标题: 对135/UDP的一些说明

以中文2000的msgsvc.dll(5.0.2195.4874)为例进行说明。

net use \10.10.7.44\ipc$ /user:Administrator ifids.exe -p ncacn_np -e \pipe\msgsvc -t 10.10.7.44 ... ... Interface UUID : 17fdd703-1827-4e34-79d4-24a55c53bb37 version 1.0 Interface UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0 ifids.exe -p ncadg_ip_udp -e 1027 -t 10.10.7.44 (同上)

注意两点。一是空会话无权访问\pipe\msgsvc，所以我建立了管理员会话。二是你测试时未必是1027/UDP，需要用其它手段获取这个端口号，比如在服务端执行netstat 查看，或者在客户端用135dump一类的工具获取。

逆向这个版本的msgsvc.dll，同时包含两个接口:

uuid( 17fdd703-1827-4e34-79d4-24a55c53bb37 ), version( 1.0 )

/ * 0x00 0x76812A32 _NetrMessageNameAdd@8 * 0x01 0x76813F2C _NetrMessageNameEnum@20 * 0x02 0x7681416B _NetrMessageNameGetInfo@16 * 0x03 0x768128F6 _NetrMessageNameDel@8 /

uuid( 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc ), version( 1.0 )

/ * 0x00 0x76814725 _NetrSendMessage@12 / long NetrSendMessage ( [in,string] char from, [in,string] char to, [in,string] char *str );

泄露的MS源码中只有前一个接口，没有后一个接口。这次我们只关心后一个接口。测试ncacn_np协议序列(1.cap):

Microsoft Messenger Service, NetrSendMessage Operation: NetrSendMessage (0) Server Max Count: 1 Offset: 0 Actual Count: 1 Server: Client Max Count: 1 Offset: 0 Actual Count: 1 Client: Message Max Count: 2 Offset: 0 Actual Count: 2 Message: \r

00a0 01 00 00 00 00 00 00 00 01 00 .......... 00b0 00 00 00 ff d0 11 01 00 00 00 00 00 00 00 01 00 ................ 00c0 00 00 00 5d 88 8a 02 00 00 00 00 00 00 00 02 00 ...]............ 00d0 00 00 0d 00 ....

Microsoft Messenger Service, NetrSendMessage Operation: NetrSendMessage (0) Return code: STATUS_SUCCESS (0x00000000)

0080 00 00 00 00 ....

Ethereal 0.10.14对此通信进行了解码，只是将from/to的关系搞反了。

测试ncadg_ip_udp协议序列(2.cap):

1 174 Messenger 10.10.7.2 10.10.7.44 3713 1027 NetrSendMessage request 2 142 UDP 10.10.7.44 10.10.7.2 2536 3713 Source port: 2536 Destination port: 3713 3 146 UDP 10.10.7.2 10.10.7.44 3713 2536 Source port: 3713 Destination port: 2536 4 122 DCERPC 10.10.7.44 10.10.7.2 2536 3713 Ack: seq: 0 5 126 Messenger 10.10.7.44 10.10.7.2 1027 3713 NetrSendMessage response 6 122 DCERPC 10.10.7.2 10.10.7.44 3713 1027 Ack: seq: 0 [req: #1]

Frame 1 (174 bytes on wire, 174 bytes captured) Internet Protocol, Src: 10.10.7.2, Dst: 10.10.7.44 User Datagram Protocol, Src Port: 3713, Dst Port: 1027 DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 52, [Resp: #5] Version: 4 Packet type: Request (0) Flags1: 0x08 "No Fack" 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..0. .... = Idempotent: Not set ...0 .... = Maybe: Not set .... 1... = No Fack: Set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc Activity: 71aadcbf-bb40-44d4-9632-87084702e1de Server boot time: Unknown (0) Interface Ver: 1 Sequence num: 0 Opnum: 0 Interface Hint: 0xffff Activity Hint: 0xffff Fragment len: 52 Fragment num: 0 Auth proto: None (0) Serial Low: 0x00 Response in frame: 5 Microsoft Messenger Service, NetrSendMessage Operation: NetrSendMessage (0) Server Max Count: 4 Offset: 0 Actual Count: 4 Server: scz Client Max Count: 3 Offset: 0 Actual Count: 3 Client: tt Message Max Count: 8 Offset: 0 Actual Count: 8 Message: who r u

