dcerpc: add support for http-v1 legacy connect

oiweiwei · oiweiwei · commit b344b831427c · 2025-10-13T20:29:44.000+02:00
diff --git a/dcerpc/binding.go b/dcerpc/binding.go
@@ -437,7 +437,7 @@ func ParseStringBinding(s string) (*StringBinding, error) {
 			url.Endpoint, url.Extra = "", extras
 		}
 		switch url.ProtocolSequence {
-		case ProtocolSequenceIPTCP:
+		case ProtocolSequenceIPTCP, ProtocolSequenceHTTP:
 			// parse the port number.
 			if _, err := strconv.ParseUint(url.Endpoint, 10, 16); err != nil {
 				url.Endpoint, url.Extra = "", extras
diff --git a/dcerpc/conn.go b/dcerpc/conn.go
@@ -420,6 +420,48 @@ func (t *conn) dialConn(ctx context.Context, binding StringBinding) (RawConn, er
 
 		return conn, nil
 
+	case ProtocolSequenceHTTP:
+
+		addr := net.JoinHostPort(binding.NetworkAddress, binding.Endpoint)
+
+		if binding.NetworkAddress == "" || binding.NetworkAddress == "0.0.0.0" {
+			addr = net.JoinHostPort(t.serverAddr, binding.Endpoint)
+		}
+
+		t.logger.Debug().Msgf("dialing http (v1) %s", addr)
+
+		var (
+			conn RawConn
+			err  error
+		)
+
+		if t.settings.Dialer != nil {
+			if conn, err = t.settings.Dialer.DialContext(ctx, "tcp", addr); err != nil {
+				return nil, fmt.Errorf("ncacn_http: custom dialer: %w", err)
+			}
+		} else {
+			if conn, err = net.DialTimeout("tcp", addr, t.settings.Timeout); err != nil {
+				return nil, fmt.Errorf("ncacn_http: %w", err)
+			}
+		}
+
+		tmp := make([]byte, 1024)
+
+		n, err := conn.Read(tmp)
+		if err != nil {
+			conn.Close()
+			return nil, fmt.Errorf("ncacn_http: read http response: %w", err)
+		}
+
+		if string(tmp[:n]) != "ncacn_http/1.0" {
+			conn.Close()
+			return nil, fmt.Errorf("ncacn_http: invalid http response, expected 'ncacn_http/1.0', got '%s'", string(tmp[:n]))
+		}
+
+		t.logger.Debug().Msgf("dialing http %s done", addr)
+
+		return conn, nil
+
 	case ProtocolSequenceNamedPipe:
 
 		t.logger.Debug().Msgf("dialing smb named pipe %s:%d:%s\\%s",
diff --git a/msrpc/well_known/data/well_known_endpoints.tsv b/msrpc/well_known/data/well_known_endpoints.tsv
@@ -325,7 +325,7 @@ F120A684-B926-447F-9DF4-C966CB785648	MS-RAI	Remote Assistance Initiation Protoco
 811109BF-A4E1-11D1-AB54-00A0C91E9B45	MS-RAIW	Remote Administrative Interface: WINS	winsif2	v1.0	ncacn_np:WinsPipe
 45F52C28-7F9F-101A-B52B-08002B2EFABE	MS-RAIW	Remote Administrative Interface: WINS	winsif	v1.0	ncacn_np:WinsPipe
 A35AF600-9CF4-11CD-A076-08002B2BD711	MS-RDPESC	Remote Desktop Protocol: Smart Card Virtual Channel Extension	TypeScardPack	v1.0	
-E1AF8308-5D1F-11C9-91A4-08002B14A0FA	MS-RPCE	Endpoint Mapper Protocol	EndpointMapper	v3.0	ncacn_ip_tcp:135 ncacn_np:epmapper
+E1AF8308-5D1F-11C9-91A4-08002B14A0FA	MS-RPCE	Endpoint Mapper Protocol	EndpointMapper	v3.0	ncacn_ip_tcp:135 ncacn_np:epmapper ncacn_http:593
