Ethereal-dev: [Ethereal-dev] a problem with dcom protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Asia Slowinska <asia.slowinska@xxxxxxxxx>
Date: Sat, 14 Jan 2006 22:04:04 +0100
Hello,

I've got a network packet, which is for sure a dcom packet, since it
contains a dcom attack (exploit of the rpc dcom buffer overflow
vulnerability). This is the message sent over the TCP protocol.

I need to dissect this. Dissecting ORPCTHIS gives reasonable results,
but... The DCOM/1.0 specification says that the object id field of the
DCE RPC header must contain the IPID. While my packet does not contain
the object id field at all. It has the appropriate flag of dce rpc
header set to zero. Does anyone maybe have an idea what such a packet
could mean and how it could be understood by the dcom? The specification
does not cover it.

Thanks in advance for any hints.
(The specification I have is "Distributed Component Object Model
Protocol -- DCOM/1.0", January 1998.)

Kindest regards,
asia
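As an added example (not part of this message and not the Ethereal project's DCE/RPC dissector): a small Python parser for the connection-oriented DCE/RPC request header showing how the object UUID field the question asks about depends on the PFC_OBJECT_UUID bit (0x80) of pfc_flags, following the DCE 1.1 RPC specification (C706, section 12.6). The sample PDUs, the stub bytes and the placeholder IPID are constructed here for illustration, not taken from the capture in the question.

```python
"""Parse a connection-oriented DCE/RPC request PDU and decide from pfc_flags
whether the optional object UUID (what the DCOM spec calls the IPID) is on
the wire. Layout per DCE 1.1 RPC (C706) section 12.6. All sample data below
is constructed for this example."""
import struct
import uuid

PTYPE_REQUEST = 0
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_OBJECT_UUID = 0x80   # request carries a 16-byte object UUID after the opnum

COMMON_HDR_LEN = 16      # rpc_vers .. call_id
REQUEST_HDR_LEN = 24     # common header + alloc_hint, p_cont_id, opnum


def _uuid_from_wire(raw: bytes, endian: str) -> uuid.UUID:
    # With little-endian drep the first three UUID fields are byte-swapped
    # on the wire; uuid.UUID(bytes_le=...) undoes exactly that swap.
    return uuid.UUID(bytes_le=raw) if endian == "<" else uuid.UUID(bytes=raw)


def parse_dcerpc_request(pdu: bytes) -> dict:
    """Return the header fields, the object UUID (or None) and the stub data."""
    if len(pdu) < REQUEST_HDR_LEN:
        raise ValueError("PDU shorter than a request header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep0 = struct.unpack_from("<5B", pdu, 0)
    # drep[0] high nibble: 1 = little-endian integers (0x10), 0 = big-endian
    endian = "<" if (drep0 >> 4) == 1 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if rpc_vers != 5 or ptype != PTYPE_REQUEST:
        raise ValueError(f"not a DCE/RPC v5 request (vers={rpc_vers}, ptype={ptype})")
    if frag_length < REQUEST_HDR_LEN or frag_length > len(pdu):
        raise ValueError(f"frag_length {frag_length} inconsistent with {len(pdu)} bytes")
    alloc_hint, context_id, opnum = struct.unpack_from(endian + "IHH", pdu, COMMON_HDR_LEN)

    offset = REQUEST_HDR_LEN
    object_uuid = None
    if pfc_flags & PFC_OBJECT_UUID:
        # The object UUID exists on the wire only when this flag is set;
        # with the flag clear the stub data starts right after the opnum.
        if frag_length < offset + 16:
            raise ValueError("PFC_OBJECT_UUID set but fragment too short for a UUID")
        object_uuid = _uuid_from_wire(pdu[offset:offset + 16], endian)
        offset += 16

    # An auth trailer, when present, is an 8-byte sec_trailer plus auth_length bytes.
    stub_end = frag_length - (8 + auth_length if auth_length else 0)
    if stub_end < offset:
        raise ValueError("auth trailer overlaps the request header")
    return {
        "pfc_flags": pfc_flags,
        "call_id": call_id,
        "alloc_hint": alloc_hint,
        "context_id": context_id,
        "opnum": opnum,
        "object_uuid": object_uuid,
        "stub": pdu[offset:stub_end],
    }


def build_dcerpc_request(opnum: int, stub: bytes, object_uuid=None, call_id: int = 1) -> bytes:
    """Build a little-endian request PDU; PFC_OBJECT_UUID is set only if a UUID is given."""
    flags = PFC_FIRST_FRAG | PFC_LAST_FRAG
    body = b""
    if object_uuid is not None:
        flags |= PFC_OBJECT_UUID
        body += object_uuid.bytes_le
    body += stub
    frag_length = REQUEST_HDR_LEN + len(body)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags,
                         b"\x10\x00\x00\x00", frag_length, 0, call_id)
    header += struct.pack("<IHH", len(stub), 0, opnum)
    return header + body


# Constructed samples: the same call once with and once without the object UUID field.
SAMPLE_IPID = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder, not a real IPID
STUB = b"\x05\x00\x07\x00" + b"A" * 20                            # arbitrary stub bytes
PDU_WITH_IPID = build_dcerpc_request(4, STUB, SAMPLE_IPID)
PDU_WITHOUT_IPID = build_dcerpc_request(4, STUB)

if __name__ == "__main__":
    for name, pdu in (("with IPID", PDU_WITH_IPID), ("without IPID", PDU_WITHOUT_IPID)):
        info = parse_dcerpc_request(pdu)
        print(name, hex(info["pfc_flags"]), info["object_uuid"], len(info["stub"]))
```

The practical point for a dissector: the DCOM-level ORPCTHIS and the rest of the stub must be decoded from an offset that moves by 16 bytes depending on that one flag bit, so a packet with the bit clear is still a well-formed DCE/RPC request and simply carries no IPID in the header.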