Merge pull request #1132 from HackTricks-wiki/update_MS-RPC_Fuzzer_20250715_182932

carlospolop · web-flow · commit b15acd6380c9 · 2025-07-18T00:01:41.000+02:00
MS-RPC Fuzzer
diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md
@@ -89,6 +89,68 @@ It is possible to execute remote code on a machine, if the credentials of a vali
 
 The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
 
+## Automated Fuzzing of MSRPC Interfaces
+
+MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaw’s `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**.
+
+### 1. Inventory the interfaces
+
+```powershell
+# Import the module (download / git clone first)
+Import-Module .\MS-RPC-Fuzzer.psm1
+
+# Parse a single binary
+Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output
+
+# Or crawl the whole %SystemRoot%\System32 directory
+Get-RpcServerData -OutPath .\output
+```
+
+`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and **full procedure prototypes** for every interface it encounters and store them in `rpcServerData.json`.
+
+### 2. Run the fuzzer
+
+```powershell
+'.\output\rpcServerData.json' |
+    Invoke-RpcFuzzer -OutPath .\output `
+                     -MinStrLen 100  -MaxStrLen 1000 `
+                     -MinIntSize 9999 -MaxIntSize 99999
+```
+
+Relevant options:
+
+* `-MinStrLen` / `-MaxStrLen` – size range for generated strings
+* `-MinIntSize` / `-MaxIntSize` – value range for mutated integers (useful for overflow testing)
+* `-Sorted` – execute procedures in an order that honours **parameter dependencies** so that outputs of one call can serve as inputs of the next (dramatically increases reachable paths)
+
+The fuzzer implements 2 strategies:
+
+1. **Default fuzzer** – random primitive values + default instances for complex types
+2. **Sorted fuzzer**  – dependency-aware ordering (see `docs/Procedure dependency design.md`)
+
+Every call is written atomically to `log.txt`; after a crash the **last line immediately tells you the offending procedure**. The result of each call is also categorised into three JSON files:
+
+* `allowed.json` – call succeeded and returned data
+* `denied.json`  – server responded with *Access Denied*
+* `error.json`   – any other error / crash
+
+### 3. Visualise with Neo4j
+
+```powershell
+'.\output\allowed.json' |
+    Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j
+```
+
+`Import-DataToNeo4j` converts the JSON artefacts into a graph structure where:
+
+* RPC servers, interfaces and procedures are **nodes**
+* Interactions (`ALLOWED`, `DENIED`, `ERROR`) are **relationships**
+
+Cypher queries can then be used to quickly spot dangerous procedures or to replay the exact chain of calls that preceded a crash.
+
+⚠️  The fuzzer is *destructive*: expect service crashes and even BSODs – always run it in an isolated VM snapshot.
+
+
 ### Automated Interface Enumeration & Dynamic Client Generation (NtObjectManager)
 
 PowerShell guru **James Forshaw** exposed most of the Windows RPC internals inside the open–source *NtObjectManager* module.  Using it you can turn any RPC server DLL / EXE into a **fully-featured client stub** in seconds – no IDL, MIDL or manual unmarshalling required.
@@ -137,8 +199,6 @@ $client.EfsRpcOpenFileRaw([ref]$ctx, "\\\127.0.0.1\test", 0)
 
 Authentication (Kerberos / NTLM) and encryption levels (`PacketIntegrity`, `PacketPrivacy`, …) can be supplied directly via the `Connect-RpcClient` cmdlet – ideal for **bypassing Security Descriptors** that protect high-privilege named pipes.
 
----
-
 ### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)
 
 Static interface knowledge is great, but what you really want is **coverage-guided fuzzing** that understands *context handles* and complex parameter chains.  The open-source **MS-RPC-Fuzzer** project automates exactly that workflow:
@@ -163,18 +223,16 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
 
 > ⚠️  Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**.  Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*.
 
----
 
 ## References
 
 - [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
 - [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
 - [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
-
-
 - [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
 - [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
 - [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
+- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer)
 
 {{#include ../banners/hacktricks-training.md}}
 
