diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md index f14dbb93433..e754f591f4a 100644 --- a/src/network-services-pentesting/135-pentesting-msrpc.md +++ b/src/network-services-pentesting/135-pentesting-msrpc.md @@ -89,6 +89,68 @@ It is possible to execute remote code on a machine, if the credentials of a vali The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port. +## Automated Fuzzing of MSRPC Interfaces + +MS-RPC interfaces expose a large and often undocumented attack surface. The open-source [MS-RPC-Fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) PowerShell module builds on James Forshaw’s `NtObjectManager` to *dynamically* create RPC client stubs from the interface metadata that is already present in Windows binaries. Once a stub exists the module can bombard each procedure with mutated inputs and log the outcome, making **reproducible, large-scale fuzzing of RPC endpoints possible without writing a single line of IDL**. + +### 1. Inventory the interfaces + +```powershell +# Import the module (download / git clone first) +Import-Module .\MS-RPC-Fuzzer.psm1 + +# Parse a single binary +Get-RpcServerData -Target "C:\Windows\System32\efssvc.dll" -OutPath .\output + +# Or crawl the whole %SystemRoot%\System32 directory +Get-RpcServerData -OutPath .\output +``` + +`Get-RpcServerData` will extract the UUID, version, binding strings (named-pipe / TCP / HTTP) and **full procedure prototypes** for every interface it encounters and store them in `rpcServerData.json`. + +### 2. Run the fuzzer + +```powershell +'.\output\rpcServerData.json' | + Invoke-RpcFuzzer -OutPath .\output ` + -MinStrLen 100 -MaxStrLen 1000 ` + -MinIntSize 9999 -MaxIntSize 99999 +``` + +Relevant options: + +* `-MinStrLen` / `-MaxStrLen` – size range for generated strings +* `-MinIntSize` / `-MaxIntSize` – value range for mutated integers (useful for overflow testing) +* `-Sorted` – execute procedures in an order that honours **parameter dependencies** so that outputs of one call can serve as inputs of the next (dramatically increases reachable paths) + +The fuzzer implements 2 strategies: + +1. **Default fuzzer** – random primitive values + default instances for complex types +2. **Sorted fuzzer** – dependency-aware ordering (see `docs/Procedure dependency design.md`) + +Every call is written atomically to `log.txt`; after a crash the **last line immediately tells you the offending procedure**. The result of each call is also categorised into three JSON files: + +* `allowed.json` – call succeeded and returned data +* `denied.json` – server responded with *Access Denied* +* `error.json` – any other error / crash + +### 3. Visualise with Neo4j + +```powershell +'.\output\allowed.json' | + Import-DataToNeo4j -Neo4jHost 192.168.56.10:7474 -Neo4jUsername neo4j +``` + +`Import-DataToNeo4j` converts the JSON artefacts into a graph structure where: + +* RPC servers, interfaces and procedures are **nodes** +* Interactions (`ALLOWED`, `DENIED`, `ERROR`) are **relationships** + +Cypher queries can then be used to quickly spot dangerous procedures or to replay the exact chain of calls that preceded a crash. + +⚠️ The fuzzer is *destructive*: expect service crashes and even BSODs – always run it in an isolated VM snapshot. + + ### Automated Interface Enumeration & Dynamic Client Generation (NtObjectManager) PowerShell guru **James Forshaw** exposed most of the Windows RPC internals inside the open–source *NtObjectManager* module. Using it you can turn any RPC server DLL / EXE into a **fully-featured client stub** in seconds – no IDL, MIDL or manual unmarshalling required. @@ -137,8 +199,6 @@ $client.EfsRpcOpenFileRaw([ref]$ctx, "\\\127.0.0.1\test", 0) Authentication (Kerberos / NTLM) and encryption levels (`PacketIntegrity`, `PacketPrivacy`, …) can be supplied directly via the `Connect-RpcClient` cmdlet – ideal for **bypassing Security Descriptors** that protect high-privilege named pipes. ---- - ### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer) Static interface knowledge is great, but what you really want is **coverage-guided fuzzing** that understands *context handles* and complex parameter chains. The open-source **MS-RPC-Fuzzer** project automates exactly that workflow: @@ -163,18 +223,16 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel > ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*. ---- ## References - [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/) - [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer) - [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager) - - - [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) - [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/) - [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/) +- [MS-RPC-Fuzzer (GitHub)](https://github.com/warpnet/MS-RPC-Fuzzer) {{#include ../banners/hacktricks-training.md}}