TIMELINE:
4w) Porting relevant exploit/dos modules from the Metasploit framework to NSE.
    NOTE: Be careful with the licensing. If suspicious, reverse the payload from Wireshark...OpenVAS style :)
5w) Making a parser for IDL files that will generate LUA client stubs. I will make use of PIDL to generate a simpler-to-parse internal representation of ".idl"s, called ".pidl". This process involves programming the parser (probably), making the LUA stubs and testing them all.
    NOTE: Possible code redesign which will take some time and some hard work. But all in the purpose of making a good and stable NSE msrpc code base. If such a redesign is in order, then lots of Ron's scripts will need changing.
rest) Making other useful enumeration scripts. The most important script would be smb-epmmap, which lists the registered interfaces (Endpoint Mapper). Such a script would discover services waiting on ports that nmap failed to map (a service is given a random port when registering with epmmap).
NOTE: The greatest code change will come with the second phase in the timeline. It's probably crucial, as it will expand NSE to access MSRPC services not only across SMB pipes but also directly over TCP/IP.

1) MS06_025:
   -- figure out the NDR translation of the SubmitRequest() IDL definition.+
   -- demystify why I can't get any meaningful result from RASRPC procedures.+
   -- once tested and discussed on nmap-dev, MERGE the code with smb-check-vulns, msrpc.lua and msrpctypes.lua.
2) Another simple RRAS DoS -- max 1 day of work
3) MS07_029 check.
   -- managed to crash the service using Query and Query2.

TODO:
   -- finish the ms07-029 and ms06-025 checks and merge them into smb-check-vulns

NOTE: It seems msrpctypes.lua needs some work. I don't know what Ron's reference was while implementing the lib, but looking at the Open Group specification one can notice that msrpctypes lacks support for various pointer types and structure packing. Likely I will find other types not implemented at all, or at least not implemented accurately.
That's a big issue in my opinion. NDR packing is the base for the MSRPC mechanism and it must be implemented by following the official specification...which is very hard. From design issues to vagueness in the algorithm descriptions, there is a palette of things to be scared of. RPC is a complicated protocol, so when implementing it we must make sure that our base is conformant to the specification and is well designed for expansion and for automatic generation of RPC code. Why am I writing all this down? Well, because IMHO the primary goal of this project is to make an IDL parser which will generate RPC stubs for a given RPC service. I have an idea that could lead to the solution, and that idea involves mimicking the steps that the SAMBA developers took while implementing MSRPC. I already crawled across the part of the SAMBA code base that deals with NDR packing and understood the logic behind it. My greatest fear is that these changes are really big, and would have a heavy impact on the RPC scripts, as they would need auditing. For now the important thing is to implement these scripts for various vulnerabilities, which means that they could be reimplemented really quickly. Also, making enumeration scripts is really important, as it provides me with better knowledge of RPC, which in return will result in better code design (IDL parser).

TASKS:
[1] msrpctypes auditing
    -- detailed report on both the lib and the scripts that use it.
    -- test them on MIDL_BENCH.
    -- compile an NDR document
[2] MIDL_BENCH
    -- make a stable testing environment.
    -- used for testing NDR marshalling.
    -- document it.
[3] MSF sploits
    -- ms06-025, ms07-029
[4] RPC enums
    -- epmmapper
[5] LIDL
[6] msrpc
    -- improve play
    -- add NCAN_TCP_IP transport

DONE:
1) ms06-025
2) ms07-029
3) MIDL_BENCH is stable; added the DRAZEN_SVC project, which is used for various RPC testing, mainly for NDR packing and unpacking and LIDL.
4) Made a "cli-drazen-svc.nse" script which is used for communicating with DRAZEN_SVC.
   That will be the "ndr.lua" testing client.
NOTE: A hyper doesn't fit in a Lua number; return it as a {lo,hi} pair.
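To make the NDR points above concrete (natural alignment of fields, i.e. structure packing, [unique] pointers as a referent id with the referent written after the inline fields, and a hyper carried as {lo,hi} because a Lua number is a double), here is an added example. It is not nmap's msrpctypes.lua and not the author's ndr.lua; it assumes plain Lua 5.1, little-endian NDR as seen on SMB pipes, and a constructed `sample` struct that is not a real MSRPC type. The referent id values are an arbitrary choice.

```lua
-- Added example, not nmap's msrpctypes.lua: a minimal NDR marshaller in
-- plain Lua 5.1. It shows natural alignment (structure packing), [unique]
-- pointers as an inline referent id with the referent deferred, and hyper
-- carried as {lo, hi} because a Lua number is a double. Little-endian NDR.
local ndr = {}

-- Little-endian pack/unpack on plain Lua numbers (no bit library needed).
local function le_pack(v, size)
  local out = {}
  for i = 1, size do out[i] = string.char(v % 256); v = math.floor(v / 256) end
  return table.concat(out)
end

local function le_unpack(s, pos, size)
  local v = 0
  for i = size, 1, -1 do v = v * 256 + s:byte(pos + i - 1) end
  return v, pos + size
end

-- Writer: NDR aligns a primitive of size n to an n-byte boundary counted
-- from the start of the stub data; padding bytes are zero.
local Writer = {}
Writer.__index = Writer
function ndr.writer() return setmetatable({ data = "", deferred = {} }, Writer) end
function Writer:align(n)
  local rem = #self.data % n
  if rem ~= 0 then self.data = self.data .. string.rep("\0", n - rem) end
end
function Writer:uint8(v)  self.data = self.data .. le_pack(v, 1) end
function Writer:uint32(v) self:align(4); self.data = self.data .. le_pack(v, 4) end

-- hyper: 8-byte aligned, low 32 bits on the wire first; value is {lo=, hi=}.
function Writer:hyper(h)
  self:align(8)
  self.data = self.data .. le_pack(h.lo, 4) .. le_pack(h.hi, 4)
end

-- [unique] pointer: a 4-byte referent id (0 for NULL) goes inline; the
-- referent is queued and emitted after the enclosing structure's fields.
-- Any non-zero id is legal on the wire; the start value here is arbitrary.
function Writer:unique_ptr(value, marshal_fn)
  if value == nil then self:uint32(0); return end
  self:uint32(0x20000 + #self.deferred * 4)
  self.deferred[#self.deferred + 1] = { value = value, fn = marshal_fn }
end
function Writer:flush_deferred()
  local queue = self.deferred
  self.deferred = {}
  for _, d in ipairs(queue) do d.fn(self, d.value) end
end

-- Reader: mirrors the writer, skipping the same padding.
local Reader = {}
Reader.__index = Reader
function ndr.reader(data) return setmetatable({ data = data, pos = 1 }, Reader) end
function Reader:align(n)
  local rem = (self.pos - 1) % n
  if rem ~= 0 then self.pos = self.pos + (n - rem) end
end
function Reader:read(size)
  self:align(size)
  local v
  v, self.pos = le_unpack(self.data, self.pos, size)
  return v
end
function Reader:uint8()  return self:read(1) end
function Reader:uint32() return self:read(4) end
function Reader:hyper()
  self:align(8)
  local lo = self:read(4)
  local hi = self:read(4)
  return { lo = lo, hi = hi }
end
-- Returns the referent id; non-zero means the referent follows the inline
-- fields, in the order the pointers appeared.
function Reader:unique_ptr() return self:uint32() end

-- Constructed sample struct (not a real MSRPC type):
--   struct sample { uint8 flags; uint32 count; hyper id; [unique] uint32 *extra; }
-- Wire layout: flags@0, 3 pad bytes, count@4, id@8..15, referent id@16,
-- then the deferred *extra@20 when the pointer is non-NULL (24 bytes total).
function ndr.marshal_sample(s)
  local w = ndr.writer()
  w:uint8(s.flags)
  w:uint32(s.count)
  w:hyper(s.id)
  w:unique_ptr(s.extra, function(wr, v) wr:uint32(v) end)
  w:flush_deferred()
  return w.data
end
function ndr.unmarshal_sample(data)
  local r = ndr.reader(data)
  local s = { flags = r:uint8() }
  s.count = r:uint32()
  s.id = r:hyper()
  if r:unique_ptr() ~= 0 then s.extra = r:uint32() end
  return s
end

-- Round trip: a hyper with both halves set comes back intact as {lo, hi}.
local wire = ndr.marshal_sample({ flags = 1, count = 7, id = { lo = 0xdeadbeef, hi = 1 }, extra = 42 })
local back = ndr.unmarshal_sample(wire)
assert(#wire == 24 and back.id.lo == 0xdeadbeef and back.id.hi == 1 and back.extra == 42)
```

The padding the writer inserts between `flags` and `count`, and the 8-byte boundary before the hyper, are exactly the structure-packing behaviour the note says msrpctypes.lua lacks; a stub that omits them produces a buffer the server's NDR unmarshaller rejects or misreads, which is the kind of problem MIDL_BENCH and DRAZEN_SVC are meant to catch before a script ships.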