Metasploit mailing list archives

DCE/RPC in Metasploit


From: hdm at metasploit.com (H D Moore)
Date: Thu, 14 Dec 2006 15:00:43 -0600

On Thursday 14 December 2006 14:54, Krpata, Tyler wrote:
When I run the exploit, I'm receiving a fault response from the server
with status "nca_s_fault_ndr", and I have to admit I'm somewhat
clueless about the MSRPC stuff and I don't know what that means. 

That error means your stub data was wrong and the NDR parser threw an 
error. You will need to examine the IDL (or reverse it with unmidl, etc) 
and create the proper stub data for that operation.

The one thing I am noticing is that the MSF stuff seems to want to do a
Write AndX smb command by default, but I think I want to do a
Transaction command...I'm not sure if that's actually my problem or how
I would change it.

There are a few different ways to do DCERPC calls, you can use 
WriteAndX/ReadAndX or NTTrans/ReadAndX interchangeably. We use WriteAndX 
by default now to enable some SMB segmentation evasion.

Does anyone have any ideas? I think I'm probably making some
fundamentally incorrect assumptions. BTW, if I've said anything
blatantly clueless or if there's any prerequisite reading I should be
doing, I'd love to know.

There are no great resources for learning about DCERPC in the context of 
exploit development -- I think the training courses offered by CanSecWest 
and Black Hat are about as close as you can get right now.

-HD
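An added example (not from this thread and not Metasploit's own code) showing what "stub data that does not match the IDL" means in practice: a minimal NDR marshaller for one hypothetical operation, `long Op(long flags, [in, string] wchar_t *name);`, plus the checks a server-side NDR unmarshaller applies before it would return a fault such as nca_s_fault_ndr. The IDL, the operation name and the fault messages are assumptions for illustration.

```ruby
# Added example: tiny NDR (little-endian) encoder/decoder for the hypothetical
# IDL  long Op(long flags, [in, string] wchar_t *name);
# Shows why a stub that disagrees with the IDL is rejected by the NDR parser.
class NdrFault < StandardError; end

# Pad a byte string to a 4-byte boundary, as NDR requires before long-aligned data.
def ndr_align4(buf)
  buf + "\x00" * ((4 - buf.bytesize % 4) % 4)
end

# Encode a conformant-varying [string] wchar_t*: max_count, offset, actual_count,
# followed by the UTF-16LE characters including the terminating NUL.
def ndr_wstring(str)
  chars = (str + "\x00").encode('UTF-16LE').b
  count = chars.bytesize / 2
  ndr_align4([count, 0, count].pack('V3') + chars)
end

# Build the stub data for Op(flags, name): a 4-byte long, then the string.
def op_stub(flags, name)
  [flags].pack('V') + ndr_wstring(name)
end

# Server-side view: unmarshal the stub, raising NdrFault on anything the IDL
# does not allow (short buffer, inconsistent counts, missing NUL terminator).
def parse_op_stub(stub)
  stub = stub.b
  raise NdrFault, 'short header' if stub.bytesize < 16
  flags, max_count, offset, actual = stub.unpack('VVVV')
  raise NdrFault, 'offset must be 0' unless offset.zero?
  raise NdrFault, 'actual_count exceeds max_count' if actual > max_count
  chars = stub.byteslice(16, actual * 2)
  raise NdrFault, 'truncated string data' if chars.nil? || chars.bytesize < actual * 2
  raise NdrFault, 'string not NUL-terminated' unless chars.end_with?("\x00\x00")
  name = chars.byteslice(0, chars.bytesize - 2).force_encoding('UTF-16LE').encode('UTF-8')
  { flags: flags, name: name }
end
```

Tampering with the counts or truncating the buffer (the usual mistakes when hand-building stubs without the IDL) makes `parse_op_stub` raise, which is the same condition the real server reports as an NDR fault.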