 AFA8BD80-7D8A-11C9-BEF4-08002B102989	MS-RPCE	Remote Management Protocol	RemoteManagement	v1.0	ncacn_ip_tcp:135
 71710533-BEBA-4937-8319-B5DBEF9CCC36	MS-RPCE	Transfer Syntax NDR64	TransferNDR64	v1.0	
 8A885D04-1CEB-11C9-9FE8-08002B104860	MS-RPCE	Transfer Syntax NDR	TransferNDR	v2.0	
@@ -762,3 +762,21 @@ E60C73E6-88F9-11CF-9AF1-0020AF6E72F4	RPCSS	Local Object Exporter Service	ILocalO
 0B0A6584-9E0F-11CF-A3CF-00805F68CB1B	RPCSS	Local Endpoint Mapper	localepmp	v1.1	
 1D55B526-C137-46C5-AB79-638F2A68E869	RPCSS	Dbgidl	Dbgidl	v1.0	
 64FE0B7F-9EF5-4553-A7DB-9A1975777554	RPCSS	Fwidl	Fwidl	v1.0	
+4F32ADC8-6052-4A04-8701-293CCF2096F0	MS-DLL	sspisrv.dll: LSA SSPI RPC interface	sspirpc	v1.0	
+D25576E4-00D2-43F7-98F9-B4C0724158F9	MS-DLL	lsasrv.dll: LSA Server 	lsasrv	v1.0	
+00000134-0000-0000-C000-000000000046	MS-DCOM	The OID Rundown Interface	IRundown	v0.0	
+18F70770-8E64-11CF-9AF1-0020AF6E72F4	MS-DCOM	combase.dll: Microsoft COM for Windows	combase	v0.0	
+A2C45F7C-7D32-46AD-96F5-ADAFB486BE74	MS-DLL	Sens.dll: System Event Notification Service (SENS)	servicechannel	v1.0	
+93149CA2-973B-11D1-8C39-00C04FB984F9	MS-DLL	SceSvc	SceSvc	v0.0	
+F50A28CF-5C9C-4F7E-9D80-E25E16E18C59	MS-WMI	Internal_IWbemServices	Internal_IWbemServices	v0.0	
+1BE41572-91DD-11D1-AEB2-00C04FB68820	MS-WMI	IWbemProviderInit	IWbemProviderInit	v0.0	
+6919DD07-1637-4611-A8A7-C16FAC5B2D53	MS-WMI	Internal_IWbemProviderInit	Internal_IWbemProviderInit	v0.0	
+FEC1B0AC-5808-4033-A915-C0185934581E	MS-WMI	_IWmiProviderSite	_IWmiProviderSite	v0.0	
+E245105B-B06E-11D0-AD61-00C04FD8FDFF	MS-WMI	IWbemEventProvider	IWbemEventProvider	v0.0	
+FD450835-CF1B-4C87-9FD2-5E0D42FDE081	MS-WMI	Internal_IWbemEventProvider	Internal_IWbemEventProvider	v0.0	
+580ACAF8-FA1C-11D0-AD72-00C04FD8FDFF	MS-WMI	IWbemEventProviderQuerySink	IWbemEventProviderQuerySink	v0.0	
+8A0DC377-A9D3-41CB-BD69-AE1FDAF2DC68	MS-WMI	Internal_IWbemEventProviderQuerySink	Internal_IWbemEventProviderQuerySink	v0.0	
+631F7D96-D993-11D2-B339-00105A1F4AAF	MS-WMI	IWbemEventProviderSecurity	IWbemEventProviderSecurity	v0.0	
+DF2373F5-EFB2-475C-AD58-3102D61967D4	MS-WMI	Internal_IWbemEventProviderSecurity	Internal_IWbemEventProviderSecurity	v0.0	
+00000132-0000-0000-C000-000000000046	MS-DCOM	ILocalSystemActivator	ILocalSystemActivator	v0.0	
+2A82BB21-E44F-4791-9AA1-DFAE788E2F43	MS-DLL	UBPM.dll: Unified Background Process Manager	UBPM	v1.0	
diff --git a/msrpc/well_known/well_known_endpoints.go b/msrpc/well_known/well_known_endpoints.go
@@ -769,6 +769,24 @@ var (
 	RPCSSLocalepmp                                    = uuid.UUID{TimeLow: 0xb0a6584, TimeMid: 0x9e0f, TimeHiAndVersion: 0x11cf, ClockSeqHiAndReserved: 0xa3, ClockSeqLow: 0xcf, Node: [6]uint8{0x0, 0x80, 0x5f, 0x68, 0xcb, 0x1b}}
 	RPCSSDbgidl                                       = uuid.UUID{TimeLow: 0x1d55b526, TimeMid: 0xc137, TimeHiAndVersion: 0x46c5, ClockSeqHiAndReserved: 0xab, ClockSeqLow: 0x79, Node: [6]uint8{0x63, 0x8f, 0x2a, 0x68, 0xe8, 0x69}}
