DCE/RPC: respect the association group for call_id

gpotter2 · gpotter2 · commit 662a27c129fc · 2026-03-11T12:55:20.000+01:00
diff --git a/scapy/layers/dcerpc.py b/scapy/layers/dcerpc.py
@@ -180,6 +180,8 @@
 }
 DCE_RPC_INTERFACES_NAMES = {}
 DCE_RPC_INTERFACES_NAMES_rev = {}
+COM_INTERFACES_NAMES = {}
+COM_INTERFACES_NAMES_rev = {}
 
 
 class DCERPC_Transport(IntEnum):
@@ -1350,6 +1352,8 @@ def register_com_interface(name, uuid, opnums):
     # bind for build
     for opnum, operations in opnums.items():
         bind_top_down(DceRpc5Request, operations.request, opnum=opnum)
+    COM_INTERFACES_NAMES[uuid] = name
+    COM_INTERFACES_NAMES_rev[name.lower()] = uuid
 
 
 def find_com_interface(name) -> ComInterface:
@@ -2824,6 +2828,7 @@ def __init__(self, *args, **kwargs):
         self.sent_cont_ids = []
         self.cont_id = 0  # Currently selected context
         self.auth_context_id = 0  # Currently selected authentication context
+        self.assoc_group_id = 0  # Currently selected association group
         self.map_callid_opnum = {}
         self.frags = collections.defaultdict(lambda: b"")
         self.sniffsspcontexts = {}  # Unfinished contexts for passive
@@ -2869,6 +2874,8 @@ def _up_pkt(self, pkt):
                     finally:
                         self.sent_cont_ids = []
 
+                    self.assoc_group_id = pkt.assoc_group_id
+
                     # Endianness
                     self.ndrendian = {0: "big", 1: "little"}[pkt[DceRpc5].endian]
 
@@ -2878,18 +2885,20 @@ def _up_pkt(self, pkt):
         elif DceRpc5Request in pkt:
             # request => match opnum with callID
             opnum = pkt.opnum
+            uid = (self.assoc_group_id, pkt.call_id)
             if self.rpc_bind_is_com:
-                self.map_callid_opnum[pkt.call_id] = (
+                self.map_callid_opnum[uid] = (
                     opnum,
                     pkt[DceRpc5Request].payload.payload,
                 )
             else:
-                self.map_callid_opnum[pkt.call_id] = opnum, pkt[DceRpc5Request].payload
+                self.map_callid_opnum[uid] = opnum, pkt[DceRpc5Request].payload
         elif DceRpc5Response in pkt:
             # response => get opnum from table
+            uid = (self.assoc_group_id, pkt.call_id)
             try:
-                opnum, opts["request_packet"] = self.map_callid_opnum[pkt.call_id]
-                del self.map_callid_opnum[pkt.call_id]
+                opnum, opts["request_packet"] = self.map_callid_opnum[uid]
+                del self.map_callid_opnum[uid]
             except KeyError:
                 log_runtime.info("Unknown call_id %s in DCE/RPC session" % pkt.call_id)
         # Bind / Alter request/response specific
@@ -2912,7 +2921,7 @@ def _defragment(self, pkt, body=None):
         """
         Function to defragment DCE/RPC packets.
         """
-        uid = pkt.call_id
+        uid = (self.assoc_group_id, pkt.call_id)
         if pkt.pfc_flags.PFC_FIRST_FRAG and pkt.pfc_flags.PFC_LAST_FRAG:
             # Not fragmented
             return body
diff --git a/scapy/layers/msrpce/msdcom.py b/scapy/layers/msrpce/msdcom.py
@@ -30,13 +30,16 @@
     PadField,
     StrLenField,
     StrNullFieldUtf16,
+    UUIDEnumField,
     UUIDField,
     XShortField,
     XStrFixedLenField,
 )
 from scapy.volatile import RandUUID
 
 from scapy.layers.dcerpc import (
+    COM_INTERFACES_NAMES_rev,
+    COM_INTERFACES_NAMES,
     ComInterface,
     DCE_C_AUTHN_LEVEL,
     DCE_RPC_PROTOCOL_IDENTIFIERS,
@@ -445,7 +448,15 @@ class OBJREF(Packet):
     fields_desc = [
         XStrFixedLenField("signature", b"MEOW", length=4),  # :3
         LEIntField("flags", 0x04),
-        UUIDField("iid", IID_IActivationPropertiesIn, uuid_fmt=UUIDField.FORMAT_LE),
+        UUIDEnumField(
+            "iid",
+            IID_IActivationPropertiesIn,
+            (
+                COM_INTERFACES_NAMES.get,
+                lambda x: COM_INTERFACES_NAMES_rev.get(x.lower()),
+            ),
+            uuid_fmt=UUIDField.FORMAT_LE,
+        ),
     ]
 
 
diff --git a/scapy/layers/msrpce/rpcclient.py b/scapy/layers/msrpce/rpcclient.py
@@ -7,6 +7,7 @@
 DCE/RPC client as per [MS-RPCE]
 """
 
+import collections
 import uuid
 import socket
 
@@ -101,7 +102,7 @@ def __init__(
         ), "transport must be from DCERPC_Transport"
 
         # Counters
-        self.call_id = 0
+        self.call_ids = collections.defaultdict(lambda: 0)  # by assoc_group_id
         self.next_cont_id = 0  # next available context id
         self.next_auth_contex_id = 0  # next available auth context id
 
@@ -271,10 +272,10 @@ def sr1(self, pkt, **kwargs):
 
         The DCE/RPC header is added automatically.
         """
-        self.call_id += 1
+        self.call_ids[self.session.assoc_group_id] += 1
         pkt = (
             DceRpc5(
-                call_id=self.call_id,
+                call_id=self.call_ids[self.session.assoc_group_id],
                 pfc_flags="PFC_FIRST_FRAG+PFC_LAST_FRAG",
                 endian=self.ndrendian,
                 auth_verifier=kwargs.pop("auth_verifier", None),
@@ -295,10 +296,10 @@ def send(self, pkt, **kwargs):
 
         The DCE/RPC header is added automatically.
         """
-        self.call_id += 1
+        self.call_ids[self.session.assoc_group_id] += 1
         pkt = (
             DceRpc5(
-                call_id=self.call_id,
+                call_id=self.call_ids[self.session.assoc_group_id],
                 pfc_flags="PFC_FIRST_FRAG+PFC_LAST_FRAG",
                 endian=self.ndrendian,
                 auth_verifier=kwargs.pop("auth_verifier", None),
@@ -655,7 +656,6 @@ def _bind(
             and respcls in resp
             and self._check_bind_context(interface, resp.results)
         ):
-            self.call_id = 0  # reset call id
             port = resp.sec_addr.port_spec.decode()
             ndr = self.session.ndr64 and "NDR64" or "NDR32"
             self.ndr64 = self.session.ndr64
