RPC Auditing Tools &Tekniqz

Aaron Portnoy – TippingPoint Security Research

aportnoy@tippingpoint.com | deft@thunkers.net

The Problem
  • Problems to be solved:
    • Communicating with an RPC Server
      • All you have is an IDL (interface description language file)
        • Need to code Metasploit module, Impacket script, or full C client
        • Tests frequently return RPC_X_BAD_STUB_DATA
        • Embedded structures/unions can get VERY unwieldy
      • Don’t know what the traffic looks like on the wire
        • NDR data is often padded in annoying ways
    • Auditing (be it fuzzing or otherwise)
      • No way to dynamically update your data
    • Summary: pain in the ass to audit by hand
For Example
  • You must obtain the IDL information
    • We’ve written scripts to automate this
  • Here’s an IDL snippet from LSASRV.dll
    • Once you have the IDL you must code a client

  long _s_SSCryptUnprotectData (
      [out][size_is(*arg_2)] byte ** arg_1,
      [out] long * arg_2,
      [in][size_is(arg_4)] byte * arg_3,
      [in] long arg_4,
      [in, out][ptr][string] wchar_t ** arg_5,
      [in][unique][size_is(arg_7)] byte * arg_6,
      [in] long arg_7,
      [in, out][ptr] struct struct_1 * arg_8,
      [in][unique] struct struct_2 * arg_9,
      [in] long arg_10,
      [in][unique][size_is(arg_12)] byte * arg_11,
      [in] long arg_12
  );

This sucks.

The Solution
  • What we’ve done:
    • Written an IDL lexer and parser
      • Returns instantiated objects for any IDL on WinXP and Win2k
        • Allows you to quickly parse any IDL and instantly talk to the RPC Server
        • Uses Impacket to actually send our packed data
    • Written an NDR library
      • Parser returns instantiated NDR opcodes, structs, and unions
      • Each object has a get_packed() which returns ready-to-send data
    • Began work on context-aware RPC sessions
      • Allows deeper auditing
      • Saves handle information
The Tools
  • Here’s an excerpt:
    • An IDL opcode:

  /* opcode: 0x4A, address: 0x75799D53 */
  long sub_78590C02 (
      [in][context_handle] void * arg_1,
      [in] struct struct_2C * arg_2,
      [in] /* enum16 */ short arg_3,
      [in] struct struct_2D * arg_4,
      [in] char arg_5,
      [out] struct struct_2E ** arg_6
  );

    • The parser’s debug output:

  [*] Parsing opcode 0x4A
  ------------------------
  [*] arg_1 [<ndr.ndr_context_handle instance at 0x00B26468>]
  [*] arg_2 [<ndr.ndr_struct instance at 0x00B264B8>]
          [<ndr.ndr_short instance at 0x00B26508>]
          [<ndr.ndr_short instance at 0x00B265D0>]
          [<ndr.ndr_unique instance at 0x00B265A8>]
          [<ndr.ndr_unique instance at 0x00B26698>]
  [*] arg_3 [<ndr.ndr_short instance at 0x00B264E0>]
  [*] arg_4 [<ndr.ndr_struct instance at 0x00B26710>]
          [<ndr.ndr_long instance at 0x00B26760>]
          [<ndr.ndr_unique instance at 0x00B267D8>]
  [*] arg_5 [<ndr.ndr_char instance at 0x00B26670>]
  [*] [out] parameter
  ------------------------
  [*] Finished opcode 0x4A
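As an added illustration (not the authors' library), here is a minimal NDR packer in the shape "The Solution" slide describes: every object exposes get_packed(), and the request stub data for opcode 0x4A is assembled from exactly the parameter types the debug output above lists. The referent types behind the two unique pointers, the referent ID value, little-endian wire order and all field values are assumptions made for the demo.

```python
import struct

def _pad(offset, align):
    # NDR aligns each item to its natural boundary relative to the stub start
    return b"\x00" * ((-offset) % align)
class ndr_primitive:
    def __init__(self, value=0):
        self.value = value
    def get_packed(self, offset=0):
        return _pad(offset, self.align) + struct.pack("<" + self.fmt, self.value)
class ndr_char(ndr_primitive):  fmt, align = "B", 1
class ndr_short(ndr_primitive): fmt, align = "h", 2   # also covers enum16
class ndr_long(ndr_primitive):  fmt, align = "i", 4
class ndr_context_handle:
    align = 4   # 4-byte attributes + 16-byte UUID; all zero is a NULL handle
    def __init__(self, attrs=0, uuid=bytes(16)):
        self.attrs, self.uuid = attrs, uuid
    def get_packed(self, offset=0):
        return _pad(offset, 4) + struct.pack("<I", self.attrs) + self.uuid
class ndr_unique:
    align = 4   # 4-byte referent ID inline (0 for NULL); referent data elsewhere
    def __init__(self, referent=None, ref_id=0x20000):
        self.referent, self.ref_id = referent, ref_id
    def get_packed(self, offset=0):
        return _pad(offset, 4) + struct.pack("<I", self.ref_id if self.referent is not None else 0)
class ndr_struct:
    # Aligns to its most restrictive member. Embedded unique-pointer referents are
    # deferred past the body; a top-level parameter list (defer=False) puts each
    # referent right after its referent ID. Nested deferral is not modelled.
    def __init__(self, members, defer=True):
        self.members, self.defer = members, defer
        self.align = max(m.align for m in members)
    def get_packed(self, offset=0):
        data, deferred = _pad(offset, self.align), []
        for m in self.members:
            data += m.get_packed(offset + len(data))
            if isinstance(m, ndr_unique) and m.referent is not None:
                deferred.append(m.referent)
                if not self.defer:
                    data += deferred.pop().get_packed(offset + len(data))
        for r in deferred:
            data += r.get_packed(offset + len(data))
        return data
def build_opcode_4a():
    # [in] parameters of sub_78590C02 as the debug output lists them; the
    # pointer referent types and every value here are constructed for the demo
    arg_2 = ndr_struct([ndr_short(1), ndr_short(2), ndr_unique(ndr_long(0x11)), ndr_unique()])
    arg_4 = ndr_struct([ndr_long(4), ndr_unique()])
    params = [ndr_context_handle(0, bytes(range(16))), arg_2, ndr_short(3), arg_4, ndr_char(5)]
    return ndr_struct(params, defer=False).get_packed()
```

The two zero bytes that appear between arg_3 and arg_4 in the result are the struct alignment padding the slides complain about; getting them wrong by hand is one common source of RPC_X_BAD_STUB_DATA.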


Questions, etc: aportnoy@tippingpoint.com | deft@thunkers.net

dvlabs.tippingpoint.com