER service NDR.

Priorities:
* Merge the newly resolved issues into smb-check-ms06_025, test, and merge all into smb-check-vulns, msrpc and msrpctypes.
* Implement MS07_029, which targets the MS Dns Server Management RPC service.
* Start coding "ndr.lua". This is crucial to avoid code duplication, as "msrpctypes.lua" doesn't correctly handle alignment of various types, as well as structure packing. Most of "ndr.lua" will use existing "msrpctypes.lua" code.

Notes:
As stated before, NDR translations represent the biggest issue in every MSRPC implementation I've seen to this point. It was similar to banging my head against the wall: every RPC procedure I made ended up with an nca_s_fault_ndr (0x000006f7) error, also known as RPC_X_BAD_STUB_DATA [], which somewhat clearly defines the problem as bad NDR translation. So for everyone out there fighting NDR, don't forget the ALIGNMENT (every NDR type has one)!!! That seems to cause all the fuzz, as well as structure packing. So what was the solution? SAMBA code which deals with NDR, and also PYMSRPC [].

References:
[1] "Midl - Microsoft IDL compiler", http://msdn.microsoft.com/en-us/library/aa367091%28VS.85%29.aspx
[2] "Cl - Microsoft C/C++ compiler/linker", http://msdn.microsoft.com/en-us/library/9s7c9wdw%28v=VS.100%29.aspx
[3] "Code Project: MS-RPC Programming Intro", http://www.codeproject.com/KB/IP/rpcintro1.aspx
[4] "Microsoft RPC programming guide", O'Reilly
[5] "PYMSRPC - Python MS-RPC implementation", http://code.google.com/p/pymsrpc/

Cheers,
Dražen.

--
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb
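The alignment point in the report above, shown as an added Python example (not code from the message, from Nmap's msrpctypes.lua, or from pymsrpc). It assumes little-endian DCE 1.1 NDR primitives that align to their own size, with padding measured from the start of the stub data, and marshals the same fields with and without alignment so the byte streams can be compared; conformant arrays and pointers are out of scope.

```python
import struct

# Little-endian NDR primitives: (alignment in bytes, struct format).
# In DCE 1.1 NDR each primitive aligns to its own size.
NDR_TYPES = {
    "uint8": (1, "<B"),
    "uint16": (2, "<H"),
    "uint32": (4, "<I"),
    "uint64": (8, "<Q"),
}


class NdrWriter:
    """Marshals values into an NDR stub-data stream, padding before each field."""

    def __init__(self, align_fields=True):
        self.buf = bytearray()
        self.align_fields = align_fields  # False reproduces "pack everything tightly"

    def pad_to(self, alignment):
        # Alignment is relative to the start of the stub data, so the buffer
        # length itself is the current offset.
        if self.align_fields:
            while len(self.buf) % alignment:
                self.buf.append(0)

    def write(self, typename, value):
        alignment, fmt = NDR_TYPES[typename]
        self.pad_to(alignment)
        self.buf += struct.pack(fmt, value)

    def write_struct(self, fields):
        # A structure is aligned to the largest alignment among its members,
        # and every member is then aligned individually (structure packing).
        self.pad_to(max(NDR_TYPES[t][0] for t, _ in fields))
        for typename, value in fields:
            self.write(typename, value)

    def getvalue(self):
        return bytes(self.buf)


def marshal_example(align_fields=True):
    """Constructed sample: uint8, uint32, then a struct {uint16; uint64}."""
    w = NdrWriter(align_fields)
    w.write("uint8", 1)            # offset 0 -> 1
    w.write("uint32", 0x11223344)  # aligned: 3 pad bytes, then 4 bytes at offset 4
    w.write_struct([("uint16", 7), ("uint64", 2)])  # struct aligned to 8
    return w.getvalue()
```

With alignment the stream is 24 bytes; without it only 15, which is the shape of stub data a server rejects with RPC_X_BAD_STUB_DATA.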