0020 04 00 08 00 10 00 ...... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 ....{Z........O. 0050 e6 fc bf dc aa 71 40 bb d4 44 96 32 87 08 47 02 [email protected]. 0060 e1 de 00 00 00 00 01 00 00 00 00 00 00 00 00 00 ................ 0070 ff ff ff ff 34 00 00 00 00 00 04 00 00 00 00 00 ....4........... 0080 00 00 04 00 00 00 73 63 7a 00 03 00 00 00 00 00 ......scz....... 0090 00 00 03 00 00 00 74 74 00 00 08 00 00 00 00 00 ......tt........ 00a0 00 00 08 00 00 00 77 68 6f 20 72 20 75 00 ......who r u.

Frame 2 (142 bytes on wire, 142 bytes captured) Internet Protocol, Src: 10.10.7.44, Dst: 10.10.7.2 User Datagram Protocol, Src Port: 2536, Dst Port: 3713 Data (100 bytes)

0020 04 00 20 04 10 00 .. ... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 76 22 3a 33 00 00 00 00 0d 00 00 80 9c 00 ..v":3.......... 0050 00 00 68 ea 4f 76 92 a9 3c 45 8e 5f 91 b6 cb 19 ..h.Ov..<E._.... 0060 11 44 00 00 00 00 03 00 00 00 00 00 00 00 01 00 .D.............. 0070 ff ff ff ff 14 00 00 00 00 00 bf dc aa 71 40 bb .............q@. 0080 d4 44 96 32 87 08 47 02 e1 de 02 3c be 41 .D.2..G....<.A

Frame 3 (146 bytes on wire, 146 bytes captured) Internet Protocol, Src: 10.10.7.2, Dst: 10.10.7.44 User Datagram Protocol, Src Port: 3713, Dst Port: 2536 Data (104 bytes)

0020 04 02 08 04 10 00 ...... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 76 22 3a 33 00 00 00 00 0d 00 00 80 9c 00 ..v":3.......... 0050 00 00 68 ea 4f 76 92 a9 3c 45 8e 5f 91 b6 cb 19 ..h.Ov..<E..... 0060 11 44 00 00 00 00 03 00 00 00 00 00 00 00 01 00 .D.............. 0070 ff ff ff ff 18 00 00 00 00 00 00 00 00 00 55 82 ..............U. 0080 72 8e a9 05 e7 4d a1 45 d3 e1 55 38 5f 0b 00 00 r....M.E..U8... 0090 00 00 ..

Frame 4 (122 bytes on wire, 122 bytes captured) Internet Protocol, Src: 10.10.7.44, Dst: 10.10.7.2 User Datagram Protocol, Src Port: 2536, Dst Port: 3713 DCE RPC Ack, Seq: 0, Serial: 1, Frag: 1, FragLen: 0 Version: 4 Packet type: Ack (7) Flags1: 0x20 "Idempotent" 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..1. .... = Idempotent: Set ...0 .... = Maybe: Not set .... 0... = No Fack: Not set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 333a2276-0000-0000-0d00-00809c000000 Activity: 764fea68-a992-453c-8e5f-91b6cb191144 Server boot time: Unknown (0) Interface Ver: 3 Sequence num: 0 Opnum: 1 Interface Hint: 0xffff Activity Hint: 0xffff Fragment len: 0 Fragment num: 1 Auth proto: None (0) Serial Low: 0x01

0020 04 07 20 00 10 00 .. ... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 76 22 3a 33 00 00 00 00 0d 00 00 80 9c 00 ..v":3.......... 0050 00 00 68 ea 4f 76 92 a9 3c 45 8e 5f 91 b6 cb 19 ..h.Ov..<E._.... 0060 11 44 00 00 00 00 03 00 00 00 00 00 00 00 01 00 .D.............. 0070 ff ff ff ff 00 00 01 00 00 01 ..........

