Locating Vulnerabilities in Microsoft RPC: An Offline and Runtime Reversing Approach

This course will be an insightful look at Immunity Inc.'s methodologies for finding local and remote bugs in Microsoft's Windows OS. The following is a brief listing of the topics we will be covering during this 2-day course event:

1- Microsoft RPC
	a. Locating the running interfaces
	b. Understanding Named Pipe permissions
	c. Null sessions (what can still be possible with XP SP2)
	d. Which process runs which service?
	e. Tricks to evade RPC default named pipe permissions (Immunity's secret trick!)
	f. Old school MS RPC vs. DCOM
	g. Context handles
2- Reversing Microsoft RPC using Immunity Debugger 
	a. Retrieving symbols for service executables and DLLs
	b. Static Analysis with Immunity Debugger
	c. Locating the interfaces and the dispatch tables in the disassembly
	d. Looking at each procedure for potential vulnerabilities
	e. Extending code coverage (Immunity's secret trick!)
	f. Generating IDL files with muddle and fixing them to work!
	g. Core RPC client skeleton
	h. Sending requests to procedures
3- Runtime Reversing Microsoft RPC (Debugger)
	a. Attaching, breakpoints, watchpoints etc.
	b. Sending RPC requests and runtime tracing
	c. Correlating runtime findings with the static analysis session (structure decompilation, better coverage and understanding, etc.)
	d. Modifying RPC requests for profit
PREREQUISITES:

1- A laptop with a Windows OS of choice (XP or Vista). Linux with Windows as a guest is also fine.
2- Microsoft Visual Studio (the free Express Edition is fine) (for compiling the IDL clients)

3- Immunity Debugger (Freely Available)

5- Sysinternals tools: Process Explorer, WinObj, DebugView, Regmon,
Filemon, Tokenmon, TcpView (Free downloads from 
http://www.sysinternals.com/ntw2k/utilities.shtml )

6- VMware (create 2 OS images: one Windows 2000 SP4 and one Windows XP.
Available from: http://www.vmware.com. There is a free trial version
available for 30 days)

7- Download of Windows XP Service Pack 2