RPC Auditing Tools - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
RPC Auditing Tools Tekniqz
  • Aaron Portnoy, TippingPoint Security Research
  • aportnoy@tippingpoint.com / deft@thunkers.net

2
The Problem
  • Problems to be solved
    • Communicating with an RPC server
      • All you have is an IDL (interface description language) file
      • Need to code a Metasploit module, Impacket script, or full C client
      • Tests frequently return RPC_X_BAD_STUB_DATA
      • Embedded structures/unions can get VERY unwieldy
      • Don't know what the traffic looks like on the wire
      • NDR data is often padded in annoying ways
    • Auditing (be it fuzzing or otherwise)
      • No way to dynamically update your data
  • Summary: pain in the ass to audit by hand

3
For Example
  • You must obtain the IDL information
  • We've written scripts to automate this
  • Here's an IDL snippet from LSASRV.dll
  • Once you have the IDL you must code a client

long _s_SSCryptUnprotectData (
    [out][size_is(arg_2)] byte *arg_1,
    [out] long *arg_2,
    [in][size_is(arg_4)] byte *arg_3,
    [in] long arg_4,
    [in, out][ptr][string] wchar_t *arg_5,
    [in][unique][size_is(arg_7)] byte *arg_6,
    [in] long arg_7,
    [in, out][ptr] struct struct_1 *arg_8,
    [in][unique] struct struct_2 *arg_9,
    [in] long arg_10,
    [in][unique][size_is(arg_12)] byte *arg_11,
    [in] long arg_12 );

This sucks.

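The first step the slides describe, turning a prototype like the one above into parameter objects, can be shown with a small parser. The code below is an added example written for this transcript, not the authors' IDL lexer/parser (which is not on the page and may look quite different). IdlParam, IdlProc and size_is_problems are this example's own names, and the embedded copy of the LSASRV.dll prototype has the brackets and pointer stars that the transcript dropped put back, which is an assumption about the original. The size_is check flags a conformance attribute that names a parameter the prototype never declares, one of the mistakes that only surfaces later as RPC_X_BAD_STUB_DATA.

```python
import re
from dataclasses import dataclass


@dataclass
class IdlParam:
    name: str
    base_type: str      # "byte", "long", "struct struct_1", ...
    attrs: dict         # {"in": True, "size_is": "arg_4"}, ...
    pointer_depth: int  # number of '*' between type and name


@dataclass
class IdlProc:
    return_type: str
    name: str
    params: list


_PROC_RE = re.compile(r"^(?P<ret>\w+)\s+(?P<name>\w+)\s*\((?P<body>.*)\)\s*;?$", re.S)
# one or more [...] attribute groups, a base type, optional '*'s, the parameter name
_PARAM_RE = re.compile(r"^(?P<attrs>(?:\[[^\]]*\]\s*)+)(?P<type>(?:struct\s+)?\w+)"
                       r"\s*(?P<stars>\**)\s*(?P<name>\w+)$")
_INTEGRAL = {"byte", "char", "small", "short", "long", "hyper", "int"}


def _split_top_level(text):
    """Split on commas that are not nested inside () or []."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return parts + [tail] if tail else parts


def _parse_attrs(text):
    """'[in][unique][size_is(arg_7)]' -> {'in': True, 'unique': True, 'size_is': 'arg_7'}"""
    attrs = {}
    for group in re.findall(r"\[([^\]]*)\]", text):
        for item in _split_top_level(group):
            m = re.fullmatch(r"(\w+)(?:\((.*)\))?", item)
            if not m:
                raise ValueError("bad attribute: %r" % item)
            attrs[m.group(1)] = True if m.group(2) is None else m.group(2).strip()
    return attrs


def parse_proc(text):
    """Parse one prototype into an IdlProc; ValueError on anything unrecognised."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S).strip()  # drop /* ... */
    m = _PROC_RE.match(text)
    if not m:
        raise ValueError("not a procedure prototype")
    params = []
    for p in _split_top_level(m.group("body")):
        pm = _PARAM_RE.match(p)
        if not pm:
            raise ValueError("bad parameter: %r" % p)
        params.append(IdlParam(pm.group("name"), pm.group("type"),
                               _parse_attrs(pm.group("attrs")), len(pm.group("stars"))))
    return IdlProc(m.group("ret"), m.group("name"), params)


def size_is_problems(proc):
    """Every size_is must name an integral parameter of the same prototype;
    a stub packed from a prototype that breaks this is one of the things
    that comes back as RPC_X_BAD_STUB_DATA."""
    by_name = {p.name: p for p in proc.params}
    problems = []
    for p in proc.params:
        ref = p.attrs.get("size_is")
        if ref is None:
            continue
        target = by_name.get(ref)
        if target is None:
            problems.append("%s: size_is(%s) names an unknown parameter" % (p.name, ref))
        elif target.base_type not in _INTEGRAL:
            problems.append("%s: size_is(%s) is not integral" % (p.name, ref))
    return problems


# Constructed copy of the slide-3 prototype, brackets and '*' restored (assumption).
SLIDE3_IDL = """long _s_SSCryptUnprotectData (
    [out][size_is(arg_2)] byte *arg_1, [out] long *arg_2,
    [in][size_is(arg_4)] byte *arg_3, [in] long arg_4,
    [in, out][ptr][string] wchar_t *arg_5,
    [in][unique][size_is(arg_7)] byte *arg_6, [in] long arg_7,
    [in, out][ptr] struct struct_1 *arg_8, [in][unique] struct struct_2 *arg_9,
    [in] long arg_10, [in][unique][size_is(arg_12)] byte *arg_11, [in] long arg_12 );"""

# Constructed negative case: size_is names a parameter that does not exist.
BROKEN_IDL = "long broken([in][size_is(arg_9)] byte *arg_1, [in] long arg_2);"
```

parse_proc(SLIDE3_IDL) yields twelve IdlParam objects, the [in, out][ptr][string] parameter carrying all four attributes as flags and the size_is ones carrying the referenced name; size_is_problems returns an empty list for it and one message for BROKEN_IDL. Comments in the /* ... */ style seen on slide 5 are stripped before parsing.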
4
The Solution
  • What we've done
    • Written an IDL lexer and parser
      • Returns instantiated objects for any IDL on WinXP and Win2k
      • Allows you to quickly parse any IDL and instantly talk to the RPC server
      • Uses Impacket to actually send our packed data
    • Written an NDR library
      • Parser returns instantiated NDR opcodes, structs, and unions
      • Each object has a get_packed() which returns ready-to-send data
    • Began work on context-aware RPC sessions
      • Allows deeper auditing
      • Saves handle information

5
The Tools
  • Here's an excerpt
    • An IDL opcode
    • The parser's debug output

/* opcode 0x4A, address 0x75799D53 */
long sub_78590C02 (
    [in][context_handle] void *arg_1,
    [in] struct struct_2C arg_2,
    [in] /* enum16 */ short arg_3,
    [in] struct struct_2D arg_4,
    [in] char arg_5,
    [out] struct struct_2E *arg_6 );

Parsing opcode 0x4A
------------------------
arg_1
    <ndr.ndr_context_handle instance at 0x00B26468>
arg_2
    <ndr.ndr_struct instance at 0x00B264B8>
        <ndr.ndr_short instance at 0x00B26508>
        <ndr.ndr_short instance at 0x00B265D0>
        <ndr.ndr_unique instance at 0x00B265A8>
        <ndr.ndr_unique instance at 0x00B26698>
arg_3
    <ndr.ndr_short instance at 0x00B264E0>
arg_4
    <ndr.ndr_struct instance at 0x00B26710>
        <ndr.ndr_long instance at 0x00B26760>
        <ndr.ndr_unique instance at 0x00B267D8>
arg_5
    <ndr.ndr_char instance at 0x00B26670>
out parameter
------------------------
Finished opcode 0x4A

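Slide 4 says each NDR object has a get_packed() that returns ready-to-send data, and the debug tree above shows the object shapes involved. The following is an added example written for this transcript, not the NDR library the slides describe: a minimal little-endian NDR marshaller (DCE 1.1 transfer syntax) whose class names mirror the debug output (ndr_short, ndr_long, ndr_char, ndr_unique, ndr_struct, get_packed) but whose API is this example's own assumption, not the real tool's. It shows the two things slide 2 complains about: alignment padding that depends on everything packed before a field, and unique pointers inside a struct whose pointees are deferred until after the struct body. The context handle (arg_1) and the sample values are constructed.

```python
import struct


def _align(buf, alignment):
    """Zero-pad so the next field starts on `alignment`, counted from the stub start."""
    buf.extend(b"\x00" * ((-len(buf)) % alignment))


class ndr_primitive:
    fmt = None       # struct-module format character, set by subclasses
    alignment = 1

    def __init__(self, value):
        self.value = value

    def pack_into(self, buf, deferred):
        _align(buf, self.alignment)
        buf.extend(struct.pack("<" + self.fmt, self.value))

    def get_packed(self):
        """Ready-to-send bytes for this object as a top-level parameter."""
        buf = bytearray()
        self.pack_into(buf, None)
        return bytes(buf)


class ndr_char(ndr_primitive):
    fmt, alignment = "B", 1

class ndr_short(ndr_primitive):
    fmt, alignment = "h", 2

class ndr_long(ndr_primitive):
    fmt, alignment = "i", 4


class ndr_unique(ndr_primitive):
    """[unique] pointer: 4-byte referent id (0 for NULL) plus the pointee.  At top
    level the pointee follows at once; inside a struct it is deferred to the end
    of the outermost struct."""
    alignment = 4

    def __init__(self, referent, refid=0x00020000):
        self.referent, self.refid = referent, refid

    def pack_into(self, buf, deferred):
        _align(buf, 4)
        if self.referent is None:
            buf.extend(struct.pack("<I", 0))
            return
        buf.extend(struct.pack("<I", self.refid))
        if deferred is None:
            self.referent.pack_into(buf, None)
        else:
            deferred.append(self.referent)


class ndr_struct(ndr_primitive):
    """Members in order, each on its own alignment; the struct itself is aligned
    to its largest member; deferred pointees are drained after the body."""

    def __init__(self, *members):
        self.members = members

    @property
    def alignment(self):
        return max((m.alignment for m in self.members), default=1)

    def pack_into(self, buf, deferred):
        _align(buf, self.alignment)
        queue = [] if deferred is None else deferred
        for m in self.members:
            m.pack_into(buf, queue)
        if deferred is None:  # outermost struct drains the queue; pointees may add to it
            i = 0
            while i < len(queue):
                queue[i].pack_into(buf, queue)
                i += 1


def pack_stub(*params):
    """Pack a whole parameter list into one request stub buffer."""
    buf = bytearray()
    for p in params:
        p.pack_into(buf, None)
    return bytes(buf)


def demo_opcode_4a():
    """Constructed values in the slide-5 shapes for opcode 0x4A (context handle
    arg_1 omitted): struct(short, short, unique, unique), short, struct(long,
    unique), char.  Note the 2 pad bytes the second struct needs."""
    return pack_stub(
        ndr_struct(ndr_short(1), ndr_short(2),                         # arg_2
                   ndr_unique(ndr_long(0x11223344), refid=0x00020000),
                   ndr_unique(None)),
        ndr_short(3),                                                  # arg_3
        ndr_struct(ndr_long(7), ndr_unique(ndr_char(0x41), refid=0x00020004)),  # arg_4
        ndr_char(0x5A),                                                # arg_5
    )
```

demo_opcode_4a() returns 30 bytes: arg_2 packs as 01 00 02 00 / 00 00 02 00 / 00 00 00 00 / 44 33 22 11 (the long pointee lands after the second, NULL, pointer), arg_3 as 03 00, then two zero pad bytes so arg_4's long is 4-aligned, 07 00 00 00 / 04 00 02 00 / 41, and finally 5A. Conformant arrays ([size_is]) are left out; they add a 4-byte max count and, inside a struct, hoist it in front of the struct.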
6
Questions, etc.
  • aportnoy@tippingpoint.com
  • deft@thunkers.net
  • dvlabs.tippingpoint.com