Frame 5 (126 bytes on wire, 126 bytes captured) Internet Protocol, Src: 10.10.7.44, Dst: 10.10.7.2 User Datagram Protocol, Src Port: 1027, Dst Port: 3713 DCE RPC Response, Seq: 0, Serial: 0, Frag: 0, FragLen: 4, [Req: #1] Version: 4 Packet type: Response (2) Flags1: 0x08 "No Fack" 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..0. .... = Idempotent: Not set ...0 .... = Maybe: Not set .... 1... = No Fack: Set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc Activity: 71aadcbf-bb40-44d4-9632-87084702e1de Server boot time: Dec 14, 2004 09:04:02.000000000 Interface Ver: 1 Sequence num: 0 Opnum: 0 Interface Hint: 0xffff Activity Hint: 0x0036 Fragment len: 4 Fragment num: 0 Auth proto: None (0) Serial Low: 0x00 Request in frame: 1 Microsoft Messenger Service, NetrSendMessage Operation: NetrSendMessage (0) Return code: STATUS_SUCCESS (0x00000000)

0020 04 02 08 00 10 00 ...... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 ....{Z........O. 0050 e6 fc bf dc aa 71 40 bb d4 44 96 32 87 08 47 02 [email protected]. 0060 e1 de 02 3c be 41 01 00 00 00 00 00 00 00 00 00 ...<.A.......... 0070 ff ff 36 00 04 00 00 00 00 00 00 00 00 00 ..6...........

Frame 6 (122 bytes on wire, 122 bytes captured) Internet Protocol, Src: 10.10.7.2, Dst: 10.10.7.44 User Datagram Protocol, Src Port: 3713, Dst Port: 1027 DCE RPC Ack, Seq: 0, Serial: 1, Frag: 1, FragLen: 0, [Req: #1] Version: 4 Packet type: Ack (7) Flags1: 0x00 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..0. .... = Idempotent: Not set ...0 .... = Maybe: Not set .... 0... = No Fack: Not set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc Activity: 71aadcbf-bb40-44d4-9632-87084702e1de Server boot time: Unknown (0) Interface Ver: 1 Sequence num: 0 Opnum: 0 Interface Hint: 0xffff Activity Hint: 0x0036 Fragment len: 0 Fragment num: 1 Auth proto: None (0) Serial Low: 0x01 Request in frame: 1

0020 04 07 00 00 10 00 ...... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 ....{Z........O. 0050 e6 fc bf dc aa 71 40 bb d4 44 96 32 87 08 47 02 [email protected]. 0060 e1 de 00 00 00 00 01 00 00 00 00 00 00 00 00 00 ................ 0070 ff ff 36 00 00 00 01 00 00 01 ..6.......

这次不讨论Messenger服务本身，也不讨论"net send"相关命令，关心的是135/UDP上的RPC通信。

135/TCP上跑的是DCE/RPC V5，135/UDP上跑的是DCE/RPC V4。V4的RPC头固定是80字节，解码时与V5明显不同。让过V4的RPC头，接下来就是IDL文件相关的RPC数据区，这部分与V5完全相同。Ethereal 0.10.14真是烂啊，以前有个版本可以对2、3号报文解码的，现在居然不解了，真是见鬼，它们对应conv_who_are_you2()。而Sniffer Pro 4.70.564错误解码如下:

