Ethereal-dev: [Ethereal-dev] a problem with dcom protocol

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Asia Slowinska <asia.slowinska@xxxxxxxxx>
Date: Sat, 14 Jan 2006 22:04:04 +0100
Hello,

I've got a network packet, which is for sure a dcom packet, since it
contains a dcom attack (exploit of the rpc dcom buffer overflow
vulnerability). This is the message sent over the TCP protocol.

I need to dissect this. Dissecting ORPCTHIS gives reasonable results,
but... The DCOM/1.0 specification says that the object id field of the
DCE RPC header must contain the IPID. While my packet does not contain
the object id field at all. It has the appropriate flag of dce rpc
header set to zero. Does anyone maybe have an idea what such a packet
could
mean and how could be understood by the dcom? The specification does
not cover it.

Thanks in advance for any hints.
(The specification I have is "Distributed Component Object Model
Protocol -- DCOM/1.0", January 1998.)

Kindest regards,
asia