RPC Auditing Tools & Tekniqz
Aaron Portnoy – TippingPoint Security Research
[email protected] | [email protected]


Page 2

The Problem

• Problems to be solved:
  – Communicating with an RPC Server
    • All you have is an IDL (interface definition language) file
      – Need to code a Metasploit module, Impacket script, or full C client
      – Tests frequently return RPC_X_BAD_STUB_DATA
      – Embedded structures/unions can get VERY unwieldy
    • Don’t know what the traffic looks like on the wire
      – NDR data is often padded in annoying ways
  – Auditing (be it fuzzing or otherwise)
    • No way to dynamically update your data
  – Summary: pain in the ass to audit by hand

Page 3

For Example

• For Example
  – You must obtain the IDL information
    • We’ve written scripts to automate this
  – Here’s an IDL snippet from LSASRV.dll
    • Once you have the IDL you must code a client

    long _s_SSCryptUnprotectData (
        [out][size_is(*arg_2)] byte ** arg_1,
        [out] long * arg_2,
        [in][size_is(arg_4)] byte * arg_3,
        [in] long arg_4,
        [in, out][ptr][string] wchar_t ** arg_5,
        [in][unique][size_is(arg_7)] byte * arg_6,
        [in] long arg_7,
        [in, out][ptr] struct struct_1 * arg_8,
        [in][unique] struct struct_2 * arg_9,
        [in] long arg_10,
        [in][unique][size_is(arg_12)] byte * arg_11,
        [in] long arg_12
    );

This sucks.

Page 4

The Solution

• What we’ve done:
  – Written an IDL lexer and parser
    • Returns instantiated objects for any IDL on WinXP and Win2k
    • Allows you to quickly parse any IDL and instantly talk to the RPC Server
    • Uses Impacket to actually send our packed data
  – Written an NDR library
    • Parser returns instantiated NDR opcodes, structs, and unions
    • Each object has a get_packed() which returns ready-to-send data
  – Began work on context-aware RPC sessions
    • Allows deeper auditing
    • Saves handle information
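The get_packed() idea above, as an added example that is not the TippingPoint library's code: a toy Python NDR marshaller in which each IDL type is an object that knows its own alignment and how to emit itself, [unique] pointers go on the wire as a 4-byte referent id with the pointee deferred, and a struct emits its embedded pointees only after its flat part. It marshals the [in] side of the opcode 0x4A call shown on the next slide, using the struct_2C/struct_2D member layout visible in that slide's parser output; the pointee types behind the [unique] members, the sample values and the starting referent id are assumptions. The two bytes of padding inserted before struct_2D and the deferred pointees are exactly the "annoying padding" the previous slide complains about, and getting them wrong by hand is one classic source of RPC_X_BAD_STUB_DATA.

```python
"""Toy NDR marshaller in the style of the talk's get_packed() objects (added
example, not the TippingPoint library). Covers a subset of DCE 1.1 NDR, little-
endian: primitives aligned to their own size, [unique] pointers as a 4-byte
referent id with the pointee deferred, structs whose embedded pointees follow
the flat struct, and 20-byte context handles."""
import struct
import uuid

class Packer:
    """Stub-data buffer that tracks the offset so fields can be aligned."""
    def __init__(self):
        self.buf = bytearray()
        self.next_referent = 0x00020000  # constructed starting referent id
    def align(self, n):
        self.buf += b"\x00" * ((-len(self.buf)) % n)
    def write(self, fmt, value):  # fmt is one little-endian primitive, e.g. "<I"
        self.align(struct.calcsize(fmt))
        self.buf += struct.pack(fmt, value)
    def referent_id(self):
        self.next_referent += 4
        return self.next_referent - 4

class ndr_base:
    alignment = 1
    def pack_deferred(self, p):  # pointees; written after the flat part
        pass
    def get_packed(self):
        p = Packer()
        self.pack(p)
        self.pack_deferred(p)
        return bytes(p.buf)

class ndr_primitive(ndr_base):
    def __init__(self, value):
        self.value, self.alignment = value, struct.calcsize(self.fmt)
    def pack(self, p):
        p.write(self.fmt, self.value)

class ndr_char(ndr_primitive): fmt = "<B"
class ndr_short(ndr_primitive): fmt = "<h"
class ndr_long(ndr_primitive): fmt = "<l"

class ndr_context_handle(ndr_base):
    """20 bytes on the wire: 4-byte attributes, then a 16-byte UUID."""
    alignment = 4
    def __init__(self, guid=uuid.UUID(int=0), attributes=0):
        self.guid, self.attributes = guid, attributes
    def pack(self, p):
        p.write("<I", self.attributes)
        p.buf += self.guid.bytes_le

class ndr_unique(ndr_base):
    """[unique] pointer: referent id inline (0 for NULL), pointee deferred."""
    alignment = 4
    def __init__(self, pointee=None):
        self.pointee = pointee
    def pack(self, p):
        p.write("<I", p.referent_id() if self.pointee is not None else 0)
    def pack_deferred(self, p):
        if self.pointee is not None:
            self.pointee.pack(p)
            self.pointee.pack_deferred(p)

class ndr_struct(ndr_base):
    """Members flat and in order; embedded pointees come after the struct."""
    def __init__(self, *members):
        self.members = members
        self.alignment = max(m.alignment for m in members)
    def pack(self, p):
        p.align(self.alignment)
        for m in self.members:
            m.pack(p)
    def pack_deferred(self, p):
        for m in self.members:
            m.pack_deferred(p)

def pack_params(*params):
    """Top-level [in] parameters: each parameter's pointees follow it directly."""
    p = Packer()
    for param in params:
        param.pack(p)
        param.pack_deferred(p)
    return bytes(p.buf)

def pack_sub_78590C02_in():
    """[in] side of the slide's opcode 0x4A. struct_2C/struct_2D member types come
    from the parser output on the slide; pointee types and values are made up."""
    arg_1 = ndr_context_handle()                              # [in][context_handle]
    arg_2 = ndr_struct(ndr_short(1), ndr_short(2),            # struct_2C: short, short,
                       ndr_unique(ndr_long(0x11)), ndr_unique(None))  # unique, unique
    arg_3 = ndr_short(3)                                      # /* enum16 */ short
    arg_4 = ndr_struct(ndr_long(4), ndr_unique(ndr_short(5)))  # struct_2D: long, unique
    arg_5 = ndr_char(6)
    return pack_params(arg_1, arg_2, arg_3, arg_4, arg_5)     # arg_6 is [out]: not sent
```

In the output the first [unique] member is the referent id 0x00020000 and its pointee (the long 0x11) only appears once both pointer slots of struct_2C are written; the enum16 arg_3 ends at offset 38, so two zero bytes are inserted before struct_2D to restore 4-byte alignment. Swap the constructed values for real ones and hand the bytes to the Impacket transport to get the same behaviour the slide describes.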

Page 5

The Tools

• Here’s an excerpt:
  – An IDL opcode:

    /* opcode: 0x4A, address: 0x75799D53 */
    long sub_78590C02 (
        [in][context_handle] void * arg_1,
        [in] struct struct_2C * arg_2,
        [in] /* enum16 */ short arg_3,
        [in] struct struct_2D * arg_4,
        [in] char arg_5,
        [out] struct struct_2E ** arg_6
    );

  – The parser’s debug output:

    [*] Parsing opcode 0x4A
    ------------------------
    [*] arg_1
        [<ndr.ndr_context_handle instance at 0x00B26468>]
    [*] arg_2
        [<ndr.ndr_struct instance at 0x00B264B8>]
            [<ndr.ndr_short instance at 0x00B26508>]
            [<ndr.ndr_short instance at 0x00B265D0>]
            [<ndr.ndr_unique instance at 0x00B265A8>]
            [<ndr.ndr_unique instance at 0x00B26698>]
    [*] arg_3
        [<ndr.ndr_short instance at 0x00B264E0>]
    [*] arg_4
        [<ndr.ndr_struct instance at 0x00B26710>]
            [<ndr.ndr_long instance at 0x00B26760>]
            [<ndr.ndr_unique instance at 0x00B267D8>]
    [*] arg_5
        [<ndr.ndr_char instance at 0x00B26670>]
    [*] [out] parameter
    ------------------------
    [*] Finished opcode 0x4A
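For the lexer/parser step behind this debug output (and for the LSASRV snippet on the "For Example" slide), an added example that is not the TippingPoint parser: a small Python parser that turns an IDL function into parameter records (attributes, C type, pointer depth, name) and then answers two questions a client author needs before packing anything: which parameters are actually sent ([in] and [in, out]; a pure [out] parameter such as arg_6 produces no stub data, which is why the output above just says "[out] parameter"), and which length parameter governs which size_is buffer, the pairing that has to agree on the wire to avoid RPC_X_BAD_STUB_DATA. The two IDL strings are the ones on the slides; the record layout and function names are my own.

```python
"""Toy IDL parameter parser (added example, not the TippingPoint parser).
Turns a function declaration from an IDL dump into parameter records and
derives what the client marshals and which length field sizes which buffer."""
import re

# Both declarations are copied from the slides.
IDL_OPCODE_4A = """
/* opcode: 0x4A, address: 0x75799D53 */
long sub_78590C02 (
    [in][context_handle] void * arg_1,
    [in] struct struct_2C * arg_2,
    [in] /* enum16 */ short arg_3,
    [in] struct struct_2D * arg_4,
    [in] char arg_5,
    [out] struct struct_2E ** arg_6);
"""

IDL_SSCRYPT = """
long _s_SSCryptUnprotectData (
    [out][size_is(*arg_2)] byte ** arg_1,
    [out] long * arg_2,
    [in][size_is(arg_4)] byte * arg_3,
    [in] long arg_4,
    [in, out][ptr][string] wchar_t ** arg_5,
    [in][unique][size_is(arg_7)] byte * arg_6,
    [in] long arg_7,
    [in, out][ptr] struct struct_1 * arg_8,
    [in][unique] struct struct_2 * arg_9,
    [in] long arg_10,
    [in][unique][size_is(arg_12)] byte * arg_11,
    [in] long arg_12);
"""

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
ATTR_RE = re.compile(r"\[([^\]]*)\]")               # one [...] attribute group
SIG_RE = re.compile(r"(\w+)\s+(\w+)\s*\((.*)\)\s*;", re.S)  # ret name ( params );


def split_top_level(text):
    """Split on commas outside ( ) and [ ], so '[in, out]' stays one parameter."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return parts + [tail] if tail else parts


def parse_param(text):
    """'[in][size_is(arg_4)] byte * arg_3' -> attributes, C type, pointer depth, name."""
    attrs = [a.strip() for grp in ATTR_RE.findall(text) for a in grp.split(",")]
    tokens = ATTR_RE.sub("", text).replace("*", " * ").split()
    words = [t for t in tokens if t != "*"]
    size_is = None
    for a in attrs:
        m = re.fullmatch(r"size_is\((.*)\)", a)
        if m:
            size_is = m.group(1)
    return {"name": words[-1], "type": " ".join(words[:-1]),
            "pointers": tokens.count("*"), "attrs": attrs, "size_is": size_is,
            "in": "in" in attrs, "out": "out" in attrs}


def parse_idl(text):
    """Parse one function declaration; comments (incl. the enum16 hint) are dropped."""
    m = SIG_RE.search(COMMENT_RE.sub(" ", text))
    if not m:
        raise ValueError("not a function declaration")
    ret, name, params = m.groups()
    return {"returns": ret, "name": name,
            "params": [parse_param(p) for p in split_top_level(params)]}


def client_marshalled(func):
    """[in] and [in, out] parameters are sent by the client; pure [out] ones are not."""
    return [p["name"] for p in func["params"] if p["in"]]


def size_dependencies(func):
    """buffer name -> expression that must match its conformance count on the wire."""
    return {p["name"]: p["size_is"] for p in func["params"] if p["size_is"]}
```

Feeding each record's type and pointer depth into a type table is the step that produces instantiated objects like the ndr_struct / ndr_unique instances printed above; size_dependencies() is what tells a fuzzer that mutating arg_3 without updating arg_4 will be rejected at the stub before the target code ever sees the data.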

Page 6

Questions, etc: [email protected] | [email protected]

dvlabs.tippingpoint.com