SecuriTeam™ - CA BrightStor ARCServe BackUp Message Engine Command Injection Vulnerability

An exploit has been released for the command injection vulnerability in ArcServe's Message Engine, which I wrote about in "CA ARCserve Backup Multiple Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com - まっちゃだいふくの日記★とれんどふりーく★".

The service named "CA BrightStor Message Engine" (Process Name: msgeng.exe) registers an RPC interface which is listening on TCP port 6504; the following is some related information:
UUID : 506b1890-14c8-11d1-bbc3-00805fa6962e
Version : 1.0
Listen Port : 6504

Remarkably, we can access this interface anonymously via "ncacn_ip_tcp". The following is the IDL of the function of opnum 0x10A:

CA BrightStor ARCServe BackUp Message Engine Command Injection Vulnerability

Whoa, lol, that's super easy lol

First, the first parameter (victim's computer name) should be equal to the real computer name. Second, when we change the string "aaa.exe" to something such as "../aaa.exe", it will bypass the current directory. If the program has been installed by default, transferring the following string will reach "cmd.exe" and add a user with "CCC"/"ZZZ" (username/password) on the affected system:
../../../../../../../..//winnt//system32//cmd.exe /c \"net user CCC ZZZ /add\" ||

CA BrightStor ARCServe BackUp Message Engine Command Injection Vulnerability