CL/DCE RPC: ----- Connectionless MS DCE/RPC Header ----- CL/DCE RPC: CL/DCE RPC: RPC Version = 4 CL/DCE RPC: PDU Type = 0 (Request) CL/DCE RPC: flags1 = 20 CL/DCE RPC: 0... .... = Reserved CL/DCE RPC: .0.. .... = NOT Broadcast Request CL/DCE RPC: ..1. .... = Idempotent Request CL/DCE RPC: ...0 .... = NOT Maybe Request CL/DCE RPC: .... 0... = FACK required CL/DCE RPC: .... .0.. = PDU is NOT fragment CL/DCE RPC: .... ..0. = PDU is NOT last fragment CL/DCE RPC: .... ...0 = Reserved CL/DCE RPC: flags2 = 04 CL/DCE RPC: 0... .... = Reserved CL/DCE RPC: .0.. .... = Reserved CL/DCE RPC: ..0. .... = Reserved CL/DCE RPC: ...0 .... = Reserved CL/DCE RPC: .... 0... = Reserved CL/DCE RPC: .... .1.. = Reserved CL/DCE RPC: .... ..0. = Cancel not Pending at the call end CL/DCE RPC: .... ...0 = Reserved CL/DCE RPC: Data Representation Format Label = 100000 CL/DCE RPC: Serial Number (High Byte) = 0 CL/DCE RPC: OID = 00000000-0000-0000-0000-000000000000 CL/DCE RPC: IID = 333A2276-0000-0000-0D00-00809C000000 CL/DCE RPC: AID = 764FEA68-A992-453C-8E5F-91B6CB191144 CL/DCE RPC: Server Boot Time = 0 CL/DCE RPC: I/F Version = 3 CL/DCE RPC: Sequence number = 0 CL/DCE RPC: Operation Number (Method) = 1 CL/DCE RPC: Interface hint = 65535 CL/DCE RPC: Activity hint = 65535 CL/DCE RPC: Packet Body Length = 20 CL/DCE RPC: Fragment Number = 0 CL/DCE RPC: Authentication protocol ID = 0 CL/DCE RPC: Serial Number (Low Byte) = 0 CL/DCE RPC: DCOM: ----- MS RPC Application Header ----- DCOM: DCOM: RPC IID = Conversation Mgr DCOM: *** Conversation Manager Interface *** DCOM: Handle = 71aadcbf DCOM: UUID = 44D4BB40-3296-0887-4702-E1DE023CBE41 ADDR HEX 0020: 04 00 20 04 10 00 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0040: 00 00 76 22 3a 33 00 00 00 00 0d 00 00 80 9c 00 0050: 00 00 68 ea 4f 76 92 a9 3c 45 8e 5f 91 b6 cb 19 0060: 11 44 00 00 00 00 03 00 00 00 00 00 00 00 01 00 0070: ff ff ff ff 14 00 00 00 00 00 bf dc aa 71 40 bb 0080: d4 44 96 32 87 08 47 02 e1 de 02 3c be 41

CL/DCE RPC: ----- Connectionless MS DCE/RPC Header ----- CL/DCE RPC: CL/DCE RPC: RPC Version = 4 CL/DCE RPC: PDU Type = 2 (Response) CL/DCE RPC: flags1 = 08 CL/DCE RPC: 0... .... = Reserved CL/DCE RPC: .0.. .... = NOT Broadcast Request CL/DCE RPC: ..0. .... = NOT Idempotent Request CL/DCE RPC: ...0 .... = NOT Maybe Request CL/DCE RPC: .... 1... = No FACK required CL/DCE RPC: .... .0.. = PDU is NOT fragment CL/DCE RPC: .... ..0. = PDU is NOT last fragment CL/DCE RPC: .... ...0 = Reserved CL/DCE RPC: flags2 = 04 CL/DCE RPC: 0... .... = Reserved CL/DCE RPC: .0.. .... = Reserved CL/DCE RPC: ..0. .... = Reserved CL/DCE RPC: ...0 .... = Reserved CL/DCE RPC: .... 0... = Reserved CL/DCE RPC: .... .1.. = Reserved CL/DCE RPC: .... ..0. = Cancel not Pending at the call end CL/DCE RPC: .... ...0 = Reserved CL/DCE RPC: Data Representation Format Label = 100000 CL/DCE RPC: Serial Number (High Byte) = 0 CL/DCE RPC: OID = 00000000-0000-0000-0000-000000000000 CL/DCE RPC: IID = 333A2276-0000-0000-0D00-00809C000000 CL/DCE RPC: AID = 764FEA68-A992-453C-8E5F-91B6CB191144 CL/DCE RPC: Server Boot Time = 0 CL/DCE RPC: I/F Version = 3 CL/DCE RPC: Sequence number = 0 CL/DCE RPC: Operation Number (Method) = 1 CL/DCE RPC: Interface hint = 65535 CL/DCE RPC: Activity hint = 65535 CL/DCE RPC: Packet Body Length = 24 CL/DCE RPC: Fragment Number = 0 CL/DCE RPC: Authentication protocol ID = 0 CL/DCE RPC: Serial Number (Low Byte) = 0 CL/DCE RPC: DCOM: ----- MS RPC Application Header ----- DCOM: DCOM: RPC IID = Conversation Mgr DCOM: *** Conversation Manager Interface *** DCOM: Data = 000000005582728EA905E74DA145D3E155385F0B00000000 ADDR HEX 0020: 04 02 08 04 10 00 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0040: 00 00 76 22 3a 33 00 00 00 00 0d 00 00 80 9c 00 0050: 00 00 68 ea 4f 76 92 a9 3c 45 8e 5f 91 b6 cb 19 0060: 11 44 00 00 00 00 03 00 00 00 00 00 00 00 01 00 0070: ff ff ff ff 18 00 00 00 00 00 00 00 00 00 55 82 0080: 72 8e a9 05 e7 4d a1 45 d3 e1 55 38 5f 0b 00 00 0090: 00 00

