Module: Msf::Exploit::Remote::DCERPC_LSA

Included in:
DCERPC
Defined in:
lib/msf/core/exploit/dcerpc_lsa.rb

Overview

This module provides service-specific methods for the DCERPC exploit mixin

Constant Summary collapse

NDR =
Rex::Encoder::NDR

Instance Method Summary collapse

Instance Method Details

#lsa_open_policy(dcerpc, server = "\\") ⇒ Object


13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# File 'lib/msf/core/exploit/dcerpc_lsa.rb', line 13

def lsa_open_policy(dcerpc, server="\\")
  stubdata =
    # Server
    NDR.uwstring(server) +
    # Object Attributes
      NDR.long(24) + # SIZE
      NDR.long(0)  + # LSPTR
      NDR.long(0)  + # NAME
      NDR.long(0)  + # ATTRS
      NDR.long(0)  + # SEC DES
        # LSA QOS PTR
        NDR.long(1)  + # Referent
        NDR.long(12) + # Length
        NDR.long(2)  + # Impersonation
        NDR.long(1)  + # Context Tracking
        NDR.long(0)  + # Effective Only
    # Access Mask
    NDR.long(0x02000000)

  res = dcerpc.call(6, stubdata)

  dcerpc.last_response.stub_data[0,20]
end