Skip to content

Automating MS-RPC vulnerability research #1133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 16, 2025
Merged

Automating MS-RPC vulnerability research #1133

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
81 changes: 81 additions & 0 deletions src/network-services-pentesting/135-pentesting-msrpc.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,8 +89,89 @@ It is possible to execute remote code on a machine, if the credentials of a vali

The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.

### Automated Interface Enumeration & Dynamic Client Generation (NtObjectManager)

PowerShell guru **James Forshaw** exposed most of the Windows RPC internals inside the open–source *NtObjectManager* module. Using it you can turn any RPC server DLL / EXE into a **fully-featured client stub** in seconds – no IDL, MIDL or manual unmarshalling required.

```powershell
# Install the module once
Install-Module NtObjectManager -Force

# Parse every RPC interface exported by the target binary
$rpcinterfaces = Get-RpcServer "C:\Windows\System32\efssvc.dll"
$rpcinterfaces | Format-Table Name,Uuid,Version,Procedures

# Inspect a single procedure (opnum 0)
$rpcinterfaces[0].Procedures[0] | Format-List *
```

Typical output exposes parameter types exactly as they appear in **MIDL** (e.g. `FC_C_WSTRING`, `FC_LONG`, `FC_BIND_CONTEXT`).

Once you know the interface you can **generate a ready-to-compile C# client**:

```powershell
# Reverse the MS-EFSR (EfsRpc*) interface into C#
Format-RpcClient $rpcinterfaces[0] -Namespace MS_EFSR -OutputPath .\MS_EFSR.cs
```

Inside the produced stub you will find methods such as:

```csharp
public int EfsRpcOpenFileRaw(out Marshal.NdrContextHandle ctx, string FileName, int Flags) {
// marshals parameters & calls opnum 0
}
```

The PowerShell helper `Get-RpcClient` can create an **interactive client object** so you can call the procedure immediately:

```powershell
$client = Get-RpcClient $rpcinterfaces[0]
Connect-RpcClient $client -stringbinding 'ncacn_np:127.0.0.1[\\pipe\\efsrpc]' `
-AuthenticationLevel PacketPrivacy `
-AuthenticationType WinNT # NTLM auth

# Invoke the procedure → returns an authenticated context handle
$ctx = New-Object Marshal.NdrContextHandle
$client.EfsRpcOpenFileRaw([ref]$ctx, "\\\127.0.0.1\test", 0)
```

Authentication (Kerberos / NTLM) and encryption levels (`PacketIntegrity`, `PacketPrivacy`, …) can be supplied directly via the `Connect-RpcClient` cmdlet – ideal for **bypassing Security Descriptors** that protect high-privilege named pipes.

---

### Context-Aware RPC Fuzzing (MS-RPC-Fuzzer)

Static interface knowledge is great, but what you really want is **coverage-guided fuzzing** that understands *context handles* and complex parameter chains. The open-source **MS-RPC-Fuzzer** project automates exactly that workflow:

1. Enumerate every interface/procedure exported by the target binary (`Get-RpcServer`).
2. Generate dynamic clients for each interface (`Format-RpcClient`).
3. Randomise input parameters (wide strings length, integer ranges, enums) while respecting the original **NDR type**.
4. Track *context handles* returned by one call to feed follow-up procedures automatically.
5. Fire high-volume calls against the chosen transport (ALPC, TCP, HTTP or named pipe).
6. Log exit statuses / faults / timeouts and export a **Neo4j** import file to visualise *interface → procedure → parameter* relationships and crash clusters.

Example run (named–pipe target):

```powershell
Invoke-MSRPCFuzzer -Pipe "\\.\pipe\efsrpc" -Auth NTLM `
-MinLen 1 -MaxLen 0x400 `
-Iterations 100000 `
-OutDir .\results
```

A single out-of-bounds write or unexpected exception will be surfaced immediately with the exact opnum + fuzzed payload that triggered it – perfect starting point for a stable proof-of-concept exploit.

> ⚠️ Many RPC services execute in processes running as **NT AUTHORITY\SYSTEM**. Any memory-safety issue here usually translates to local privilege escalation or (when exposed over SMB/135) *remote code execution*.

---

## References

- [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
- [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
- [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)


- [https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/)
- [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/)
- [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/)
Expand Down