Description
Hi @gpotter2, you sent me code in issue #4900.
Executing it results in an exception.
Following is the output:
```
┃ Connecting to 192.168.100.100 on port 445 via <DCERPC_Transport.NCACN_NP: 15>...
└ Connected from ('192.168.100.1', 53376)
Traceback (most recent call last):
  File "/home/smauger/sandbox/scapy/test_dce3.py", line 23, in <module>
    client.connect_and_bind("192.168.100.100", find_dcerpc_interface("lsarpc"))
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/smauger/sandbox/scapy/scapy/layers/msrpce/rpcclient.py", line 760, in connect_and_bind
    self.connect(
    ~~~~~~~~~~~~^
        host=host,
        ^^^^^^^^^^
    ...<3 lines>...
        smb_kwargs=smb_kwargs,
        ^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/home/smauger/sandbox/scapy/scapy/layers/msrpce/rpcclient.py", line 194, in connect
    endpoints = get_endpoint(
        host,
    ...<4 lines>...
        smb_kwargs=smb_kwargs,
    )
  File "/home/smauger/sandbox/scapy/scapy/layers/msrpce/rpcclient.py", line 954, in get_endpoint
    client.connect(ip, endpoint=endpoint, smb_kwargs=smb_kwargs)
    ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/smauger/sandbox/scapy/scapy/layers/msrpce/rpcclient.py", line 239, in connect
    self.open_smbpipe(endpoint)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/home/smauger/sandbox/scapy/scapy/layers/msrpce/rpcclient.py", line 731, in open_smbpipe
    self.ipc_tid = self.smbrpcsock.tree_connect("IPC$")
                   ^^^^^^^^^^^^^^^
AttributeError: 'DCERPC_Client' object has no attribute 'smbrpcsock'
```

I then tried to follow the DCE/RPC scapy example in https://scapy.readthedocs.io/en/latest/layers/dcerpc.html#client,
replacing connect_and_bind by:

```python
client.connect("192.168.100.100")
client.open_smbpipe("lsarpc")
client.bind(find_dcerpc_interface("lsarpc"))
```

Doing this allows me to open an SMB pipe and call DCE/RPC interface procedures.
However, I get an ACCESS_DENIED on every LsarEnumerateAccountsWithUserRight request made with the PolicyHandle returned by the LsarOpenPolicy2 request (LSAD_MAXIMUM_ALLOWED).
Looking at Wireshark, I see that the LsarOpenPolicy2 packet and all the other LsarEnumerateAccountsWithUserRight packets are misbuilt (built with NDR64, while my client has ndr64=False).
I then set ndr64=False on each NDRPacket, and it works. I don't know why, but I have to do that.
Forcing open_smbpipe("lsarpc") and ndr64=False on each packet, I was able to execute [MS-LSAD] requests.