Invoke-RpcFuzzer

Invokes the fuzzing process. It requires the rpcServerData.json file generated by Get-RpcServerData as input.

Usage

NAME
    Invoke-RpcFuzzer

SYNTAX
    Invoke-RpcFuzzer [[-DataFile] <String>] [[-Mode] <String>] [[-iterations] <String>] [[-remote_host] <String>]
    [[-canary] <String>] [[-OutPath] <String>] [[-StringInput] <String>] [[-intInput] <Int32>] [[-guidInput] <Guid>]
    [[-inputParameters] <Object>] [[-minStrLen] <Object>] [[-maxStrLen] <Object>] [[-minIntSize] <Object>]
    [[-maxIntSize] <Object>] [[-minByteArrLen] <Object>] [[-maxByteArrLen] <Object>] [[-Procedure] <Object>]
    [[-Blacklist] <Object>] [[-FuzzerType] <String>] [[-DbgHelpPath] <String>] [<CommonParameters>]

OPTIONS
    -DataFile               The path to rpcServerData.json (path can also be piped)
    -Mode                   Remote or Local (default local)
    -Iterations             Number of iterations to generate random input for a specific RPC call and invoke it (default 1)
    -Remote_host            If -Mode remote is specified, the IPv4 address of the listening host
    -Canary                 A unique string to trace RPC calls back (can be used as a filter in ProcMon)
    -OutPath                Path to export fuzzing data to
    -InputParameters        Pass complex type parameters to the fuzzer (see examples below)
    -StringInput            Pass your own value for string parameters (for example an existing file)
    -intInput               Pass your own int32 value for integer parameters
    -guidInput              Pass your own guid value for guid parameters
    -minStrLen              The minimal length for a string when generating fuzz data (default 5)
    -maxStrLen              The maximal length for a string when generating fuzz data (default 20)
    -minIntSize             The minimal integer size when generating fuzz data (default 10)
    -maxIntSize             The maximal integer size when generating fuzz data (default 100)
    -minByteArrLen          The minimal Byte Array length when generating fuzz data (default 100)
    -maxByteArrLen          The maximal Byte Array length when generating fuzz data (default 1000)
    -Procedure              Specify a specific procedure to fuzz
    -Blacklist              Specify blacklisted procedures (fuzzer will not invoke these procedures)
    -FuzzerType             Choose between default and sorted
    -DbgHelpPath            The path to dbghelp.dll for symbols

Examples

Fuzzing with no options:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\
[+] dbghelp.dll successfully initialized
[+] Starting fuzzer...
[+] Completed fuzzing
[+] To load data into Neo4j use: '.\output\Allowed.json' | Import-DatatoNeo4j -Neo4jHost '127.0.0.1:7474' -Neo4jUsername 'neo4j'
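The -Canary option exists so that side effects observed on the target host can be traced back to a fuzzed call. The following is an added example, not code from the RPC fuzzer project: it generates a unique canary, shows the documented invocation that passes it, and then triages a ProcMon CSV export by that canary so every file or registry operation carrying the string is grouped by process and operation. The ProcMon column names are the standard CSV export headers; the function name Get-CanaryOperations and the sample rows are constructed for this example.

```powershell
# Added example (not part of the RPC fuzzer project): tie a fuzzing run to a
# unique canary, then triage a ProcMon CSV export by that canary so each
# operation the RPC server performed can be traced back to the fuzzed call.

# 1. A canary that will not collide with anything else on the host.
$canary = 'FUZZ-' + [guid]::NewGuid().ToString('N').Substring(0, 12)

# 2. Run the fuzzer as documented above, handing it the canary.
#    (Commented out so the triage part below runs stand-alone.)
# '.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -Canary $canary

# 3. Triage: load the ProcMon export (File > Save..., CSV format) and keep
#    only the rows whose Path or Detail column carries the canary.
function Get-CanaryOperations {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [string] $Canary
    )
    Import-Csv -Path $CsvPath |
        Where-Object { $_.Path -like "*$Canary*" -or $_.Detail -like "*$Canary*" } |
        Group-Object -Property 'Process Name', Operation |
        ForEach-Object {
            [pscustomobject]@{
                Process   = $_.Group[0].'Process Name'
                Operation = $_.Group[0].Operation
                Count     = $_.Count
                # Non-SUCCESS results are worth a closer look: they often mark
                # the point where fuzzed input was rejected or mishandled.
                Failures  = @($_.Group | Where-Object { $_.Result -ne 'SUCCESS' }).Count
                Paths     = ($_.Group.Path | Sort-Object -Unique) -join '; '
            }
        }
}

# Constructed sample export (process names and paths are made up for the
# demonstration); replace with your own ProcMon capture.
$sample = @"
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","spoolsv.exe","1234","CreateFile","C:\Windows\Temp\$canary.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","spoolsv.exe","1234","WriteFile","C:\Windows\Temp\$canary.tmp","SUCCESS","Offset: 0, Length: 512"
"10:01:02.3","spoolsv.exe","1234","CreateFile","C:\Windows\Temp\$canary.lock","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.4","svchost.exe","876","RegQueryValue","HKLM\SOFTWARE\Example\Unrelated","SUCCESS","Type: REG_SZ"
"@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'procmon-sample.csv'
Set-Content -Path $tmp -Value $sample -Encoding UTF8

Get-CanaryOperations -CsvPath $tmp -Canary $canary | Format-Table -AutoSize
Remove-Item $tmp
```

Because the canary is embedded in every string the fuzzer sends, the same filter applied live in ProcMon (Path contains, or Detail contains, the canary) narrows a noisy trace to the operations caused by the fuzzed procedure; the unrelated svchost.exe row in the sample is dropped for that reason.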

Fuzzing with the "sorted" fuzzer type:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -FuzzerType sorted
[+] dbghelp.dll successfully initialized
[+] Starting fuzzer...
[+] Completed fuzzing
[+] To load data into Neo4j use: '.\output\Allowed.json' | Import-DatatoNeo4j -Neo4jHost '127.0.0.1:7474' -Neo4jUsername 'neo4j'

Remote mode with Remote host IPv4 specified:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -Mode remote -remote_host 172.22.13.110
[+] dbghelp.dll successfully initialized
[+] Starting fuzzer...
[+] Completed fuzzing
[+] To load data into Neo4j use: '.\output\Allowed.json' | Import-DatatoNeo4j -Neo4jHost '127.0.0.1:7474' -Neo4jUsername 'neo4j'

Specify length for Strings:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -minStrLen 100 -maxStrLen 200

Specify size for Integers:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -minIntSize 10 -maxIntSize 20

Fuzzing with a procedure blacklist:

'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -Blacklist ./blacklist.txt
[+] dbghelp.dll successfully initialized
[+] Starting fuzzer...
[+] Completed fuzzing
[+] To load data into Neo4j use: '.\output\Allowed.json' | Import-DatatoNeo4j -Neo4jHost '127.0.0.1:7474' -Neo4jUsername 'neo4j'

Pass a complex parameter type (output of another RPC call):

# Get complex output parameter for RPC call
$retval = $client.RpcOpenPrinter("\\127.0.0.1", '', $complex, 0x00020002)

# Use complex output parameter as fuzz input
'.\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -inputParameters $retval

Specify your own string value. This can be useful to see what an RPC procedure does with an existing file:

'.\output\rpcServerData.json' | Invoke-RpcFuzzer -OutPath .\output\ -StringInput "C:\Users\testuser\Documents\test.txt"

Specify a specific procedure to fuzz with minimal and maximal string lengths:

'.\output\rpcServerData.json' | Invoke-RpcFuzzer -outpath .\output\ -Procedure EdpRpcRmsDecontainerizeFile -minStrLen 100 -maxStrLen 1000

Specify your own integer and guid as parameters for fuzzing input:

$myguid = New-Guid
'.\output\rpcServerData.json' | Invoke-RpcFuzzer -outpath .\output\ -Procedure EdpRpcRmsDecontainerizeFile -intInput 1337 -guidInput $myguid