BOOTPARAMPROC_WHOAMI相关通信报文
攻击者调用远程过程BOOTPARAMPROC_WHOAMI,指定一个有效的client_address,那么 响应报文中将包含domain_name,这使得攻击者很容易获取NIS口令文件。
User Datagram Protocol, Src Port: 34062, Dst Port: 33866 Remote Procedure Call, Type:Call XID:0x0632c9a4 XID: 0x632c9a4 (103991716) Message Type: Call (0) RPC Version: 2 Program: BOOTPARAMS (100026) Program Version: 1 Procedure: WHOAMI (1) Credentials Flavor: AUTH_NULL (0) Length: 0 Verifier Flavor: AUTH_NULL (0) Length: 0 Boot Parameters Program Version: 1 V1 Procedure: WHOAMI (1) Address Type: IPv4-ADDR (1) Client Address: 10.10.7.2 (10.10.7.2)
0020 06 32 c9 a4 00 00 .2.... 0030 00 00 00 00 00 02 00 01 86 ba 00 00 00 01 00 00 ................ 0040 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 01 00 00 00 0a 00 00 00 0a 00 00 ................ 0060 00 07 00 00 00 02 ......
User Datagram Protocol, Src Port: 33866, Dst Port: 34062 Remote Procedure Call, Type:Reply XID:0x0632c9a4 XID: 0x632c9a4 (103991716) Message Type: Reply (1) Program: BOOTPARAMS (100026) Program Version: 1 Procedure: WHOAMI (1) Reply State: accepted (0) Verifier Flavor: AUTH_NULL (0) Length: 0 Accept State: RPC executed successfully (0) Boot Parameters Program Version: 1 V1 Procedure: WHOAMI (1) Client Host: scz length: 3 contents: scz fill bytes: opaque data Client Domain: nonexist length: 8 contents: nonexist Address Type: IPv4-ADDR (1) Router Address: 10.10.7.254 (10.10.7.254)
0020 06 32 c9 a4 00 00 .2.... 0030 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 03 73 63 7a 00 00 00 00 08 6e 6f ......scz.....no 0050 6e 65 78 69 73 74 00 00 00 01 00 00 00 0a 00 00 nexist.......... 0060 00 0a 00 00 00 07 ff ff ff fe ..........
对照ONC/Sun RPC与DCE/MS RPC在序列化/反序列化时的异同,总的来说,精神实质是 相同的,细节处理上不同。ONC/Sun RPC老老实实地使用网络字节序,参看RFC 1057。
struct ip_addr_t { char net; char host; char lh; char impno; };
Client Address、Router Address字段均是ip_addr_t型数据,每个char被序列化成4 个字节,由于char是有符号类型,在扩展时用符号位进行扩展,于是254被扩展成 0xFFFFFFFE。
const MAX_MACHINE_NAME = 255;
typedef string bp_machine_name_t
string类型被序列化成4字节长度域(length字段)加数据域(contents字段)。数据域 之后的字段要求对齐在四字节边界上,因此有可能出现fill bytes字段,这与DCE/MS RPC类似。