[framework] DCE/RPC in Metasploit

Brian Caswell bmc at shmoo.com
Sun Dec 17 17:39:20 CST 2006


On Dec 15, 2006, at 5:53 PM, Krpata, Tyler wrote:
> It's probably partly your code that I, err, "borrowed" then... :)


This:

	NDR.long(8) + NDR.long(0) + NDR.long(8) + "\\\x00\\\x00P\x00W\x00N\x00E\x00R\x00\x00\x00"

Equiv to:

	NDR.wstring("\\\\PWNER")

BTW, this is bad form; it's trivial for lame IDS signature writers to trigger off of and claim they provide protection.

This:

	NDR.long(payload.length/2) + NDR.long(0) + NDR.long(payload.length/2) + payload

Is equiv to:

	NDR.wstring_prebuilt(payload)

The bit you commented "not sure what this does" is for handling the "did I exploit the box" conditions for one of the DCERPC exploits. You should replace that chunk of code with what the service returns on success or failure of your exploit.

Brian
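As an added illustration of the equivalence Brian describes (not code from the post or from Metasploit's Rex library): a minimal Ruby reimplementation of the NDR conformant-varying wide-string layout. It assumes the header is max_count, offset, actual_count as 32-bit little-endian values, with counts in wide characters including the null terminator (4-byte alignment padding is left out, as in the hand-built bytes above), and checks the result against those bytes.

```ruby
# Stand-alone reimplementation of the layout NDR.wstring / NDR.wstring_prebuilt
# produce, written for this explanation; the field order and counting rule are
# assumptions inferred from the hand-built bytes in the post.
module MiniNDR
  # 32-bit little-endian unsigned integer, like NDR.long
  def self.long(v)
    [v].pack('V')
  end

  # Unicode string with the three NDR header fields
  #   max_count, offset, actual_count
  # followed by UTF-16LE characters. Counts are in wide characters
  # and include the two-byte null terminator that is appended here.
  def self.wstring(str)
    wstring_prebuilt(str.encode('UTF-16LE').b + "\x00\x00".b)
  end

  # Same layout, but the caller supplies already-encoded UTF-16LE bytes
  # (terminator included), so the counts are byte length / 2.
  def self.wstring_prebuilt(wide_bytes)
    n = wide_bytes.bytesize / 2
    long(n) + long(0) + long(n) + wide_bytes
  end
end

# The hand-built bytes from the post, for comparison.
HAND_BUILT = MiniNDR.long(8) + MiniNDR.long(0) + MiniNDR.long(8) +
             "\\\x00\\\x00P\x00W\x00N\x00E\x00R\x00\x00\x00".b

# true when the helper reproduces the hand-built encoding byte for byte
def equivalent?
  MiniNDR.wstring("\\\\PWNER") == HAND_BUILT
end

puts equivalent?  # => true
```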


