HD Moore
c0a0507fdf
git-svn-id: file:///home/svn/framework3/trunk@7319 4d416f70-5f16-0410-b530-b9f4589650da
39 lines
735 B
Ruby
39 lines
735 B
Ruby
module Msf
|
|
|
|
###
|
|
#
|
|
# This module provides service-specific methods for the DCERPC exploit mixin
|
|
#
|
|
###
|
|
module Exploit::Remote::DCERPC_LSA
|
|
|
|
NDR = Rex::Encoder::NDR
|
|
|
|
def lsa_open_policy(dcerpc, server="\\")
|
|
stubdata =
|
|
# Server
|
|
NDR.uwstring(server) +
|
|
# Object Attributes
|
|
NDR.long(24) + # SIZE
|
|
NDR.long(0) + # LSPTR
|
|
NDR.long(0) + # NAME
|
|
NDR.long(0) + # ATTRS
|
|
NDR.long(0) + # SEC DES
|
|
# LSA QOS PTR
|
|
NDR.long(1) + # Referent
|
|
NDR.long(12) + # Length
|
|
NDR.long(2) + # Impersonation
|
|
NDR.long(1) + # Context Tracking
|
|
NDR.long(0) + # Effective Only
|
|
# Access Mask
|
|
NDR.long(0x02000000)
|
|
|
|
res = dcerpc.call(6, stubdata)
|
|
|
|
dcerpc.last_response.stub_data[0,20]
|
|
end
|
|
|
|
end
|
|
end
|
|
|