Metasploit mailing list archives

DCE/RPC in Metasploit


From: bmc at shmoo.com (Brian Caswell)
Date: Sun, 17 Dec 2006 18:39:20 -0500

On Dec 15, 2006, at 5:53 PM, Krpata, Tyler wrote:
> It's probably partly your code that I, err, "borrowed" then... :)


This:

        NDR.long(8) + NDR.long(0) + NDR.long(8) + "\\\x00\\\x00P\x00W\x00N\x00E\x00R\x00\x00\x00"

Equiv to:

        NDR.wstring("\\\\PWNER")

BTW, this is bad form: it's trivial for lame IDS signature writers to
trigger off of and claim they provide protection.

This:

        NDR.long(payload.length/2) + NDR.long(0) + NDR.long(payload.length/2) + payload

Is equiv to:

        NDR.wstring_prebuilt(payload)

The bit you commented "not sure what this does" is for handling the
"did I exploit the box" conditions for one of the DCERPC exploits.
You should replace that chunk of code with what the service returns
on success or failure of your exploit.

Brian
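
The two equivalences above, as an added example that is not from the post or from Metasploit itself: a local stand-in for the NDR helpers (wire format assumed to match Rex::Encoder::NDR, which is not reproduced here), showing that the hand-built bytes equal NDR.wstring's output, plus a parser that validates the three count fields before decoding the UTF-16LE data.

```ruby
# Added example, not Metasploit's code: local stand-in for the NDR helpers in
# the post (wire format assumed to match Rex::Encoder::NDR) plus a validating parser.
module NDR
  # 32-bit little-endian unsigned integer
  def self.long(value)
    [value].pack('V')
  end

  # Framing for data already in UTF-16LE: max count, offset, actual count
  # (all in 16-bit units), then the bytes. Odd-length input gets a NUL pad.
  def self.wstring_prebuilt(data)
    data = data.b
    data += "\x00" if data.bytesize.odd?
    units = data.bytesize / 2
    long(units) + long(0) + long(units) + data
  end

  # Conformant varying wide string from a Ruby string: UTF-16LE plus terminator
  def self.wstring(str)
    wstring_prebuilt((str + "\x00").encode('UTF-16LE'))
  end

  # Parse one wstring at the start of buf. Returns [string, bytes_consumed],
  # or nil when the counts disagree, the data is short, or it is not UTF-16.
  def self.parse_wstring(buf)
    return nil if buf.bytesize < 12
    max, off, actual = buf.byteslice(0, 12).unpack('V3')
    return nil unless off.zero? && actual == max
    needed = 12 + actual * 2
    return nil if buf.bytesize < needed
    data = buf.byteslice(12, actual * 2).force_encoding('UTF-16LE')
    [data.encode('UTF-8').chomp("\x00"), needed]
  rescue EncodingError
    nil
  end
end

# The hand-built bytes from the post, constructed here for the comparison
HAND_BUILT = NDR.long(8) + NDR.long(0) + NDR.long(8) +
             "\\\x00\\\x00P\x00W\x00N\x00E\x00R\x00\x00\x00".b

def hand_built_matches_wstring?
  HAND_BUILT == NDR.wstring("\\\\PWNER")
end

def round_trip
  NDR.parse_wstring(NDR.wstring("\\\\PWNER"))
end

puts hand_built_matches_wstring?  # true
```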


