4.5.3.1 Client Request Buffer

A complete ROP request buffer for the RopQueryRows ROP ([MS-OXCROPS] section 2.2.5.4) is a 7-byte sequence formatted as follows:

 0000: 15 00 00 00 01 32 00

The first 3 bytes are the RopId, LogonID, and InputHandleIndex fields, as described in [MS-OXCROPS] section 2.2.5.4.1.

  
 0000: 15 00 00

RopId: 0x15 (RopQueryRows)

LogonID: 0x00

InputHandleIndex: 0x00. The handle of the table to query.

The final 4 bytes of the ROP request buffer are the QueryRowsFlags, ForwardRead, and RowCount fields described in section 2.2.2.5.1.

  
 0003: 00 01 32 00

QueryRowsFlags: 0x00. Advance the table cursor.

ForwardRead: 0x01. Read the table forward.

RowCount: 0x0032. Return a maximum of 50 rows.

Additional resources