rpcrt4.dll自己实现了这两个接口:

MGMT afa8bd80-7d8a-11c9-bef4-08002b102989 1.0 CONV 333a2276-0000-0000-0d00-00809c000000 3.0

[ 2]介绍了conv_who_are_you2与non-idempotent、Activity的关系，手工解码如下:

0xBF, 0xDC, 0xAA, 0x71, 0x40, 0xBB, 0xD4, 0x44, // +0x000 actuid: 71aadcbf-bb40-44d4-9632-87084702e1de 0x96, 0x32, 0x87, 0x08, 0x47, 0x02, 0xE1, 0xDE, 0x02, 0x3C, 0xBE, 0x41 // +0x010 boot_time: Dec 14, 2004 09:04:02.000000000

0x00, 0x00, 0x00, 0x00, // +0x000 seq: 0x55, 0x82, 0x72, 0x8E, 0xA9, 0x05, 0xE7, 0x4D, // +0x004 cas_uuid: 8e728255-05a9-4de7-a145-d3e155385f0b 0xA1, 0x45, 0xD3, 0xE1, 0x55, 0x38, 0x5F, 0x0B, 0x00, 0x00, 0x00, 0x00 // +0x014 st:

[ 1]第一次引起我对idempotent(幂等)的注意。继续测试(3.cap):

Frame 1 (168 bytes on wire, 168 bytes captured) User Datagram Protocol, Src Port: 3760, Dst Port: 1027 DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 46, [Resp: #2] Version: 4 Packet type: Request (0) Flags1: 0x28 "Idempotent" "No Fack" 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..1. .... = Idempotent: Set ...0 .... = Maybe: Not set .... 1... = No Fack: Set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc Activity: 26cc9c3c-4425-4e45-aed4-32a35c4c1b20 Server boot time: Unknown (0) Interface Ver: 1 Sequence num: 0 Opnum: 0 Interface Hint: 0xffff Activity Hint: 0xffff Fragment len: 46 Fragment num: 0 Auth proto: None (0) Serial Low: 0x00 Response in frame: 2 Microsoft Messenger Service, NetrSendMessage Operation: NetrSendMessage (0) Server Max Count: 1 Offset: 0 Actual Count: 1 Server: Client Max Count: 1 Offset: 0 Actual Count: 1 Client: Message Max Count: 2 Offset: 0 Actual Count: 2 Message: \r

0020 04 00 28 00 10 00 ..(... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 ....{Z........O. 0050 e6 fc 3c 9c cc 26 25 44 45 4e ae d4 32 a3 5c 4c ..<..&%DEN..2.\L 0060 1b 20 00 00 00 00 01 00 00 00 00 00 00 00 00 00 . .............. 0070 ff ff ff ff 2e 00 00 00 00 00 01 00 00 00 00 00 ................ 0080 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 ................ 0090 00 00 01 00 00 00 00 00 00 00 02 00 00 00 00 00 ................ 00a0 00 00 02 00 00 00 0d 00 ........

