Invoke-RpcFuzzer

Invokes the fuzzing process. It takes the rpcServerData.json file generated by Get-RpcServerData as input.

Usage

NAME
    Invoke-RpcFuzzer

SYNTAX
    Invoke-RpcFuzzer [[-DataFile] <String>] [[-Mode] <String>] [[-iterations] <String>] [[-remote_host] <String>]
    [[-canary] <String>] [[-OutPath] <String>] [[-StringInput] <String>] [[-intInput] <Int32>] [[-guidInput] <Guid>]
    [[-inputParameters] <Object>] [[-minStrLen] <Object>] [[-maxStrLen] <Object>] [[-minIntSize] <Object>]
    [[-maxIntSize] <Object>] [[-minByteArrLen] <Object>] [[-maxByteArrLen] <Object>] [[-Procedure] <Object>]
    [[-Blacklist] <Object>] [[-FuzzerType] <String>] [[-DbgHelpPath] <String>] [-NoSpecialChars]
    [[-Sleep] <Int32>] [<CommonParameters>]

OPTIONS
    -DataFile               The path to rpcServerData.json (the path can also be piped)
    -Mode                   Remote or Local (default Local)
    -Iterations             Number of iterations to generate random input for a specific RPC call and invoke it (default 1)
    -Remote_host            If -Mode remote is specified, the IPv4 address of a listening host
    -Canary                 A unique string to trace RPC calls back to the fuzzer (can be applied as a filter in ProcMon)
    -OutPath                Path to export fuzzing data to
    -InputParameters        Pass complex type parameters to the fuzzer (see examples below)
    -StringInput            Pass your own value for string parameters (for example the path of an existing file)
    -NoSpecialChars         Do not include special characters in random strings (prevents NAME INVALID)
    -intInput               Pass your own int32 value for integer parameters
    -guidInput              Pass your own GUID value for GUID parameters
    -minStrLen              The minimal length for a string when generating fuzz data (default 5)
    -maxStrLen              The maximal length for a string when generating fuzz data (default 20)
    -minIntSize             The minimal integer size when generating fuzz data (default 10)
    -maxIntSize             The maximal integer size when generating fuzz data (default 100)
    -minByteArrLen          The minimal byte array length when generating fuzz data (default 100)
    -maxByteArrLen          The maximal byte array length when generating fuzz data (default 1000)
    -Procedure              Fuzz only the specified procedure
    -Blacklist              Specify blacklisted procedures (the fuzzer will not invoke these procedures)
    -FuzzerType             Choose between default and sorted
    -DbgHelpPath            The path to dbghelp.dll for symbols
    -Sleep                  Time in seconds to wait before invoking the next RPC call

Examples

Fuzzing with no options:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\
[+] dbghelp.dll successfully initialized
[+] Starting fuzzer...
[+] Completed fuzzing
[+] To load data into Neo4j use: '.\output\Allowed.json' | Import-DatatoNeo4j -Neo4jHost '127.0.0.1:7474' -Neo4jUsername 'neo4j'

Fuzzing with the "sorted" fuzzer type:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -FuzzerType sorted
[+] dbghelp.dll successfully initialized
[+] Starting fuzzer...
[+] Completed fuzzing
[+] To load data into Neo4j use: '.\output\Allowed.json' | Import-DatatoNeo4j -Neo4jHost '127.0.0.1:7474' -Neo4jUsername 'neo4j'

Remote mode with Remote host IPv4 specified:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -Mode remote -remote_host 172.22.13.110
[+] dbghelp.dll successfully initialized
[+] Starting fuzzer...
[+] Completed fuzzing
[+] To load data into Neo4j use: '.\output\Allowed.json' | Import-DatatoNeo4j -Neo4jHost '127.0.0.1:7474' -Neo4jUsername 'neo4j'

Specify length for Strings:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -minStrLen 100 -maxStrLen 200

Specify size for Integers:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -minIntSize 10 -maxIntSize 20

Fuzzing with a procedure blacklist:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -Blacklist ./blacklist.txt
[+] dbghelp.dll successfully initialized
[+] Starting fuzzer...
[+] Completed fuzzing
[+] To load data into Neo4j use: '.\output\Allowed.json' | Import-DatatoNeo4j -Neo4jHost '127.0.0.1:7474' -Neo4jUsername 'neo4j'

Pass a complex parameter type (output from another RPC call):

# Get complex output parameter for RPC call
$retval = $client.RpcOpenPrinter("\\127.0.0.1", '', $complex, 0x00020002)

# Use complex output parameter as fuzz input
'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -inputParameters $retval

Specify your own string value. This can be useful to see what an RPC procedure does with an existing file:

'.\output\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -StringInput "C:\Users\testuser\Documents\test.txt"

Specify a specific procedure to fuzz with minimal and maximal string lengths:

'.\output\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -Procedure EdpRpcRmsDecontainerizeFile -minStrLen 100 -maxStrLen 1000

Specify your own integer and GUID as parameters for fuzzing input:

$myguid = New-Guid
'.\output\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -Procedure EdpRpcRmsDecontainerizeFile -intInput 1337 -guidInput $myguid

Sometimes string input without special characters yields more results, for example when Process Monitor shows NAME INVALID for CreateFile operations. To prevent this, use the -NoSpecialChars switch:

'.\output\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -NoSpecialChars
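To make the option table concrete, the following added example (written for this page, not Invoke-RpcFuzzer's own code) shows how the string/integer/byte-array bounds, the fixed-value overrides and the -NoSpecialChars switch shape one iteration of fuzz input. Defaults match the table above; the function names, the `$Fixed` hashtable and the sample signature are assumptions of this example.

```powershell
# Added illustration, not Invoke-RpcFuzzer's own code: a minimal generator showing
# how the length/size bounds and the -NoSpecialChars switch documented above shape
# one iteration of fuzz input. Defaults match the option table; the rest is assumed.
function New-FuzzString {
    param([int]$MinLen = 5, [int]$MaxLen = 20, [switch]$NoSpecialChars)
    if ($MinLen -lt 1 -or $MaxLen -lt $MinLen) { throw "Bad string bounds: $MinLen..$MaxLen" }
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    # Characters like <>:"|?* are what make CreateFile report NAME INVALID in ProcMon,
    # so -NoSpecialChars leaves them out to get past path validation.
    if (-not $NoSpecialChars) { $alphabet += [char[]]'!@#$%^&*()<>:"|?*\/.,;=+[]{}' }
    $len = Get-Random -Minimum $MinLen -Maximum ($MaxLen + 1)
    -join (1..$len | ForEach-Object { $alphabet[(Get-Random -Maximum $alphabet.Length)] })
}

function New-FuzzInt {
    param([int]$MinSize = 10, [int]$MaxSize = 100)
    if ($MaxSize -lt $MinSize) { throw "Bad integer bounds: $MinSize..$MaxSize" }
    Get-Random -Minimum $MinSize -Maximum ($MaxSize + 1)
}

function New-FuzzByteArray {
    param([int]$MinLen = 100, [int]$MaxLen = 1000)
    if ($MinLen -lt 0 -or $MaxLen -lt $MinLen) { throw "Bad byte array bounds: $MinLen..$MaxLen" }
    $buf = New-Object byte[] (Get-Random -Minimum $MinLen -Maximum ($MaxLen + 1))
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    ,$buf   # leading comma keeps the array from being unrolled into the pipeline
}

# One iteration for a procedure signature. $Fixed plays the role of -StringInput /
# -intInput / -guidInput: a supplied value replaces random data for that type.
function New-FuzzIteration {
    param([string[]]$ParamTypes, [hashtable]$Fixed = @{}, [switch]$NoSpecialChars)
    foreach ($t in $ParamTypes) {
        if ($Fixed.ContainsKey($t)) { $Fixed[$t]; continue }
        switch ($t) {
            'string' { New-FuzzString -NoSpecialChars:$NoSpecialChars }
            'int'    { New-FuzzInt }
            'guid'   { [guid]::NewGuid() }
            'byte[]' { New-FuzzByteArray }
            default  { $null }   # complex types need a real value, as with -inputParameters
        }
    }
}

# Constructed signature for illustration; the tool itself reads types from rpcServerData.json.
New-FuzzIteration -ParamTypes 'string', 'int', 'guid', 'byte[]' -Fixed @{ int = 1337 } -NoSpecialChars
```

Run it twice with and without -NoSpecialChars and compare the string element: the second form contains only letters and digits, which is the input shape that avoids the NAME INVALID results described above.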