Commit b15acd6

Merge pull request #1132 from HackTricks-wiki/update_MS-RPC_Fuzzer_20250715_182932
MS-RPC Fuzzer
2 parents 61a2105 + 6726b38 commit b15acd6

src/network-services-pentesting/135-pentesting-msrpc.md

Lines changed: 63 additions & 5 deletions
@@ -89,6 +89,68 @@ It is possible to execute remote code on a machine, if the credentials of a vali
8989

9090
The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
9191

92+
## Automated Fuzzing of MSRPC Interfaces
93+
94+
MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaw’s `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**.
95+
96+
### 1. Inventory the interfaces
97+
98+
```powershell
99+
# Import the module (download / git clone first)
100+
Import-Module .\MS-RPC-Fuzzer.psm1
101+
102+
# Parse a single binary
103+
Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output
104+
105+
# Or crawl the whole %SystemRoot%\System32 directory
106+
Get-RpcServerData -OutPath .\output
107+
```
108+
109+
`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and **full procedure prototypes** for every interface it encounters and store them in `rpcServerData.json`.
110+
111+
### 2. Run the fuzzer
112+
113+
```powershell
114+
'.\output\rpcServerData.json' |
115+
Invoke-RpcFuzzer -OutPath .\output `
116+
-MinStrLen 100 -MaxStrLen 1000 `
117+
-MinIntSize 9999 -MaxIntSize 99999
118+
```
119+
120+
Relevant options:
121+
122+
* `-MinStrLen` / `-MaxStrLen` – size range for generated strings
123+
* `-MinIntSize` / `-MaxIntSize` – value range for mutated integers (useful for overflow testing)
124+
* `-Sorted` – execute procedures in an order that honours **parameter dependencies** so that outputs of one call can serve as inputs of the next (dramatically increases reachable paths)
125+
126+
The fuzzer implements 2 strategies:
127+
128+
1. **Default fuzzer** – random primitive values + default instances for complex types
129+
2. **Sorted fuzzer** – dependency-aware ordering (see `docs/Procedure dependency design.md`)
130+
131+
Every call is written atomically to `log.txt`; after a crash the **last line immediately tells you the offending procedure**. The result of each call is also categorised into three JSON files:
132+
133+
* `allowed.json` – call succeeded and returned data
134+
* `denied.json` – server responded with *Access Denied*
135+
* `error.json` – any other error / crash
136+
137+
### 3. Visualise with Neo4j
138+
139+
```powershell
140+
'.\output\allowed.json' |
141+
Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j
142+
```
143+
144+
`Import-DataToNeo4j` converts the JSON artefacts into a graph structure where:
145+
146+
* RPC servers, interfaces and procedures are **nodes**
147+
* Interactions (`ALLOWED`, `DENIED`, `ERROR`) are **relationships**
148+
149+
Cypher queries can then be used to quickly spot dangerous procedures or to replay the exact chain of calls that preceded a crash.
150+
151+
⚠️ The fuzzer is *destructive*: expect service crashes and even BSODs – always run it in an isolated VM snapshot.
152+
153+
92154
### Automated Interface Enumeration & Dynamic Client Generation (NtObjectManager)
93155

94156
PowerShell guru **James Forshaw** exposed most of the Windows RPC internals inside the open–source *NtObjectManager* module. Using it you can turn any RPC server DLL / EXE into a **fully-featured client stub** in seconds – no IDL, MIDL or manual unmarshalling required.
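Review bot: the new `## Automated Fuzzing of MSRPC Interfaces` section duplicates the page's existing `### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)` section further down, so after this hunk the same project and workflow (inventory with `Get-RpcServerData`, fuzz with `Invoke-RpcFuzzer`, visualise in Neo4j) are described twice; fold the two into one section rather than adding a second. Placement is also inverted: the first paragraph says the module "builds on James Forshaw's `NtObjectManager`", yet the block is inserted above the `### Automated Interface Enumeration & Dynamic Client Generation (NtObjectManager)` section that introduces that module, and the `##` heading level promotes the two `###` sections that follow underneath it. When merging, reconcile the descriptions as well: this hunk characterises the two strategies as "random primitive values + default instances for complex types" and "dependency-aware ordering", while the existing section calls the tool "coverage-guided fuzzing"; the page should pick the one that matches the project. Finally, the `Import-DataToNeo4j` example supplies `-Neo4jHost` and `-Neo4jUsername` but does not say how the password is provided; a sentence on that would save readers a failed first run.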
@@ -137,8 +199,6 @@ $client.EfsRpcOpenFileRaw([ref]$ctx, "\\\127.0.0.1\test", 0)
137199

138200
Authentication (Kerberos / NTLM) and encryption levels (`PacketIntegrity`, `PacketPrivacy`, …) can be supplied directly via the `Connect-RpcClient` cmdlet – ideal for **bypassing Security Descriptors** that protect high-privilege named pipes.
139201

140-
---
141-
142202
### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)
143203

144204
Static interface knowledge is great, but what you really want is **coverage-guided fuzzing** that understands *context handles* and complex parameter chains. The open-source **MS-RPC-Fuzzer** project automates exactly that workflow:
@@ -163,18 +223,16 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
163223

164224
> ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*.
165225
166-
---
167226

168227
## References
169228

170229
- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
171230
- [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
172231
- [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
173-
174-
175232
- [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
176233
- [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
177234
- [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
235+
- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)
178236

179237
{{#include ../banners/hacktricks-training.md}}
180238

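Review bot: the added line `- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)` is a duplicate of the entry `- [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)` already present three lines earlier in the same References list; drop the new line (or replace the old one) so the repository is cited once. Removing the stray `---` before `## References` and the two blank lines is fine.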