[framework] DCE/RPC in Metasploit
Krpata, Tyler
tkrpata at bjs.com
Mon Dec 18 09:55:50 CST 2006
Oh...that's much more convenient! Thanks for the input. I replaced the
first bit with this:
NDR.wstring("\\"+Rex::Text.rand_text_alphanumeric(12))
If I'm looking for a certain return code at the end of the
dcerpc.last_response.stub_data, is this an ok way to do it?
if(dcerpc.last_response.stub_data =~ /\x09\x07\x00\x00$/)
> -----Original Message-----
> From: Brian Caswell [mailto:bmc at shmoo.com]
> Sent: Sunday, December 17, 2006 6:39 PM
> To: framework at metasploit.com
> Subject: Re: [framework] DCE/RPC in Metasploit
>
> On Dec 15, 2006, at 5:53 PM, Krpata, Tyler wrote:
> > It's probably partly your code that I, err, "borrowed" then... :)
>
>
> This:
>
> NDR.long(8) + NDR.long(0) + NDR.long(8) + "\\\x00\\\x00P\x00W\x00N\x00E\x00R\x00\x00\x00"
>
> Equiv to:
>
> NDR.wstring("\\\\PWNER")
>
> BTW, this is bad form, it's trivial for lame IDS signature writers to
> trigger off of and claim they provide protection.
>
> This:
>
> NDR.long(payload.length/2) + NDR.long(0) + NDR.long(payload.length/2) + payload
>
> Is equiv to:
>
> NDR.wstring_prebuilt(payload)
>
> The bit you commented "not sure what this does" is for handling the
> "did I exploit the box" conditions for one of the DCERPC exploits.
> You should replace that chunk of code with what the service returns
> on success or failure of your exploit.
>
> Brian
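As an added illustration (not code from this thread or from the framework itself), a minimal re-implementation of the NDR helpers discussed above, showing that Brian's hand-built byte string and `NDR.wstring("\\\\PWNER")` encode identically, plus an integer-based alternative to Tyler's regex for reading the return code at the end of the stub data. The `MiniNDR` module and `trailing_status` helper are assumptions modelled on Rex::Proto::DCERPC::NDR, not the framework's own API.

```ruby
# Hypothetical minimal NDR helpers, modelled on Rex::Proto::DCERPC::NDR.
module MiniNDR
  # 32-bit little-endian unsigned integer
  def self.long(n)
    [n].pack('V')
  end

  # Conformant, varying, null-terminated UTF-16LE string:
  # max_count, offset, actual_count, characters, padded to a 4-byte boundary.
  def self.wstring(str)
    utf16 = (str + "\x00").encode('UTF-16LE').b
    count = utf16.bytesize / 2                      # code units incl. the null
    pad   = ("\x00" * ((4 - (utf16.bytesize % 4)) % 4)).b
    long(count) + long(0) + long(count) + utf16 + pad
  end

  # Variant for a caller-supplied, already UTF-16LE-encoded payload.
  def self.wstring_prebuilt(payload)
    count = payload.bytesize / 2
    long(count) + long(0) + long(count) + payload.b
  end
end

# The hand-assembled form quoted in the thread (constructed here for comparison).
HAND_BUILT = MiniNDR.long(8) + MiniNDR.long(0) + MiniNDR.long(8) +
             "\\\x00\\\x00P\x00W\x00N\x00E\x00R\x00\x00\x00".b

# True when the helper produces exactly the bytes Brian wrote out by hand.
def same_encoding?
  MiniNDR.wstring("\\\\PWNER") == HAND_BUILT
end

# Decode the final DWORD of the stub data as a little-endian status code,
# instead of matching its raw bytes with a regex.
def trailing_status(stub_data)
  return nil if stub_data.bytesize < 4
  stub_data.byteslice(-4, 4).unpack1('V')
end

# Constructed sample stub: some leading bytes, then the status 0x0709.
SAMPLE_STUB = "\x05\x00\x00\x00\x09\x07\x00\x00".b
```

Reading the last DWORD with `unpack1('V')` sidesteps the `$` anchor, which in Ruby also matches just before a trailing newline byte; `\z` is the strict end-of-string anchor if you keep the regex.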