Frame 2 (126 bytes on wire, 126 bytes captured) User Datagram Protocol, Src Port: 1027, Dst Port: 3760 DCE RPC Response, Seq: 0, Serial: 0, Frag: 0, FragLen: 4, [Req: #1] Version: 4 Packet type: Response (2) Flags1: 0x08 "No Fack" 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..0. .... = Idempotent: Not set ...0 .... = Maybe: Not set .... 1... = No Fack: Set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 00000000-0000-0000-0000-000000000000 Activity: 26cc9c3c-4425-4e45-aed4-32a35c4c1b20 Server boot time: Dec 14, 2004 09:04:02.000000000 Interface Ver: 0 Sequence num: 0 Opnum: 0 Interface Hint: 0xffff Activity Hint: 0x004b Fragment len: 4 Fragment num: 0 Auth proto: None (0) Serial Low: 0x00 Request in frame: 1 Time from request: 0.001369000 seconds Microsoft Messenger Service, NetrSendMessage Operation: NetrSendMessage (0) Return code: STATUS_SUCCESS (0x00000000)

0020 04 02 08 00 10 00 ...... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 3c 9c cc 26 25 44 45 4e ae d4 32 a3 5c 4c ..<..&%DEN..2.\L 0060 1b 20 02 3c be 41 00 00 00 00 00 00 00 00 00 00 . .<.A.......... 0070 ff ff 4b 00 04 00 00 00 00 00 00 00 00 00 ..K...........

Frame 3 (122 bytes on wire, 122 bytes captured) User Datagram Protocol, Src Port: 3760, Dst Port: 1027 DCE RPC Ack, Seq: 0, Serial: 1, Frag: 1, FragLen: 0, [Req: #1] Version: 4 Packet type: Ack (7) Flags1: 0x20 "Idempotent" 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..1. .... = Idempotent: Set ...0 .... = Maybe: Not set .... 0... = No Fack: Not set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc Activity: 26cc9c3c-4425-4e45-aed4-32a35c4c1b20 Server boot time: Unknown (0) Interface Ver: 1 Sequence num: 0 Opnum: 0 Interface Hint: 0xffff Activity Hint: 0x004b Fragment len: 0 Fragment num: 1 Auth proto: None (0) Serial Low: 0x01 Request in frame: 1 Time from request: 0.002021000 seconds

0020 04 07 20 00 10 00 .. ... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 ....{Z........O. 0050 e6 fc 3c 9c cc 26 25 44 45 4e ae d4 32 a3 5c 4c ..<..&%DEN..2.\L 0060 1b 20 00 00 00 00 01 00 00 00 00 00 00 00 00 00 . .............. 0070 ff ff 4b 00 00 00 01 00 00 01 ..K.......

没有了conv_who_are_you2()相关的三个报文，但仍有一个Ack(7)报文。其实可以更狠些，反正不关心、不需要响应报文。

注意，135/UDP上没有Bind(11)操作，参[ 3]。接口UUID直接在V4 Request(0)的RPC 头部Interface字段指定。

☆ 参考资源

[ 1] Messenger Service abuse via Microsoft RPC - Jeremy Hewlett [2003] http://www.giac.com/practical/GCIH/Jeremy_Hewlett_GCIH.pdf

 [Full-Disclosure] Re: Windows Messenger Popup Spam - advisory amended (followup for those interested) [2003-07-01]
 http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/006152.html

[ 2] http://www.opengroup.org/onlinepubs/9629399/apdxp.htm

[ 3] http://www.opengroup.org/onlinepubs/9629399/chap12.htm

[ 4] [CORE-2003-12-05] DCE RPC Vulnerabilities New Attack Vectors Analysis - [2003-12-10] http://www.coresecurity.com/common/showdoc.php?idx=393&idxseccion=10