60 likes | 197 Views
RPC Auditing Tools &Tekniqz . Aaron Portnoy – TippingPoint Security Research aportnoy@tippingpoint.com | deft@thunkers.net. The Problem. Problems to be solved: Communicating with an RPC Server All you have is an IDL (interface description language file)
E N D
RPC Auditing Tools &Tekniqz Aaron Portnoy – TippingPoint Security Research aportnoy@tippingpoint.com | deft@thunkers.net
The Problem • Problems to be solved: • Communicating with an RPC Server • All you have is an IDL (interface description language file) • Need to code Metasploit module, Impacket script, or full C client • Tests frequently return RPC_X_BAD_STUB_DATA • Embedded structures/unions can get VERY unwieldy • Don’t know what the traffic looks like on the wire • NDR data is often padded in annoying ways • Auditing (be it fuzzing or otherwise) • No way to dynamically update your data • Summary: pain in the ass to audit by hand
For Example • For Example • You must obtain the IDL information • We’ve written scripts to automate this • Here’s an IDL snippet from LSASRV.dll • Once you have the IDL you must code a client long _s_SSCryptUnprotectData ( [out][size_is(*arg_2)] byte ** arg_1, [out] long * arg_2, [in][size_is(arg_4)] byte * arg_3, [in] long arg_4, [in, out][ptr][string] wchar_t ** arg_5, [in][unique][size_is(arg_7)] byte * arg_6, [in] long arg_7, [in, out][ptr] struct struct_1 * arg_8, [in][unique] struct struct_2 * arg_9, [in] long arg_10, [in][unique][size_is(arg_12)] byte * arg_11, [in] long arg_12 ); This sucks.
The Solution • What we’ve done: • Written an IDL lexer and parser • Returns instantiated objects for any IDL on WinXP and Win2k • Allows you to quickly parse any IDL and instantly talk to the RPC Server • Uses Impacket to actually send our packed data • Written an NDR library • Parser returns instantiated NDR opcodes, structs, and unions • Each object has a get_packed() which returns ready-to-send data • Began work on context-aware RPC sessions • Allows deeper auditing • Saves handle information
The Tools • Here’s an excerpt: • An IDL opcode: • The parser’s debug output: /* opcode: 0x4A, address: 0x75799D53 */ long sub_78590C02 ( [in][context_handle] void * arg_1, [in] struct struct_2C * arg_2, [in] /* enum16 */ short arg_3, [in] struct struct_2D * arg_4, [in] char arg_5, [out] struct struct_2E ** arg_6 ); [*] Parsing opcode 0x4A ------------------------ [*] arg_1 [<ndr.ndr_context_handle instance at 0x00B26468>] [*] arg_2 [<ndr.ndr_struct instance at 0x00B264B8>] [<ndr.ndr_short instance at 0x00B26508>] [<ndr.ndr_short instance at 0x00B265D0>] [<ndr.ndr_unique instance at 0x00B265A8>] [<ndr.ndr_unique instance at 0x00B26698>] [*] arg_3 [<ndr.ndr_short instance at 0x00B264E0>] [*] arg_4 [<ndr.ndr_struct instance at 0x00B26710>] [<ndr.ndr_long instance at 0x00B26760>] [<ndr.ndr_unique instance at 0x00B267D8>] [*] arg_5 [<ndr.ndr_char instance at 0x00B26670>] [*] [out] parameter ------------------------ [*] Finished opcode 0x4A
Questions, etc: aportnoy@tippingpoint.com | deft@thunkers.net dvlabs.tippingpoint.com