 	RPCSSFwidl                                        = uuid.UUID{TimeLow: 0x64fe0b7f, TimeMid: 0x9ef5, TimeHiAndVersion: 0x4553, ClockSeqHiAndReserved: 0xa7, ClockSeqLow: 0xdb, Node: [6]uint8{0x9a, 0x19, 0x75, 0x77, 0x75, 0x54}}
+	MSDLLSspirpc                                      = uuid.UUID{TimeLow: 0x4f32adc8, TimeMid: 0x6052, TimeHiAndVersion: 0x4a04, ClockSeqHiAndReserved: 0x87, ClockSeqLow: 0x1, Node: [6]uint8{0x29, 0x3c, 0xcf, 0x20, 0x96, 0xf0}}
+	MSDLLLsasrv                                       = uuid.UUID{TimeLow: 0xd25576e4, TimeMid: 0xd2, TimeHiAndVersion: 0x43f7, ClockSeqHiAndReserved: 0x98, ClockSeqLow: 0xf9, Node: [6]uint8{0xb4, 0xc0, 0x72, 0x41, 0x58, 0xf9}}
+	MSDCOMIRundown                                    = uuid.UUID{TimeLow: 0x134, TimeMid: 0x0, TimeHiAndVersion: 0x0, ClockSeqHiAndReserved: 0xc0, ClockSeqLow: 0x0, Node: [6]uint8{0x0, 0x0, 0x0, 0x0, 0x0, 0x46}}
+	MSDCOMCombase                                     = uuid.UUID{TimeLow: 0x18f70770, TimeMid: 0x8e64, TimeHiAndVersion: 0x11cf, ClockSeqHiAndReserved: 0x9a, ClockSeqLow: 0xf1, Node: [6]uint8{0x0, 0x20, 0xaf, 0x6e, 0x72, 0xf4}}
+	MSDLLServicechannel                               = uuid.UUID{TimeLow: 0xa2c45f7c, TimeMid: 0x7d32, TimeHiAndVersion: 0x46ad, ClockSeqHiAndReserved: 0x96, ClockSeqLow: 0xf5, Node: [6]uint8{0xad, 0xaf, 0xb4, 0x86, 0xbe, 0x74}}
+	MSDLLSceSvc                                       = uuid.UUID{TimeLow: 0x93149ca2, TimeMid: 0x973b, TimeHiAndVersion: 0x11d1, ClockSeqHiAndReserved: 0x8c, ClockSeqLow: 0x39, Node: [6]uint8{0x0, 0xc0, 0x4f, 0xb9, 0x84, 0xf9}}
+	MSWMIInternal_IWbemServices                       = uuid.UUID{TimeLow: 0xf50a28cf, TimeMid: 0x5c9c, TimeHiAndVersion: 0x4f7e, ClockSeqHiAndReserved: 0x9d, ClockSeqLow: 0x80, Node: [6]uint8{0xe2, 0x5e, 0x16, 0xe1, 0x8c, 0x59}}
+	MSWMIIWbemProviderInit                            = uuid.UUID{TimeLow: 0x1be41572, TimeMid: 0x91dd, TimeHiAndVersion: 0x11d1, ClockSeqHiAndReserved: 0xae, ClockSeqLow: 0xb2, Node: [6]uint8{0x0, 0xc0, 0x4f, 0xb6, 0x88, 0x20}}
+	MSWMIInternal_IWbemProviderInit                   = uuid.UUID{TimeLow: 0x6919dd07, TimeMid: 0x1637, TimeHiAndVersion: 0x4611, ClockSeqHiAndReserved: 0xa8, ClockSeqLow: 0xa7, Node: [6]uint8{0xc1, 0x6f, 0xac, 0x5b, 0x2d, 0x53}}
+	MSWMI_IWmiProviderSite                            = uuid.UUID{TimeLow: 0xfec1b0ac, TimeMid: 0x5808, TimeHiAndVersion: 0x4033, ClockSeqHiAndReserved: 0xa9, ClockSeqLow: 0x15, Node: [6]uint8{0xc0, 0x18, 0x59, 0x34, 0x58, 0x1e}}
+	MSWMIIWbemEventProvider                           = uuid.UUID{TimeLow: 0xe245105b, TimeMid: 0xb06e, TimeHiAndVersion: 0x11d0, ClockSeqHiAndReserved: 0xad, ClockSeqLow: 0x61, Node: [6]uint8{0x0, 0xc0, 0x4f, 0xd8, 0xfd, 0xff}}
