☆ BOOTPARAMPROC_WHOAMI相关通信报文

攻击者调用远程过程BOOTPARAMPROC_WHOAMI，指定一个有效的client_address，那么
响应报文中将包含domain_name，这使得攻击者很容易获取NIS口令文件。

--------------------------------------------------------------------------
User Datagram Protocol, Src Port: 34062, Dst Port: 33866
Remote Procedure Call, Type:Call XID:0x0632c9a4
    XID: 0x632c9a4 (103991716)
    Message Type: Call (0)
    RPC Version: 2
    Program: BOOTPARAMS (100026)
    Program Version: 1
    Procedure: WHOAMI (1)
    Credentials
        Flavor: AUTH_NULL (0)
        Length: 0
    Verifier
        Flavor: AUTH_NULL (0)
        Length: 0
Boot Parameters
    Program Version: 1
    V1 Procedure: WHOAMI (1)
    Address Type: IPv4-ADDR (1)
    Client Address: 10.10.7.2 (10.10.7.2)

0020                                06 32 c9 a4 00 00             .2....
0030  00 00 00 00 00 02 00 01 86 ba 00 00 00 01 00 00   ................
0040  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 01 00 00 00 0a 00 00 00 0a 00 00   ................
0060  00 07 00 00 00 02                                 ......

User Datagram Protocol, Src Port: 33866, Dst Port: 34062
Remote Procedure Call, Type:Reply XID:0x0632c9a4
    XID: 0x632c9a4 (103991716)
    Message Type: Reply (1)
    Program: BOOTPARAMS (100026)
    Program Version: 1
    Procedure: WHOAMI (1)
    Reply State: accepted (0)
    Verifier
        Flavor: AUTH_NULL (0)
        Length: 0
    Accept State: RPC executed successfully (0)
Boot Parameters
    Program Version: 1
    V1 Procedure: WHOAMI (1)
    Client Host: scz
        length: 3
        contents: scz
        fill bytes: opaque data
    Client Domain: nonexist
        length: 8
        contents: nonexist
    Address Type: IPv4-ADDR (1)
    Router Address: 10.10.7.254 (10.10.7.254)

0020                                06 32 c9 a4 00 00             .2....
0030  00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 00 03 73 63 7a 00 00 00 00 08 6e 6f   ......scz.....no
0050  6e 65 78 69 73 74 00 00 00 01 00 00 00 0a 00 00   nexist..........
0060  00 0a 00 00 00 07 ff ff ff fe                     ..........
--------------------------------------------------------------------------

对照ONC/Sun RPC与DCE/MS RPC在序列化/反序列化时的异同，总的来说，精神实质是
相同的，细节处理上不同。ONC/Sun RPC老老实实地使用网络字节序，参看RFC 1057。

struct  ip_addr_t
{
    char    net;
    char    host;
    char    lh;
    char    impno;
};

Client Address、Router Address字段均是ip_addr_t型数据，每个char被序列化成4
个字节，由于char是有符号类型，在扩展时用符号位进行扩展，于是254被扩展成
0xFFFFFFFE。

const MAX_MACHINE_NAME  = 255;

typedef string  bp_machine_name_t<MAX_MACHINE_NAME>;

string类型被序列化成4字节长度域(length字段)加数据域(contents字段)。数据域
之后的字段要求对齐在四字节边界上，因此有可能出现fill bytes字段，这与DCE/MS
RPC类似。