DRAZEN_SVC testing

[David Fifield <david () bamsoftware com>]

On Wed, Jun 23, 2010 at 06:52:32PM +0200, Dražen Popović wrote:
> On Tue, 2010-06-22 at 21:14 -0600, David Fifield wrote:
> > Thanks for the detailed status report. Will you post a brief HOWTO for
> > those who would like to try out cli-drazen-svc.nse and DRAZEN_SVC?
>
> I keep the MIDL_BENCH testing environment in my svn directory (URL:
> svn://svn.insecure.org/nmap-exp/drazen) under "var/MIDL_BENCH".
> MIDL_BENCH is actually a Visual Studio 2005 solution, which contains a
> few projects and one of them is DRAZEN_SVC. "cli-drazen-svc.nse" is an
> NSE script made to provide testing for the "ndr.lua" and other stuff.
> Both "ndr.lua" and "cli-drazen-svc" can be found in my svn directory
> under "nmap-msrpc/nselib" and "nmap-msrpc/scripts", respectively.
> So: 
>       * Run the Visual Studio and load the MIDL_BENCH solution.
>       * Within that solution find a DRAZEN_SVC named project, build it
>         and run it.
>       * An empty console will pop up which, once "cli-drazen-svc.nse" is
>         invoked, will contain some output (usually every called RPC
>         procedure simply prints out its arguments).
>       * Invoke the "cli-drazen-svc.nse" with "nmap -sS -p 445
>         --script="cli-drazen-svc" <host_which_runs_the_midl_bench>", and
>         look at the output produced on the server side.
>       * You can (un)comment the RPC function calls within
>         "cli-drazen-svc.nse" as you wish. The code is pretty much self
>         explanatory, when the "ndr.lua" is finished it will become much
>         more documented.

Thanks for the instructions. I got DRAZEN_SVC and the nmap-msrpc branch
built. Visual C++ 2008 wanted to update the .sln and .vcproj files, but
I clicked through that and it worked fine. Here is the output of
DRAZEN_SVC on localhost:

Hello Wolrd
[TestPrimTypesPacking1]
small: -1
usmall: 1
short: -2
ushort: 2
long: -4
ulong: 4
hyper: -8
uhyper: 8
bool: 1
char: 65
byte: 255
[TestPrimTypesPacking2]
small: 1
short: 2
long: 3
s1: 4
hyper: 5
[TestPrimTypesPacking3]
e1: 2

I had to remove "local" from msrpc.call_function. You had to make the
same change, am I right? If so, don't leave things like that in your
working directory, commit them.

What tool are you using to generate the RPC stubs? (Whatever is
generating the code with the "pack the request", "call the function",
"sanity check", etc. comments.) Can you commit it somewhere? I think it
is very cool that you can automatically go from an IDL file like this:

interface drazen_svc
{
        /**Prints out a hello world!
        *@opnum 0x00
        */
        void Hello_World();
        /**Tests the NDR primitives packing.
        *@opnum 0x01
        */
        void TestPrimTypesPacking1(
                [in] small _small,
                [in] unsigned small _usmall,
                [in] short _short,
                [in] unsigned short _ushort,
                [in] long _long,
                [in] unsigned long _ulong,
                [in] hyper _hyper,
                [in] unsigned hyper _uhyper,
                [in] boolean _bool,
                [in] char _char,
                [in] byte _byte
                );
}

And automatically generate Lua code like this:

function DRAZEN_SVC_HelloWorld(smbstate)
        --sanity check
        --pack the request
        local req_blob;
        req_blob = ""
        --call the function
        local status, call_result
        status, call_result = msrpc.call_function(
                smbstate,
                DRAZEN_SVC_Opnums['HelloWorld'],
                req_blob)
        --sanity check
        if(status == false) then
                local error_msg
                error_msg = string.format(
                        "DRAZEN_SVC_HelloWorld: Call function [%d] failed: %s",
                        DRAZEN_SVC_Opnums['HelloWorld'],
                        call_result)
                stdnse.print_debug(DRAZEN_DEBUG_LVL, error_msg)
                return false, call_result
        end
        --dissect the reply
        local rep_blob
        rep_blob = call_result
        return true, rep_blob
end

I was not able to build DNSSERVER_SVC_TEST. I get errors:

1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvUpdateRecord2
1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvEnumRecords2
1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvComplexOperation2
1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvQuery2
1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvUpdateRecord
1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvEnumRecords
1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvComplexOperation
1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvQuery
1>DNSSERVER_TEST_s.obj : error LNK2001: unresolved external symbol _R_DnssrvOperation
1>C:\cygwin\home\david\drazen\var\MIDL_BENCH\Debug\DNSSERVER_SVC_TEST.exe : fatal error LNK1120: 9 unresolved externals

Does DNSSERVER_SVC_TEST build for you? What do I need to do to get it
build?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/