Meeting: 2006.11.29 0x0003

Our fourth technical meeting was held Nov. 29th, 2006, at Spiderhouse Cafe. Spiderhouse Cafe is located at 2908 Fruth St., Austin, TX 78705.

Food and drinks were available for purchase from Spiderhouse Cafe.

Speaker Notes

Aaron Portnoy

I presented on two entirely different things: RPC enumeration and some unrelated 0day.

Firstly, some RPC tools that allow a researcher to quickly discover all RPC servers present on a system. The rpc_search.py script will perform the following:

1. Walk a given directory looking for EXEs and DLLs
2. Parse each file using pefile (http://dkbza.org/pefile.html)
3. Cycle through the import table looking for rpcrt4.dll
4. Search imported functions for RpcServer*
5. Run IDA Pro in batch mode for any files containing RpcServers, generating an IDB file, IDL file (using http://cgi.tenablesecurity.com/tenable/mida.php), and a PIDA file (using a modified pida_dump.py from PAIMEI)

The end goal for this tool is to be able to then parse the idl files to create Impacket scripts so that a researcher can "talk" to the discovered RPC endpoints. This tool is useful to blindly run on a newly installed product to enumerate possible RPC audit targets.
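Steps 1 through 4 of that procedure as an added Python example (this is not the rpc_search.py script from the talk, which was not posted). It assumes pefile is installed for the real loader; the walker and loader are injectable, and a constructed sample import table is included so the matching logic can be run without pefile or a product directory.

```python
import os

def rpc_server_imports(import_table):
    """Return RpcServer* symbols from (dll, [names]) pairs; DLL match is case-insensitive."""
    hits = []
    for dll, names in import_table:
        if dll.lower() == "rpcrt4.dll":
            hits.extend(n for n in names if n.lower().startswith("rpcserver"))
    return hits

def pe_import_table(path):
    """Load only the import directory of a PE with pefile (assumed installed)."""
    import pefile  # third-party: http://dkbza.org/pefile.html
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]])
    return [(e.dll.decode(errors="replace"),
             [i.name.decode(errors="replace") for i in e.imports if i.name])
            for e in getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])]

def scan_tree(root, loader=pe_import_table, walker=os.walk):
    """Yield (symbol, path) for every RpcServer* import below root.
    loader/walker are injectable; files that fail to parse are skipped.
    """
    for dirpath, _, files in walker(root):
        for name in sorted(files):
            if not name.lower().endswith((".exe", ".dll")):
                continue  # step 1: only EXEs and DLLs are candidates
            path = os.path.join(dirpath, name)
            try:
                table = loader(path)  # step 2: parse the PE
            except Exception:  # not a PE, truncated, or unreadable
                continue
            for sym in rpc_server_imports(table):  # steps 3 and 4
                yield sym, path

# Constructed sample tree: one RPC server, one client-only DLL, a corrupt EXE
# (absent from the table, so the loader raises) and a non-PE file.
SAMPLE_TABLES = {
    "IDriver.exe": [("KERNEL32.dll", ["CreateFileA"]),
                    ("RPCRT4.dll", ["RpcServerRegisterIf", "RpcServerListen",
                                    "RpcStringFreeA"])],
    "client.dll": [("rpcrt4.dll", ["RpcBindingFree", "RpcStringBindingComposeA"])],
}

def demo():
    """Scan the constructed sample and return the (symbol, path) hits."""
    files = ["IDriver.exe", "broken.exe", "client.dll", "readme.txt"]
    loader = lambda path: SAMPLE_TABLES[os.path.basename(path)]  # KeyError = corrupt
    return list(scan_tree("Driver/11", loader, lambda root: [(root, [], files)]))
```

Running `scan_tree` with the default loader against a real directory reproduces the `[+] RpcServer... in path` listing shown below; client-only RPC users such as the sample client.dll are deliberately not reported.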

Here's an example run:

aportnoy@aportnoy /cygdrive/c/code/pyrpc
$ python rpc_search.py "C:\Program Files\Common Files\InstallShield"
[*] Searching recursively for RPC servers in C:\Program Files\Common Files\InstallShield ...
[+] RpcServerRegisterIf in C:\Program Files\Common Files\InstallShield\Driver\10\Intel 32\IDriver.exe
[+] RpcServerUnregisterIf in C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver.exe
[+] RpcServerUseProtseqEpA in C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver.exe
[+] RpcServerRegisterIf in C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver.exe
[+] RpcServerListen in C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver.exe
[+] RpcServerUnregisterIf in C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver2.exe
[+] RpcServerUseProtseqEpA in C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver2.exe
[+] RpcServerRegisterIf in C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver2.exe
[+] RpcServerListen in C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver2.exe
[+] RpcServerRegisterIf in C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver.exe
[+] RpcServerUseProtseqEpA in C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver.exe
[+] RpcServerUnregisterIf in C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver.exe
[+] RpcServerListen in C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver.exe
[+] RpcServerRegisterIf in C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver2.exe
[+] RpcServerUseProtseqEpA in C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver2.exe
[+] RpcServerUnregisterIf in C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver2.exe
[+] RpcServerListen in C:\Program Files\Common Files\InstallShield\Driver\9\Intel 32\IDriver2.exe
[*] Found a total of 16 RPC server functions in 54 files.
---
[*] Attempting to generate PIDA files ...
[+] Processing C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriver.exe ...

At this point idaw.exe is run in batch mode, generating all the needed files. (Screenshots not posted, because it's a pain to capture 'em that quickly.)

And now (2 minutes later) you can see that all the files have been generated:

aportnoy@aportnoy /cygdrive/c/code/pyrpc
$ ls -l IDBdb/ IDLdb/ PIDAdb/

IDBdb/:
total 32608
-rwx------+ 1 aportnoy aportnoy 8429724 Nov 30 11:57 IDriver.exe-1164909361.idb
-rwx------+ 1 aportnoy aportnoy 8265884 Nov 30 12:00 IDriver.exe-1164909577.idb
-rwx------+ 1 aportnoy aportnoy 8405148 Nov 30 11:59 IDriver2.exe-1164909480.idb
-rwx------+ 1 aportnoy aportnoy 8274076 Nov 30 12:02 IDriver2.exe-1164909658.idb

IDLdb/:
total 16
-rwx------+ 1 aportnoy aportnoy 760 Nov 30 11:57 IDriver.exe-1164909361.idl
-rwx------+ 1 aportnoy aportnoy 760 Nov 30 12:00 IDriver.exe-1164909577.idl
-rwx------+ 1 aportnoy aportnoy 760 Nov 30 11:59 IDriver2.exe-1164909480.idl
-rwx------+ 1 aportnoy aportnoy 760 Nov 30 12:02 IDriver2.exe-1164909658.idl

PIDAdb/:
total 20984
-rwx------+ 1 aportnoy aportnoy 5431387 Nov 30 11:57 IDriver.exe-1164909456.pida
-rwx------+ 1 aportnoy aportnoy 5306675 Nov 30 12:00 IDriver.exe-1164909610.pida
-rwx------+ 1 aportnoy aportnoy 5431386 Nov 30 11:59 IDriver2.exe-1164909554.pida
-rwx------+ 1 aportnoy aportnoy 5306578 Nov 30 12:02 IDriver2.exe-1164909688.pida

aportnoy@aportnoy /cygdrive/c/code/pyrpc
$ cat IDLdb/IDriver2.exe-1164909480.idl
/*
 * IDL code generated by mIDA v1.0.7
 * Copyright (C) 2006, Tenable Network Security
 * http://cgi.tenablesecurity.com/tenable/mida.php
 *
 *
 * Decompilation information:
 * RPC stub type: inline
 */

[
 uuid(bdbca496-038e-11d5-ab96-00b0d02332eb),
 version(1.0)
]

interface mIDA_interface
{

/* opcode: 0x00, address: 0x00459CBD */

long   sub_459CBD (
 [in] handle_t  arg_1,
 [in][string] char * arg_2
);

/* opcode: 0x01, address: 0x00459E23 */

long   sub_459E23 (
 [in][string] char * arg_1,
 [out] long * arg_2,
 [out][string] char ** arg_3,
 [out][string] char ** arg_4,
 [out][string] char ** arg_5,
 [out][string] char ** arg_6
);

unknown sub_45A0CB (
);

}

aportnoy@aportnoy /cygdrive/c/code/pyrpc
$

OK, the second thing I presented on wasn't really a presentation. Just dropped a few 0day. One remote root heap overflow in some popular server software and a DoS on another Symantec server product. For AHA eyes only.

H D Moore

I presented on the 802.11 exploit modules recently added to the Metasploit Framework.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.