+	MSWMIInternal_IWbemEventProvider                  = uuid.UUID{TimeLow: 0xfd450835, TimeMid: 0xcf1b, TimeHiAndVersion: 0x4c87, ClockSeqHiAndReserved: 0x9f, ClockSeqLow: 0xd2, Node: [6]uint8{0x5e, 0xd, 0x42, 0xfd, 0xe0, 0x81}}
+	MSWMIIWbemEventProviderQuerySink                  = uuid.UUID{TimeLow: 0x580acaf8, TimeMid: 0xfa1c, TimeHiAndVersion: 0x11d0, ClockSeqHiAndReserved: 0xad, ClockSeqLow: 0x72, Node: [6]uint8{0x0, 0xc0, 0x4f, 0xd8, 0xfd, 0xff}}
+	MSWMIInternal_IWbemEventProviderQuerySink         = uuid.UUID{TimeLow: 0x8a0dc377, TimeMid: 0xa9d3, TimeHiAndVersion: 0x41cb, ClockSeqHiAndReserved: 0xbd, ClockSeqLow: 0x69, Node: [6]uint8{0xae, 0x1f, 0xda, 0xf2, 0xdc, 0x68}}
+	MSWMIIWbemEventProviderSecurity                   = uuid.UUID{TimeLow: 0x631f7d96, TimeMid: 0xd993, TimeHiAndVersion: 0x11d2, ClockSeqHiAndReserved: 0xb3, ClockSeqLow: 0x39, Node: [6]uint8{0x0, 0x10, 0x5a, 0x1f, 0x4a, 0xaf}}
+	MSWMIInternal_IWbemEventProviderSecurity          = uuid.UUID{TimeLow: 0xdf2373f5, TimeMid: 0xefb2, TimeHiAndVersion: 0x475c, ClockSeqHiAndReserved: 0xad, ClockSeqLow: 0x58, Node: [6]uint8{0x31, 0x2, 0xd6, 0x19, 0x67, 0xd4}}
+	MSDCOMILocalSystemActivator                       = uuid.UUID{TimeLow: 0x132, TimeMid: 0x0, TimeHiAndVersion: 0x0, ClockSeqHiAndReserved: 0xc0, ClockSeqLow: 0x0, Node: [6]uint8{0x0, 0x0, 0x0, 0x0, 0x0, 0x46}}
+	MSDLLUBPM                                         = uuid.UUID{TimeLow: 0x2a82bb21, TimeMid: 0xe44f, TimeHiAndVersion: 0x4791, ClockSeqHiAndReserved: 0x9a, ClockSeqLow: 0xa1, Node: [6]uint8{0xdf, 0xae, 0x78, 0x8e, 0x2f, 0x43}}
 )
 
 type UUID uuid.UUID
@@ -2303,6 +2321,42 @@ func (u UUID) Describe() string {
 		return "RPCSS: Dbgidl: Dbgidl"
 	case RPCSSFwidl:
 		return "RPCSS: Fwidl: Fwidl"
+	case MSDLLSspirpc:
+		return "MS-DLL: sspisrv.dll: LSA SSPI RPC interface: sspirpc"
+	case MSDLLLsasrv:
+		return "MS-DLL: lsasrv.dll: LSA Server : lsasrv"
+	case MSDCOMIRundown:
+		return "MS-DCOM: The OID Rundown Interface: IRundown"
+	case MSDCOMCombase:
+		return "MS-DCOM: combase.dll: Microsoft COM for Windows: combase"
+	case MSDLLServicechannel:
+		return "MS-DLL: Sens.dll: System Event Notification Service (SENS): servicechannel"
+	case MSDLLSceSvc:
+		return "MS-DLL: SceSvc: SceSvc"
+	case MSWMIInternal_IWbemServices:
+		return "MS-WMI: Internal_IWbemServices: Internal_IWbemServices"
+	case MSWMIIWbemProviderInit:
+		return "MS-WMI: IWbemProviderInit: IWbemProviderInit"
+	case MSWMIInternal_IWbemProviderInit:
+		return "MS-WMI: Internal_IWbemProviderInit: Internal_IWbemProviderInit"
+	case MSWMI_IWmiProviderSite:
+		return "MS-WMI: _IWmiProviderSite: _IWmiProviderSite"
+	case MSWMIIWbemEventProvider:
+		return "MS-WMI: IWbemEventProvider: IWbemEventProvider"
+	case MSWMIInternal_IWbemEventProvider:
+		return "MS-WMI: Internal_IWbemEventProvider: Internal_IWbemEventProvider"
+	case MSWMIIWbemEventProviderQuerySink:
