[framework] DCE/RPC in Metasploit

Krpata, Tyler tkrpata at bjs.com
Mon Dec 18 10:20:25 CST 2006


Actually never mind that, it turns out I can just send
NDR.wstring("\x00") instead of including a string.

> -----Original Message-----
> From: Krpata, Tyler
> Sent: Monday, December 18, 2006 10:56 AM
> To: framework at metasploit.com
> Subject: RE: [framework] DCE/RPC in Metasploit
> 
> Oh...that's much more convenient! Thanks for the input. I replaced the
> first bit with this:
> 	NDR.wstring("\\"+Rex::Text.rand_text_alphanumeric(12))
> 
> If I'm looking for a certain return code at the end of the
> dcerpc.last_response.stub_data, is this an ok way to do it?
> 	if(dcerpc.last_response.stub_data =~ /\x09\x07\x00\x00$/)
> 
> > -----Original Message-----
> > From: Brian Caswell [mailto:bmc at shmoo.com]
> > Sent: Sunday, December 17, 2006 6:39 PM
> > To: framework at metasploit.com
> > Subject: Re: [framework] DCE/RPC in Metasploit
> >
> > On Dec 15, 2006, at 5:53 PM, Krpata, Tyler wrote:
> > > It's probably partly your code that I, err, "borrowed" then... :)
> >
> >
> > This:
> >
> > 	NDR.long(8) + NDR.long(0) + NDR.long(8) + "\\\x00\\\x00P\x00W\x00N\x00E\x00R\x00\x00\x00"
> >
> > Equiv to:
> >
> > 	NDR.wstring("\\\\PWNER")
> >
> > BTW, this is bad form, it's trivial for lame IDS signature writers to
> > trigger off of and claim they provide protection.
> >
> > This:
> >
> > 	NDR.long(payload.length/2) + NDR.long(0) + NDR.long(payload.length/2) + payload
> >
> > Is equiv to:
> >
> > 	NDR.wstring_prebuilt(payload)
> >
> > The bit you commented "not sure what this does" is for handling the
> > "did I exploit the box" conditions for one of the DCERPC exploits.
> > You should replace that chunk of code with what the service returns
> > on success or failure of your exploit.
> >
> > Brian
> 
> 
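Editor's note, added to this archive page and not part of the thread above: the equivalence Brian points out is the NDR "conformant varying" string layout, three little-endian 32-bit counts (max count, offset, actual count, all in wide characters including the terminating NUL) followed by the UTF-16LE bytes padded to a 4-byte boundary. The Ruby below is a stand-alone re-implementation written for this page; it does not load Rex::Proto::DCERPC::NDR, and the names ndr_long, ndr_wstring, ndr_wstring_prebuilt and stub_return_code are this example's own, chosen to mirror the Rex methods discussed. The stub bytes used to exercise stub_return_code are constructed for the example. That helper reads the trailing four bytes of a stub as an integer because a Ruby `$` anchor matches before any "\n" byte in a string, not only at its end, so a regexp ending in `$` can match a status word that sits in the middle of binary stub data.

```ruby
# Stand-alone re-implementation (not Rex's own code) of the NDR conformant
# varying wide-string encoding that NDR.wstring / NDR.wstring_prebuilt emit:
#   uint32 max_count | uint32 offset (0) | uint32 actual_count |
#   UTF-16LE characters (NUL-terminated for wstring), NUL-padded to 4 bytes.
# All counts are in 16-bit wide characters, including the terminating NUL.

# NDR 'long': 32-bit little-endian unsigned integer (same bytes as NDR.long).
def ndr_long(value)
  [value].pack('V')
end

# Pad a byte string with NULs to the next 4-byte boundary.
def ndr_align(bytes)
  bytes.b + ("\x00" * ((4 - (bytes.bytesize & 3)) & 3))
end

# Encode a Ruby string as a NUL-terminated conformant varying wide string.
# "\\\\PWNER" (7 chars) + NUL = 8 wide chars -> long(8) long(0) long(8) + 16 bytes.
def ndr_wstring(str)
  wide  = (str + "\x00").encode('UTF-16LE').b   # the NUL terminator is counted
  count = wide.bytesize / 2
  ndr_long(count) + ndr_long(0) + ndr_long(count) + ndr_align(wide)
end

# Wrap bytes that are already UTF-16LE (e.g. an encoded payload) without
# appending a NUL, like wstring_prebuilt; an odd-length buffer gets one pad
# byte first so the wide-character count is whole.
def ndr_wstring_prebuilt(wide)
  wide = wide.b
  wide += "\x00" if wide.bytesize.odd?
  count = wide.bytesize / 2
  ndr_long(count) + ndr_long(0) + ndr_long(count) + ndr_align(wide)
end

# Return the 32-bit little-endian status word that ends a response stub,
# or nil if the stub is too short to carry one. Comparing the last four
# bytes as an integer is independent of any "\n" bytes elsewhere in the stub.
def stub_return_code(stub_data)
  return nil if stub_data.bytesize < 4
  stub_data.b[-4, 4].unpack('V').first
end

# The hand-built form from the thread, for comparison with ndr_wstring.
MANUAL_PWNER = ndr_long(8) + ndr_long(0) + ndr_long(8) +
               "\\\x00\\\x00P\x00W\x00N\x00E\x00R\x00\x00\x00".b

if __FILE__ == $0
  puts "wstring matches hand-built: #{ndr_wstring("\\\\PWNER") == MANUAL_PWNER}"
  # Constructed stub: 4 bytes of data, then status 0x00000709 little-endian.
  stub = "\x00\x00\x00\x00\x09\x07\x00\x00".b
  printf("status: 0x%08x\n", stub_return_code(stub))
end
```

Calling ndr_wstring on the same literal reproduces the 28-byte hand-built buffer byte for byte, and ndr_wstring_prebuilt on a UTF-16LE payload reproduces the NDR.long(payload.length/2) triple plus payload form.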