The Message Queuing service (msmq) runs RPC services, listening on the ncacn_ip_tcp transport. By default, the msmq service opens 4 TCP ports [81], including one or several of 2101/tcp, 2103/tcp, 2105/tcp and 2107/tcp.
The mqqm.dll (Windows NT MQ Queue Manager) DLL, loaded in the mqsvc.exe process, contains the following RPC services:
- fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
- 76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
- 1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
- 5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
- 41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0
Table 4.49. qmcomm operations
| Interface | Operation number | Operation name |
|---|---|---|
| fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0: qmcomm | | |
| | 0x00 | QMOpenQueue |
| | 0x01 | QMGetRemoteQueueName |
| | 0x02 | QMOpenRemoteQueue |
| | 0x03 | QMCloseRemoteQueueContext |
| | 0x04 | QMCreateRemoteCursor |
| | 0x05 | QMSendMessageInternal |
| | 0x06 | QMCreateObjectInternal |
| | 0x07 | QMSetObjectSecurityInternal |
| | 0x08 | QMGetObjectSecurityInternal |
| | 0x09 | QMDeleteObject |
| | 0x0a | QMGetObjectProperties |
| | 0x0b | QMSetObjectProperties |
| | 0x0c | QMObjectPathToObjectFormat |
| | 0x0d | QMAttachProcess |
| | 0x0e | QMGetTmWhereabouts |
| | 0x0f | QMEnlistTransation |
| | 0x10 | QMEnlistInternalTransaction |
| | 0x11 | QMCommitTransaction |
| | 0x12 | QMAbortTransaction |
| | 0x13 | QMOpenQueueInternal |
| | 0x14 | ACCloseHandle |
| | 0x15 | ACCreateCursor |
| | 0x16 | ACCloseCursor |
| | 0x17 | ACSetCursorProperties |
| | 0x18 | ACSendMessage |
| | 0x19 | ACReceiveMessage |
| | 0x1a | ACHandleToFormatName |
| | 0x1b | ACPurgeQueue |
| | 0x1c | QMQueryQMRegistryInternal |
| | 0x1d | QMListInternalQueues |
| | 0x1e | QMCorrectOutSequence |
| | 0x1f | QMGetRemoteQMServerPort |
| | 0x20 | QMGetMsmqServiceName |
| | 0x21 | QMCreateDSObjectInternal |
A vulnerability in the QMDeleteObject operation was discovered by Kostya Kortchinsky and fixed by the MS05-017 security bulletin [82] in April 2005.
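For monitoring, the interface UUIDs and operation numbers above can be matched against DCE/RPC traffic seen on the MSMQ ports. The following is an added example, not code from the original document: it parses connection-oriented bind and request PDUs and flags operation 0x09 on qmcomm. The names `inspect_pdu` and `sample_pdus` are hypothetical, the sample PDUs are constructed, and it assumes already reassembled PDUs (alter_context PDUs are not handled).

```python
import struct
import uuid

# Interface UUIDs (all v1.0) as listed on this page for mqqm.dll.
MSMQ_INTERFACES = {
    uuid.UUID("fdb3a030-065f-11d1-bb9b-00a024ea5525"): "qmcomm",
    uuid.UUID("76d12b80-3467-11d3-91ff-0090272f9ea3"): "qmcomm2",
    uuid.UUID("1088a980-eae5-11d0-8d9b-00a02453c337"): "qm2qm",
    uuid.UUID("5b5b3580-b0e0-11d1-b92d-0060081e87f0"): "qmrepl",
    uuid.UUID("41208ee0-e970-11d1-9b9e-00e02c064c39"): "qmmgmt",
}
# Calls to alert on; 0x09 on qmcomm is the operation fixed by MS05-017.
WATCHED = {("qmcomm", 0x09): "QMDeleteObject"}
PTYPE_REQUEST, PTYPE_BIND = 0, 11

def inspect_pdu(pdu, contexts):
    """Bind PDU: record ctx_id -> MSMQ interface in `contexts`, return None.
    Request PDU on a recorded context: return (interface, opnum, watched name or None)."""
    if len(pdu) < 24 or pdu[0] != 5:
        return None
    little = bool(pdu[4] & 0x10)          # data representation: integer byte order
    end = "<" if little else ">"
    if pdu[2] == PTYPE_BIND and len(pdu) >= 28:
        off = 28                          # first presentation context element
        for _ in range(pdu[24]):          # n_context_elem
            if off + 24 > len(pdu):
                break                     # truncated fragment
            ctx_id, n_xfer = struct.unpack_from(end + "HB", pdu, off)
            raw = pdu[off + 4:off + 20]   # abstract syntax (interface) UUID
            iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
            if iface in MSMQ_INTERFACES:
                contexts[ctx_id] = MSMQ_INTERFACES[iface]
            off += 24 + 20 * n_xfer       # skip version and transfer syntaxes
    elif pdu[2] == PTYPE_REQUEST:
        ctx_id, opnum = struct.unpack_from(end + "HH", pdu, 20)
        if ctx_id in contexts:
            return contexts[ctx_id], opnum, WATCHED.get((contexts[ctx_id], opnum))
    return None

def sample_pdus():
    """Constructed little-endian bind and request PDUs (not captured traffic)."""
    def pdu(ptype, body):
        return struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0",
                           16 + len(body), 0, 1) + body
    qmcomm = uuid.UUID("fdb3a030-065f-11d1-bb9b-00a024ea5525").bytes_le
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le  # NDR transfer syntax
    ctx = struct.pack("<HBx", 0, 1) + qmcomm + struct.pack("<HH", 1, 0) + ndr + struct.pack("<I", 2)
    bind = pdu(PTYPE_BIND, struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx)
    return bind, pdu(PTYPE_REQUEST, struct.pack("<IHH", 0, 0, 0x09))
```

Keep one `contexts` dictionary per TCP connection and feed it every PDU in order, since a request only carries the context id negotiated by the earlier bind.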
Table 4.50. qmcomm2 operations
| Interface | Operation number | Operation name |
|---|---|---|
| 76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0: qmcomm2 | | |
| | 0x00 | QMSendMessageInternalEx |
| | 0x01 | ACSendMessageEx |
| | 0x02 | ACReceiveMessageEx |
| | 0x03 | ACCreateCursorEx |
Table 4.51. qm2qm operations
| Interface | Operation number | Operation name |
|---|---|---|
| 1088a980-eae5-11d0-8d9b-00a02453c337 v1.0: qm2qm | | |
| | 0x00 | RemoteQMStartReceive |
| | 0x01 | RemoteQMEndReceive |
| | 0x02 | RemoteQMOpenQueue |
| | 0x03 | RemoteQMCloseQueue |
| | 0x04 | RemoteQMCloseCursor |
| | 0x05 | RemoteQMCancelReceive |
| | 0x06 | RemoteQMPurgeQueue |
| | 0x07 | RemoteQMGetQMQMServerPort |
| | 0x08 | RemoteQmGetVersion |
| | 0x09 | RemoteQMStartReceive2 |
| | 0x0a | RemoteQMStartReceiveByLookupId |
Table 4.52. qmrepl operations
| Interface | Operation number | Operation name |
|---|---|---|
| 5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0: qmrepl | | |
| | 0x00 | QMSendReplMsg |
Table 4.53. qmmgmt operations
| Interface | Operation number | Operation name |
|---|---|---|
| 41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0: qmmgmt | | |
| | 0x00 | QMMgmtGetInfo |
| | 0x01 | QMMgmtAction |
The msdtcprx.dll (MS DTC OLE Transactions interface proxy) DLL, also loaded in the mqsvc.exe process, contains one RPC service:
906b0ce0-c70b-1067-b317-00dd010662da v1.0
Table 4.54. IXnRemote operations
| Interface | Operation number | Operation name |
|---|---|---|
| 906b0ce0-c70b-1067-b317-00dd010662da v1.0: IXnRemote | | |
| | 0x00 | Poke |
| | 0x01 | BuildContext |
| | 0x02 | NegotiateResources |
| | 0x03 | SendReceive |
| | 0x04 | TearDownContext |
| | 0x05 | BeginTearDown |
| | 0x06 | PokeW |
| | 0x07 | BuildContextW |

This RPC service also runs in the Distributed Transaction Coordinator service process (msdtc.exe), which opens a dynamic port, as well as TCP port 3372 (at least on Windows 2000).