RPC Forge

RPC Forge is a local Python fuzzer of Windows RPC interfaces available over ALPC.

The fuzzer parses the interface definitions and automatically performs valid calls on the RPC methods.

This is more a PoC than a real fuzzer. Its aim was to be able to forge a valid serialized stream reaching the RPC methods' code without being rejected by the Windows RPC Runtime (because of bad argument types leading to the error RPC_X_BAD_STUB_DATA).

Thus, it doesn't contain any instrumentation on the server side to improve code coverage.

RPC Forge was part of our work on Windows RPC and was introduced at PacSec 2017: A view into ALPC-RPC.

Internal working

  1. Select one random interface
  2. Connect and bind to it through epmapper RPC service or fixed ALPC endpoint name (see Usage)
  3. Randomly choose one method
  4. Generate valid call arguments according to the method parameter types, based on the Sulley Generator
  5. Save the logs (call information) in a local file (depends on config.py)
  6. Perform the call with marshaled (NDR) generated arguments
  7. Extract any context_handle from the returned stream (to forge calls expecting a valid context_handle)
  8. Loop (Step 1 or Step 3)

PythonForWindows provides a Python implementation to play with ALPC and RPC.

Source: https://github.com/sogeti-esec-lab/RPCForge
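Steps 4, 6 and 7 of the loop above (argument generation, NDR marshaling, context-handle extraction), as an added Python example that is not RPC Forge's own code: it models a constructed subset of IDL parameter types (long, [in, string] wchar_t*, context handle) and assumes a method signature is given as a list of those type names.

```python
import random
import struct

# On the wire an NDR context handle is 20 bytes: 4-byte attributes + 16-byte UUID.
CTX_LEN = 20

def generate_args(param_types, rng=None, known_handles=()):
    """Step 4: one random value per IDL parameter type (constructed subset:
    long, wstring, ctx_handle). Reuse a captured handle when one is known."""
    rng = rng or random.Random()
    args = []
    for t in param_types:
        if t == "long":
            args.append(rng.choice([0, 1, -1, 0x7FFFFFFF, rng.getrandbits(31)]))
        elif t == "wstring":
            n = rng.choice([0, 1, 8, 256])
            args.append("".join(rng.choice("Aa\\:.") for _ in range(n)))
        elif t == "ctx_handle":
            args.append(rng.choice(known_handles) if known_handles else bytes(CTX_LEN))
        else:
            raise ValueError(f"unsupported IDL type: {t}")
    return args

def ndr_marshal(param_types, args):
    """Step 6: NDR-encode the arguments (little-endian, 4-byte aligned). A [string]
    wchar_t* is a conformant varying array: max count, offset, actual count, chars."""
    buf = bytearray()
    for t, v in zip(param_types, args):
        buf.extend(b"\0" * (-len(buf) % 4))  # NDR alignment padding
        if t == "long":
            buf += struct.pack("<i", v)
        elif t == "wstring":
            n = len(v) + 1  # character count includes the terminating NUL
            buf += struct.pack("<III", n, 0, n) + (v + "\0").encode("utf-16-le")
        elif t == "ctx_handle":
            buf += v
    return bytes(buf)

def extract_context_handles(reply, out_types):
    """Step 7: walk the [out] parameters of a reply stream and keep every
    non-NULL context handle so later calls can be forged against it."""
    handles, pos = [], 0
    for t in out_types:
        pos += -pos % 4
        if t == "ctx_handle":
            h = bytes(reply[pos:pos + CTX_LEN]); pos += CTX_LEN
            if any(h[4:]):  # a NULL handle has an all-zero UUID
                handles.append(h)
        elif t == "long":
            pos += 4
    return handles
```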
