Metasploit mailing list archives

Problems with calling OpenSCManager()


From: ron at skullsecurity.net (Ron)
Date: Sat, 03 Jan 2009 17:01:27 -0600

Hi all,

This isn't directly related to MSF, but I'm hoping somebody here can
help me out since MSF has implemented this.

I'm trying to implement psexec-like functionality in Lua (as an Nmap
script), but I'm running into an issue. Everything works fine running
against Windows 2000 and Windows 2003, but when I run it against Windows
XP, it fails with error 0x000006e4 (1764 = RPC_S_CANNOT_SUPPORT) when I
call either OpenSCManagerA() or OpenSCManagerW(). I've attached a pcap
of this happening.

As far as I know, my SMB and MSRPC code is solid, and has been tested
pretty significantly. I've compared packet logs to both MSF and pwdump6,
and have copied the constants used by both. Unfortunately, even when my
packets are practically identical to MSF, my code fails with that error
while MSF works fine against the same target. The biggest difference is
that I use straight up NTLM for authentication, not NTLMSSP, but I find
it unlikely that that's the issue. I also send different fragment sizes,
and things like that.

Have you guys run into this problem? Any clue what I'm doing wrong? I've
been banging my head against this problem for some time now, to no avail.

Thanks!
Ron

-- 
Ron Bowes
http://www.skullsecurity.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nmap.pcap
Type: application/octet-stream
Size: 4371 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090103/38ebd272/attachment.obj>

