
RPC Auditing Tools & Tekniqz


1. RPC Auditing Tools & Tekniqz

   Aaron Portnoy – TippingPoint Security Research
   aportnoy@tippingpoint.com | deft@thunkers.net

2. The Problem

   • Problems to be solved:
     • Communicating with an RPC server
       • All you have is an IDL (Interface Definition Language) file
       • Need to code a Metasploit module, an Impacket script, or a full C client
       • Tests frequently return RPC_X_BAD_STUB_DATA (the server stub rejected the marshalled data, i.e. our NDR encoding did not match what the stub expected)
       • Embedded structures/unions can get VERY unwieldy
       • Don't know what the traffic looks like on the wire
       • NDR data is often padded in annoying ways
     • Auditing (be it fuzzing or otherwise)
       • No way to dynamically update your data
   • Summary: pain in the ass to audit by hand

3. For Example

   • You must obtain the IDL information
     • We've written scripts to automate this
   • Here's an IDL snippet from LSASRV.dll
   • Once you have the IDL you must code a client

     long _s_SSCryptUnprotectData (
         [out][size_is(*arg_2)] byte ** arg_1,
         [out] long * arg_2,
         [in][size_is(arg_4)] byte * arg_3,
         [in] long arg_4,
         [in, out][ptr][string] wchar_t ** arg_5,
         [in][unique][size_is(arg_7)] byte * arg_6,
         [in] long arg_7,
         [in, out][ptr] struct struct_1 * arg_8,
         [in][unique] struct struct_2 * arg_9,
         [in] long arg_10,
         [in][unique][size_is(arg_12)] byte * arg_11,
         [in] long arg_12
     );

   This sucks.

4. The Solution

   • What we've done:
     • Written an IDL lexer and parser
       • Returns instantiated objects for any IDL on WinXP and Win2k
       • Allows you to quickly parse any IDL and instantly talk to the RPC server
       • Uses Impacket to actually send our packed data
     • Written an NDR library
       • Parser returns instantiated NDR opcodes, structs, and unions
       • Each object has a get_packed() method that returns ready-to-send data
     • Began work on context-aware RPC sessions
       • Allows deeper auditing
       • Saves handle information
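As an added example, not part of the talk and not the ndr library it describes: a minimal Python NDR marshaller in the spirit of the get_packed() objects of slide 4, built to show the alignment and pointer rules behind the "annoying padding" and RPC_X_BAD_STUB_DATA failures listed on slide 2. The class names echo the slide's debug output (ndr_short, ndr_struct, ndr_unique) but the implementation, the Example call signature and the sample values are constructed here. It covers little-endian NDR 2.0 primitives aligned to their size relative to the start of the stub data, [unique] pointers with referent IDs and referents deferred past the enclosing struct, and [size_is()] conformant byte arrays with their separate max-count header; conformant arrays embedded in structs (whose count is hoisted to the front of the struct), unions and NDR64 are deliberately left out.

```python
import struct

class NdrBuffer:
    """Accumulates stub data; NDR alignment is measured from offset 0 of the stub."""

    def __init__(self):
        self.data = bytearray()
        self.depth = 0                 # >0 while inside a struct: referents are deferred
        self.deferred = []             # referents to emit after the outermost struct
        self.next_ref_id = 0x00020000  # referent IDs only need to be non-zero and unique

    def align(self, n):
        self.data += b"\x00" * ((-len(self.data)) % n)

    def put(self, fmt, value):
        self.data += struct.pack("<" + fmt, value)

class NdrPrimitive:
    fmt = None  # struct format character; its size is also its NDR alignment

    def __init__(self, value):
        self.value = value
        self.align = struct.calcsize(self.fmt)

    def pack(self, buf):
        buf.align(self.align)
        buf.put(self.fmt, self.value)

class NdrChar(NdrPrimitive): fmt = "B"
class NdrShort(NdrPrimitive): fmt = "h"
class NdrLong(NdrPrimitive): fmt = "i"

class NdrConformantBytes:
    """[size_is(n)] byte *: 4-byte max count, then the elements (the size_is
    parameter is still marshalled separately, so the length appears twice)."""
    align = 4

    def __init__(self, data):
        self.data = bytes(data)

    def pack(self, buf):
        buf.align(4)
        buf.put("I", len(self.data))
        buf.data += self.data

class NdrUnique:
    """[unique] pointer: 4-byte referent ID (0 for NULL), then the referent,
    which is deferred to the end of the enclosing top-level struct, if any."""
    align = 4

    def __init__(self, referent=None):
        self.referent = referent

    def pack(self, buf):
        buf.align(4)
        if self.referent is None:
            buf.put("I", 0)
            return
        buf.put("I", buf.next_ref_id)
        buf.next_ref_id += 4
        if buf.depth:
            buf.deferred.append(self.referent)
        else:
            self.referent.pack(buf)

class NdrStruct:
    """Aligned to its most strictly aligned member; members in order, each at
    its own alignment; embedded pointer referents follow the outermost struct."""

    def __init__(self, *members):
        self.members = members
        self.align = max(m.align for m in members)

    def pack(self, buf):
        buf.align(self.align)
        buf.depth += 1
        for member in self.members:
            member.pack(buf)
        buf.depth -= 1
        if buf.depth == 0:
            while buf.deferred:  # referents come out in pointer order
                buf.deferred.pop(0).pack(buf)

def get_packed(*params):
    """Marshal the [in] parameters of one call into request stub data."""
    buf = NdrBuffer()
    for param in params:
        param.pack(buf)
    return bytes(buf.data)

def example_request():
    # Constructed call signature, not one from the slides:
    #   long Example([in] struct { short a; short b; [unique] long *p; } *s,
    #                [in] char c, [in][size_is(n)] byte *data, [in] long n);
    # A top-level [in] pointer to a struct is a [ref] pointer: no referent ID.
    return get_packed(
        NdrStruct(NdrShort(1), NdrShort(2), NdrUnique(NdrLong(0x11223344))),
        NdrChar(7), NdrConformantBytes(b"ABC"), NdrLong(3))
```

Calling example_request() yields 28 bytes: the two shorts, the referent ID, then the deferred long referent, the single char followed by three pad bytes so the array's max count lands on a 4-byte boundary, the count and the three data bytes, and one more pad byte before the trailing length parameter. Dropping either run of padding, or the conformance count, produces a request the server stub rejects with RPC_X_BAD_STUB_DATA, which is why hand-built clients fail so often.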

5. The Tools

   • Here's an excerpt:
   • An IDL opcode:

     /* opcode: 0x4A, address: 0x75799D53 */
     long sub_78590C02 (
         [in][context_handle] void * arg_1,
         [in] struct struct_2C * arg_2,
         [in] /* enum16 */ short arg_3,
         [in] struct struct_2D * arg_4,
         [in] char arg_5,
         [out] struct struct_2E ** arg_6
     );

   • The parser's debug output:

     [*] Parsing opcode 0x4A
     ------------------------
     [*] arg_1
         [<ndr.ndr_context_handle instance at 0x00B26468>]
     [*] arg_2
         [<ndr.ndr_struct instance at 0x00B264B8>]
         [<ndr.ndr_short instance at 0x00B26508>]
         [<ndr.ndr_short instance at 0x00B265D0>]
         [<ndr.ndr_unique instance at 0x00B265A8>]
         [<ndr.ndr_unique instance at 0x00B26698>]
     [*] arg_3
         [<ndr.ndr_short instance at 0x00B264E0>]
     [*] arg_4
         [<ndr.ndr_struct instance at 0x00B26710>]
         [<ndr.ndr_long instance at 0x00B26760>]
         [<ndr.ndr_unique instance at 0x00B267D8>]
     [*] arg_5
         [<ndr.ndr_char instance at 0x00B26670>]
     [*] [out] parameter
     ------------------------
     [*] Finished opcode 0x4A

6. Questions, etc:

   aportnoy@tippingpoint.com | deft@thunkers.net
   dvlabs.tippingpoint.com