+		return "MS-WMI: IWbemEventProviderQuerySink: IWbemEventProviderQuerySink"
+	case MSWMIInternal_IWbemEventProviderQuerySink:
+		return "MS-WMI: Internal_IWbemEventProviderQuerySink: Internal_IWbemEventProviderQuerySink"
+	case MSWMIIWbemEventProviderSecurity:
+		return "MS-WMI: IWbemEventProviderSecurity: IWbemEventProviderSecurity"
+	case MSWMIInternal_IWbemEventProviderSecurity:
+		return "MS-WMI: Internal_IWbemEventProviderSecurity: Internal_IWbemEventProviderSecurity"
+	case MSDCOMILocalSystemActivator:
+		return "MS-DCOM: ILocalSystemActivator: ILocalSystemActivator"
+	case MSDLLUBPM:
+		return "MS-DLL: UBPM.dll: Unified Background Process Manager: UBPM"
 	}
 	return ""
 }
@@ -2362,7 +2416,7 @@ func (u UUID) WellKnownEndpoint() []string {
 	case MSRAIWWinsif:
 		return []string{"ncacn_np:WinsPipe"}
 	case MSRPCEEndpointMapper:
-		return []string{"ncacn_ip_tcp:135", "ncacn_np:epmapper"}
+		return []string{"ncacn_ip_tcp:135", "ncacn_np:epmapper", "ncacn_http:593"}
 	case MSRPCERemoteManagement:
 		return []string{"ncacn_ip_tcp:135"}
 	case MSRPCLLocToLoc:
@@ -3956,6 +4010,42 @@ func (u UUID) Name() string {
 		return "Dbgidl"
 	case RPCSSFwidl:
 		return "Fwidl"
+	case MSDLLSspirpc:
+		return "sspirpc"
+	case MSDLLLsasrv:
+		return "lsasrv"
+	case MSDCOMIRundown:
+		return "IRundown"
+	case MSDCOMCombase:
+		return "combase"
+	case MSDLLServicechannel:
+		return "servicechannel"
+	case MSDLLSceSvc:
+		return "SceSvc"
+	case MSWMIInternal_IWbemServices:
+		return "Internal_IWbemServices"
+	case MSWMIIWbemProviderInit:
+		return "IWbemProviderInit"
+	case MSWMIInternal_IWbemProviderInit:
+		return "Internal_IWbemProviderInit"
+	case MSWMI_IWmiProviderSite:
+		return "_IWmiProviderSite"
+	case MSWMIIWbemEventProvider:
+		return "IWbemEventProvider"
+	case MSWMIInternal_IWbemEventProvider:
+		return "Internal_IWbemEventProvider"
+	case MSWMIIWbemEventProviderQuerySink:
+		return "IWbemEventProviderQuerySink"
+	case MSWMIInternal_IWbemEventProviderQuerySink:
+		return "Internal_IWbemEventProviderQuerySink"
+	case MSWMIIWbemEventProviderSecurity:
+		return "IWbemEventProviderSecurity"
+	case MSWMIInternal_IWbemEventProviderSecurity:
+		return "Internal_IWbemEventProviderSecurity"
+	case MSDCOMILocalSystemActivator:
+		return "ILocalSystemActivator"
+	case MSDLLUBPM:
+		return "UBPM"
 	}
 	return ""
 }

Original file line number	Diff line number	Diff line change
`@@ -437,7 +437,7 @@ func ParseStringBinding(s string) (*StringBinding, error) {`
`437`	`437`	`url.Endpoint, url.Extra = "", extras`
`438`	`438`	`}`
`439`	`439`	`switch url.ProtocolSequence {`
`440`		`- case ProtocolSequenceIPTCP:`
	`440`	`+ case ProtocolSequenceIPTCP, ProtocolSequenceHTTP:`
`441`	`441`	`// parse the port number.`
`442`	`442`	`if _, err := strconv.ParseUint(url.Endpoint, 10, 16); err != nil {`
`443`	`443`	`url.Endpoint, url.Extra = "", extras`