Codebase list spike / master src / README.msrpcfuzz
master

Tree @master (Download .tar.gz)

README.msrpcfuzz @masterraw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
How to fuzz msrpc by dave: 

First, find out what program you're fuzzing - generate a list of
programs with dcedump and then use ifids on that port to see what
interfaces are there. Then just blindly fuzz with msrpcfuzz, and see
what program is using CPU with the taskmanager. Then attach to that
service with Ollydbg, and ignore all the exceptions that get caused
(there are exceptions for all sorts of "can't demarshal" and "bad
packet" conditions in the MSRPC stack). None of those are
interesting. Only c0005 is usually interesting, but you might want to
breakpoint on createprocessa or createfilea if you feel like it.

Ok, on to finding a bug: 

You can blindly shove stuff at it until it generates a c0000005
(Access Violation) or you can go into it and break on each
ndrdemarshall routine and see if you are passing it properly (e.g. not
generating an exception and getting booted out) , and if you are not,
then figure out why.

How to figure out why:

ndrdemarshall routines take 2 pointers as arguments. the second
argument is a pointer to a set of 4 pointers. The second of THOSE
pointers is a pointer to the current place in your buffer they are
decoding. You can watch this advance through your buffer to see how
much of your buffer got eaten up by the decoding process. As you go
through, you can see if you start on the correct boundries, what's
getting parsed, what's NOT getting parsed, etc.

How to find a bug:

Pass it the correct structures, make sure any strings that you get
through are large enough to cause damage. That's it! Have fun! If you
find a set of bytes that fits through a particular demarshalling
routine, add that to the list in msrpcfuzz.c!