fingerprint program uses MSRPC (need help)

1 reply to this topic

#1
x51 (Newbie, Members, 3 posts)
I need to write a little program that will remotely fingerprint a Windows language. I found a nice method to do it in Kostya Kortchinsky's paper Macro-Reliability in Win32 Exploits, but I have no idea how to use it in practice. In this paper, on page 18, the author wrote:

------------------------------------------------------------------------------------------------------------------
MSRPC Localization using Shares

* Works by matching "remark" unicode field of a SHARE_INFO_1 structure returned by the NetShareEnum() API
- Interface 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0, opnum 15 in services.exe (2000)
- Endpoints on ncacn_np, ncadg_ip_udp (old SP)
-------------------------------------------------------------------------------------------------------------------

At the beginning I wanted to write this program in C, but I think that it will be very, very difficult, because the helpful libraries I found to do it (like impacket) are designed only for Python (which I almost don't know :rolleyes:). I would be very grateful for any help.


greetings
x51

#2
x51 (Newbie, Members, 3 posts)
The source from Metasploit, smb.rb, can be helpful. I wrote this (but it doesn't work right ;)):

```python
from impacket.dcerpc import transport
from impacket import uuid
from impacket.structure import Structure

# Leftover from the impacket PNP example this was copied from; not used here.
#class PNP_QueryResConfList(Structure):
#    alignment = 4
#    structure = (
#        ('treeRoot', 'w'),
#        ('resourceType', '<L=0xffff'),
#        ('resourceLen1', '<L-resource'),
#        ('resource', ':'),
#        ('resourceLen2', '<L-resource'),
#        ('unknown_1', '<L=4'),
#        ('unknown_2', '<L=0'),
#        ('unknown_3', '<L=0'),
#    )

# ncacn_np endpoint: the server service (srvsvc) answers on the
# \pipe\browser named pipe as well as on \pipe\srvsvc
stringbinding = "ncacn_np:%(host)s[\\pipe\\%(pipe)s]"
stringbinding %= {
    'host': '192.168.1.101',
    'pipe': 'browser',
    'port': 445,  # not used for this string binding
}
print "Using stringbinding: %r" % stringbinding

# default port for SMB is 445
trans = transport.DCERPCTransportFactory(stringbinding)
print trans.connect()
dce = trans.DCERPC_class(trans)

# bind to the srvsvc interface named in the paper (4b324fc8-... v3.0)
dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))

# Leftover PNP request from the other example; not part of NetShareEnum.
#query = PNP_QueryResConfList()
#query['treeRoot'] = "ROOT\\ROOT\\ROOT\x00".encode('utf_16_le')
#query['resource'] = '\x00'*8 + '\x00\x01\x00\x00' + 'A'*256

# NetShareEnum is opnum 15 on this interface (the number the paper gives),
# not 0xc1. The body is still a placeholder: a real call needs an NDR-encoded
# NetrShareEnum request (ServerName, SHARE_ENUM_STRUCT at level 1,
# PreferedMaximumLength, ResumeHandle), not a run of "A"s.
dce.call(15, "A"*1000)
print "%s" % dce.recv()
```
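A working version of what the thread is after, added here as an example (it is not code from the thread, from Metasploit or from Kortchinsky's paper). It calls NetrShareEnum (srvsvc opnum 15) at level 1 with impacket's newer dcerpc.v5 API, which is assumed to be installed, and matches the shi1_remark of the administrative shares against a per-language table. The English remarks are the well-known defaults; the German and French rows are assumed values for localized builds and should be checked against a known host before being trusted. The matcher itself runs offline on a constructed share list.

```python
"""Remote Windows language fingerprint via srvsvc NetrShareEnum remarks.

Added example, not code from the thread or the paper. The matcher works
offline on (netname, remark) pairs; enum_shares() fetches real pairs with
impacket's dcerpc.v5 API (assumed installed) and only runs when a host is
given on the command line.
"""
import sys

# Remarks Windows attaches to its default administrative shares, keyed by
# language. The English row is the well-known default; the German and French
# rows are assumed values for localized builds and should be verified against
# a known host before relying on them. Add one row per further language.
REMARK_LANGUAGES = {
    "en": {"Remote Admin", "Default share", "Remote IPC"},
    "de": {"Remoteverwaltung", "Standardfreigabe", "Remote-IPC"},
    "fr": {"Administration à distance", "Partage par défaut", "IPC distant"},
}


def score_remarks(shares):
    """Count, per language, how many administrative shares carry that
    language's default remark.

    Only hidden shares (name ending in '$': ADMIN$, C$, D$, IPC$, ...) are
    considered: user-created shares carry whatever remark the admin typed
    and would otherwise pollute the score.
    """
    scores = {lang: 0 for lang in REMARK_LANGUAGES}
    for netname, remark in shares:
        if not netname.endswith("$"):
            continue
        for lang, remarks in REMARK_LANGUAGES.items():
            if remark in remarks:
                scores[lang] += 1
    return scores


def fingerprint_language(shares):
    """Return the language whose default remarks matched most often, or None
    when nothing matched or two languages tie (remarks can be edited with
    'net share X /remark:...' and administrative shares can be disabled)."""
    ranked = sorted(score_remarks(shares).items(),
                    key=lambda kv: kv[1], reverse=True)
    best_lang, best_score = ranked[0]
    if best_score == 0 or best_score == ranked[1][1]:
        return None
    return best_lang


def enum_shares(host, username="", password="", domain=""):
    """NetrShareEnum (srvsvc opnum 15) at level 1 over ncacn_np via
    \\pipe\\srvsvc, returning [(netname, remark), ...]. impacket is imported
    here so the offline matcher above works without it. The LPWSTR fields
    come back decoded with a trailing NUL, which is stripped."""
    from impacket.dcerpc.v5 import transport, srvs

    rpctransport = transport.SMBTransport(host, 445, filename=r"\srvsvc",
                                          username=username, password=password,
                                          domain=domain)
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(srvs.MSRPC_UUID_SRVS)
    resp = srvs.hNetrShareEnum(dce, 1)  # level 1 -> SHARE_INFO_1 with shi1_remark
    shares = []
    for entry in resp["InfoStruct"]["ShareInfo"]["Level1"]["Buffer"]:
        shares.append((entry["shi1_netname"][:-1], entry["shi1_remark"][:-1]))
    dce.disconnect()
    return shares


# Constructed sample of what an English host returns; the user share "Public"
# carries a copied default remark to show that non-$ shares are ignored.
SAMPLE_SHARES = [
    ("ADMIN$", "Remote Admin"),
    ("C$", "Default share"),
    ("IPC$", "Remote IPC"),
    ("print$", "Printer Drivers"),
    ("Public", "Remote Admin"),
]

if __name__ == "__main__":
    shares = enum_shares(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SHARES
    for netname, remark in shares:
        print("%-12s %s" % (netname, remark))
    print("language guess: %s  scores: %s"
          % (fingerprint_language(shares), score_remarks(shares)))
```

Run it with no arguments to see the matcher on the constructed sample, or with a host name (and credentials filled into enum_shares) to enumerate a real target; an unauthenticated null session will only work where the host still allows anonymous share enumeration. Because remarks can be edited and administrative shares disabled, treat a tie or a None result as "unknown" rather than guessing.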