Title: Some notes on 135/UDP

Explained using msgsvc.dll (5.0.2195.4874) from Chinese Windows 2000 as the example.

> net use \\10.10.7.44\ipc$ /user:Administrator
> ifids.exe -p ncacn_np -e \pipe\msgsvc -t 10.10.7.44
...
...
Interface UUID : 17fdd703-1827-4e34-79d4-24a55c53bb37 version 1.0
Interface UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
> ifids.exe -p ncadg_ip_udp -e 1027 -t 10.10.7.44
(same as above)

Two points to note. First, a null session has no access to \pipe\msgsvc, so I set up an Administrator session. Second, in your own test the endpoint will not necessarily be 1027/UDP; you need some other way to find the port number, for example by running netstat on the server, or by using a tool such as 135dump on the client.

Reversing this version of msgsvc.dll shows that it contains two interfaces at the same time:

--------------------------------------------------------------------------
uuid( 17fdd703-1827-4e34-79d4-24a55c53bb37 ), version( 1.0 )
/*
 * 0x00 0x76812A32 _NetrMessageNameAdd@8
 * 0x01 0x76813F2C _NetrMessageNameEnum@20
 * 0x02 0x7681416B _NetrMessageNameGetInfo@16
 * 0x03 0x768128F6 _NetrMessageNameDel@8
 */
--------------------------------------------------------------------------
uuid( 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc ), version( 1.0 )
/*
 * 0x00 0x76814725 _NetrSendMessage@12
 */
long NetrSendMessage
(
    [in,string] char *from,
    [in,string] char *to,
    [in,string] char *str
);
--------------------------------------------------------------------------

The leaked MS source code contains only the first interface, not the second. Here we are only interested in the second one. Testing the ncacn_np protocol sequence (1.cap):

--------------------------------------------------------------------------
Microsoft Messenger Service, NetrSendMessage
    Operation: NetrSendMessage (0)
    Server
        Max Count: 1
        Offset: 0
        Actual Count: 1
        Server:
    Client
        Max Count: 1
        Offset: 0
        Actual Count: 1
        Client:
    Message
        Max Count: 2
        Offset: 0
        Actual Count: 2
        Message: \r

00a0                   01 00 00 00 00 00 00 00 01 00         ..........
00b0  00 00 00 ff d0 11 01 00 00 00 00 00 00 00 01 00   ................
00c0  00 00 00 5d 88 8a 02 00 00 00 00 00 00 00 02 00   ...]............
00d0  00 00 0d 00                                       ....

Microsoft Messenger Service, NetrSendMessage
    Operation: NetrSendMessage (0)
    Return code: STATUS_SUCCESS (0x00000000)

0080  00 00 00 00                                       ....
--------------------------------------------------------------------------

Ethereal 0.10.14 decodes this traffic, but it gets the from/to relationship backwards. Testing the ncadg_ip_udp protocol sequence (2.cap):

--------------------------------------------------------------------------
No.  Len  Protocol   Src         Dst         SPort  DPort  Info
1    174  Messenger  10.10.7.2   10.10.7.44  3713   1027   NetrSendMessage request
2    142  UDP        10.10.7.44  10.10.7.2   2536   3713   Source port: 2536  Destination port: 3713
3    146  UDP        10.10.7.2   10.10.7.44  3713   2536   Source port: 3713  Destination port: 2536
4    122  DCERPC     10.10.7.44  10.10.7.2   2536   3713   Ack: seq: 0
5    126  Messenger  10.10.7.44  10.10.7.2   1027   3713   NetrSendMessage response
6    122  DCERPC     10.10.7.2   10.10.7.44  3713   1027   Ack: seq: 0 [req: #1]

Frame 1 (174 bytes on wire, 174 bytes captured)
Internet Protocol, Src: 10.10.7.2, Dst: 10.10.7.44
User Datagram Protocol, Src Port: 3713, Dst Port: 1027
DCE RPC Request, Seq: 0, Serial: 0, Frag: 0, FragLen: 52, [Resp: #5]
    Version: 4
    Packet type: Request (0)
    Flags1: 0x08 "No Fack"
        0... .... = Reserved: Not set
        .0.. .... = Broadcast: Not set
        ..0. .... = Idempotent: Not set
        ...0 .... = Maybe: Not set
        .... 1... = No Fack: Set
        .... .0.. = Fragment: Not set
        .... ..0. = Last Fragment: Not set
        .... ...0 = Reserved: Not set
    Flags2: 0x00
        0... .... = Reserved: Not set
        .0.. .... = Reserved: Not set
        ..0. .... = Reserved: Not set
        ...0 .... = Reserved: Not set
        .... 0... = Reserved: Not set
        .... .0.. = Reserved: Not set
        .... ..0. = Cancel Pending: Not set
        .... ...0 = Reserved: Not set
    Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE)
        Byte order: Little-endian (1)
        Character: ASCII (0)
        Floating-point: IEEE (0)
    Serial High: 0x00
    Object UUID: 00000000-0000-0000-0000-000000000000
    Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
    Activity: 71aadcbf-bb40-44d4-9632-87084702e1de
    Server boot time: Unknown (0)
    Interface Ver: 1
    Sequence num: 0
    Opnum: 0
    Interface Hint: 0xffff
    Activity Hint: 0xffff
    Fragment len: 52
    Fragment num: 0
    Auth proto: None (0)
    Serial Low: 0x00
    Response in frame: 5
Microsoft Messenger Service, NetrSendMessage
    Operation: NetrSendMessage (0)
    Server
        Max Count: 4
        Offset: 0
        Actual Count: 4
        Server: scz
    Client
        Max Count: 3
        Offset: 0
        Actual Count: 3
        Client: tt
    Message
        Max Count: 8
        Offset: 0
        Actual Count: 8
        Message: who r u

0020                                04 00 08 00 10 00               ......
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6   ....{Z........O.
0050  e6 fc bf dc aa 71 40 bb d4 44 96 32 87 08 47 02   .....q@..D.2..G.
0060  e1 de 00 00 00 00 01 00 00 00 00 00 00 00 00 00   ................
0070  ff ff ff ff 34 00 00 00 00 00 04 00 00 00 00 00   ....4...........
0080  00 00 04 00 00 00 73 63 7a 00 03 00 00 00 00 00   ......scz.......
0090  00 00 03 00 00 00 74 74 00 00 08 00 00 00 00 00   ......tt........
00a0  00 00 08 00 00 00 77 68 6f 20 72 20 75 00         ......who r u.

Frame 2 (142 bytes on wire, 142 bytes captured)
Internet Protocol, Src: 10.10.7.44, Dst: 10.10.7.2
User Datagram Protocol, Src Port: 2536, Dst Port: 3713
Data (100 bytes)

0020                                04 00 20 04 10 00               .. ...
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 76 22 3a 33 00 00 00 00 0d 00 00 80 9c 00   ..v":3..........
0050  00 00 68 ea 4f 76 92 a9 3c 45 8e 5f 91 b6 cb 19   ..h.Ov..
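As an added example (not part of the original post), here is a Python decoder for the datagram in frame 1 above: it unpacks the 80-byte connectionless DCE RPC (version 4) header and the three NDR [in,string] arguments in the 52-byte stub, naming them in the order of the IDL (from, to, str) rather than Ethereal's swapped Server/Client labels. The bytes are transcribed from the hex dump starting at offset 0x2a; the function and constant names are mine.

```python
import struct
import uuid

MSGSVC_SEND_IFACE = "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"   # NetrSendMessage interface (from the page)

# Constructed input: frame 1 of 2.cap from offset 0x2a (after Ethernet/IP/UDP),
# transcribed from the hex dump on the page: 80-byte CL-RPC header + 52-byte stub.
FRAME1_DCERPC = bytes.fromhex(
    "04 00 08 00 10 00 00 00 "                           # ver=4, ptype=0 (request), flags1=0x08, flags2, drep, serial_hi
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "   # object UUID (nil)
    "f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc "   # interface UUID (first three fields little-endian)
    "bf dc aa 71 40 bb d4 44 96 32 87 08 47 02 e1 de "   # activity UUID
    "00 00 00 00 01 00 00 00 00 00 00 00 00 00 "         # server boot, if_vers=1, seqnum=0, opnum=0
    "ff ff ff ff 34 00 00 00 00 00 "                     # ihint, ahint, frag len=52, fragnum, auth, serial_lo
    "04 00 00 00 00 00 00 00 04 00 00 00 73 63 7a 00 "   # from = "scz"
    "03 00 00 00 00 00 00 00 03 00 00 00 74 74 00 00 "   # to   = "tt" (+1 pad byte)
    "08 00 00 00 00 00 00 00 08 00 00 00 77 68 6f 20 72 20 75 00 "  # str = "who r u"
)

# Connectionless DCE RPC (version 4) packet header: always 80 bytes.
CL_HDR = struct.Struct("<BBBB3sB16s16s16sIIIHHHHHBB")

def ndr_string(buf, off):
    # One NDR conformant+varying [string] char*: max count, offset, actual count, data.
    _max_count, _offset, actual = struct.unpack_from("<III", buf, off)
    data = buf[off + 12:off + 12 + actual]
    off += 12 + ((actual + 3) & ~3)        # element data is padded to a 4-byte boundary
    return data.rstrip(b"\x00").decode("ascii"), off

def parse_netr_send_message(pkt):
    # Decode the CL-RPC header; if it is a NetrSendMessage request, decode its arguments too.
    (ver, ptype, flags1, _f2, drep, _shi, _obj, iface, act, _boot, if_vers, seq,
     opnum, _ih, _ah, frag_len, _fn, auth, _slo) = CL_HDR.unpack_from(pkt)
    if ver != 4 or ptype != 0:                      # ptype 0 = Request
        raise ValueError("not a CL-RPC request")
    if drep[0] >> 4 != 1:                           # high nibble 1 = little-endian integers
        raise ValueError("only little-endian NDR is handled here")
    stub = pkt[CL_HDR.size:]
    if len(stub) != frag_len:
        raise ValueError("fragment length does not match the payload")
    info = {"interface": str(uuid.UUID(bytes_le=iface)), "activity": str(uuid.UUID(bytes_le=act)),
            "if_vers": if_vers, "seqnum": seq, "opnum": opnum,
            "no_fack": bool(flags1 & 0x08), "auth_proto": auth}
    if info["interface"] == MSGSVC_SEND_IFACE and opnum == 0:
        off = 0
        for name in ("from", "to", "message"):   # IDL order; Ethereal labels the first two Server/Client
            info[name], off = ndr_string(stub, off)
    return info
```

Running the decoder over the frame yields the same values Ethereal shows, which makes it a convenient basis for matching NetrSendMessage datagrams on the ncadg_ip_udp endpoint in a capture.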