[jcifs] Creating DCE/RPC Requests

christofer.dutz at c-ware.de christofer.dutz at c-ware.de
Mon Jan 9 10:01:50 MST 2012


Ok,

after a more detailed comparison it seems there are more major differences as PsExec seems to communicate on port 135 and JCIFS on port 445.
Currently it's pretty frustrating to not have ANY documentation at all available on JCIFS's usage, JARAPAC and MIDLC. 

Think I'll go back to implementing the communication on a raw TCP level as it seems easier to do this than to fix the available tools or to reverse engineer how to use them
(especially to fix MIDLC and JARAPAC prior to using them ... especially JARAPAC's build seems to be totally screwed). Using JCIFS for the file transfer and connecting to
Windows Named-Pipes seems to work fine, but the DCERPC stuff seems to be a nightmare.

Are there any resources available, giving me a small start on how to connect to svcctl? I sort of wasted the 5th day now trying to figure this out on my own.

Chris


[ C h r i s t o f e r  D u t z ]
 
C-Ware IT-Service
Owner
Dipl. Inf. Christofer Dutz
Karlstraße. 104, 64285 Darmstadt

phone:  0 61 51 / 27315 - 61
fax:  0 61 51 / 27315 - 64
mobile:  0171 / 7 444 2 33
email:  christofer.dutz at c-ware.de

http://www.c-ware.de

VAT ID no. DE195700962




-----Original Message-----
From: jcifs-bounces at lists.samba.org [mailto:jcifs-bounces at lists.samba.org] On behalf of christofer.dutz at c-ware.de
Sent: Monday, 9 January 2012 14:45
To: jcifs at lists.samba.org
Subject: Re: [jcifs] Creating DCE/RPC Requests

Hi Mike,

I compared the Wireshark dumps and actually found a difference.
In the PsExec call to bind to the svcctl pipe two Ctx Items are sent and in the JCIFS version only one is sent.
PsExec:
- Item 1:
    - Interface: 367abb81-9844-35f1-ad32-98f038001003 
    - Interface Ver: 2 
    - Interface Ver minor: 0
    - Transfer Syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860 Version 2
- Item 2:
    - Interface: 367abb81-9844-35f1-ad32-98f038001003 
    - Interface Ver: 2 
    - Interface Ver minor: 0
    - Transfer Syntax: 6cb71c2c-9812-4540-0300-000000000000 Version 1

In the JCIFS version only item one is sent, but that one is identical. So I guess that the remote host is expecting to receive this two-item binding request.
Unfortunately I can't figure out how to make JCIFS send such a binding request.

Help is greatly appreciated here.

Chris

-----Original Message-----
From: Michael B Allen [mailto:ioplex at gmail.com]
Sent: Thursday, 5 January 2012 09:17
To: christofer.dutz at c-ware.de
Cc: jcifs at lists.samba.org
Subject: Re: [jcifs] Creating DCE/RPC Requests

On Wed, Jan 4, 2012 at 2:04 AM, christofer.dutz at c-ware.de <christofer.dutz at c-ware.de> wrote:
> Hi,
>
> I am currently digging into using the DCE/RPC parts of JCIFS.
> Unfortunately I am running into problems.
>
> I used midlc (Version 0.6.1) to generate a JCIFS compatible stub for
> the svcctl Service and am now trying to call it. Unfortunately I am
> getting
> "jcifs.dcerpc.DcerpcException: DCERPC_FAULT_PROTO_ERROR"
>
> Here comes my code:
>
>             rpc.policy_handle scHandle = new rpc.policy_handle();
>             SvcCtl.OpenSCManager openSCManagerRpc =
>                 new SvcCtl.OpenSCManager(host, null, 0x0001 | 0x0002, scHandle);
>
>             // Connection-oriented DCE/RPC over SMB named pipes.
>             DcerpcHandle handle = DcerpcHandle.getHandle(
>                 "ncacn_np:" + host + "[\\PIPE\\svcctl]",
>                 ConcurrentNtlmAuthenticator.getInstance().getNtlmPasswordAuthentication());
>             try {
>                 // The Exception is thrown when executing this line.
>                 handle.sendrecv(openSCManagerRpc);
>                 if (openSCManagerRpc.retval != 0) {
>                     throw new SmbException(openSCManagerRpc.retval, true);
>                 }
>             } catch(Exception e) {
>                 e.printStackTrace();
>             } finally {
>                 try {
>                     handle.close();
>                 } catch(IOException ioe) {
>                     ioe.printStackTrace();
>                 }
>             }
>
> So what am I doing wrong? I would be really glad if you could help me
> get started, as Googling doesn't seem to get me very far (There seems
> to be almost no information on this available)

Hi Chris,

The IDL is probably wrong. Look at Samba IDL. There is a lot of IDL available in Microsoft documentation now too. Note that midlc only understands a small critical subset of MIDL. In practice you really need to get two captures and compare them side-by-side to verify that the NDR segments are encoded in an identical way. This is true even if you get it to actually work.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
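
Added example, not part of the original thread and not jCIFS code: a parser for the presentation context list of a connection-oriented DCE/RPC bind PDU, used to diff two binds the way the thread compares the PsExec and jCIFS captures and the way Mike suggests comparing captures side by side. The function names and both sample PDUs are constructed here from the UUIDs and versions quoted in the thread; the samples assume little-endian encoding, one transfer syntax per item and no auth trailer.

```python
import struct
import uuid

SVCCTL = ("367abb81-9844-35f1-ad32-98f038001003", 2, 0)  # interface quoted in the thread
NDR = ("8a885d04-1ceb-11c9-9fe8-08002b104860", 2)        # transfer syntax of item 1
BTFN = ("6cb71c2c-9812-4540-0300-000000000000", 1)       # transfer syntax of item 2

def parse_bind_contexts(pdu):
    """Return [(ctx_id, iface_uuid, major, minor, [(syntax_uuid, ver), ...])]."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:      # rpc_vers 5, ptype 11 = bind
        raise ValueError("not a connection-oriented DCE/RPC bind PDU")
    e = "<" if pdu[4] >> 4 == 1 else ">"                  # drep byte 0: integer byte order
    frag_len, auth_len = struct.unpack_from(e + "HH", pdu, 8)
    limit = min(frag_len, len(pdu)) - (auth_len + 8 if auth_len else 0)

    def read_uuid(off):
        raw = bytes(pdu[off:off + 16])
        return str(uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw))

    items, off = [], 28                                   # list header sits at 24..27
    for _ in range(pdu[24]):                              # n_context_elem
        if off + 24 > limit:
            raise ValueError("context list runs past the fragment")
        ctx_id, n_syn = struct.unpack_from(e + "HBx", pdu, off)
        major, minor = struct.unpack_from(e + "HH", pdu, off + 20)
        iface, off = read_uuid(off + 4), off + 24
        if off + 20 * n_syn > limit:
            raise ValueError("transfer syntax list runs past the fragment")
        syntaxes = []
        for _ in range(n_syn):
            syntaxes.append((read_uuid(off), struct.unpack_from(e + "I", pdu, off + 16)[0]))
            off += 20
        items.append((ctx_id, iface, major, minor, syntaxes))
    return items

def build_bind(contexts):
    """Constructed sample input: little-endian bind PDU, one syntax per context item."""
    body = struct.pack("<HHIBxxx", 4280, 4280, 0, len(contexts))
    for ctx_id, ((iface, major, minor), (syn, ver)) in enumerate(contexts):
        body += struct.pack("<HBx", ctx_id, 1) + uuid.UUID(iface).bytes_le
        body += struct.pack("<HH", major, minor) + uuid.UUID(syn).bytes_le + struct.pack("<I", ver)
    return struct.pack("<BBBB4sHHI", 5, 0, 11, 3, b"\x10\0\0\0", 16 + len(body), 0, 1) + body

def offered(pdu):
    return {(i, ma, mi, s, v) for _, i, ma, mi, syns in parse_bind_contexts(pdu) for s, v in syns}

REFERENCE = build_bind([(SVCCTL, NDR), (SVCCTL, BTFN)])  # shape of the PsExec bind
CANDIDATE = build_bind([(SVCCTL, NDR)])                  # shape of the jCIFS bind
ONLY_IN_REFERENCE = sorted(offered(REFERENCE) - offered(CANDIDATE))
```

To use it on real traffic, pass the reassembled DCE/RPC bytes of each bind (the payload carried over the named pipe) to `parse_bind_contexts` instead of the constructed samples.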

