{"id":30761593,"url":"https://github.com/warpnet/ms-rpc-fuzzer","last_synced_at":"2025-09-04T14:14:27.047Z","repository":{"id":312694346,"uuid":"996319376","full_name":"warpnet/MS-RPC-Fuzzer","owner":"warpnet","description":"Gain insights into MS-RPC implementations that may be vulnerable using an automated approach and make it easy to visualize the data. By following this approach, a security researcher will hopefully identify interesting RPC services in such a time that would take a manual approach significantly more.","archived":false,"fork":false,"pushed_at":"2025-09-01T11:02:37.000Z","size":2506,"stargazers_count":288,"open_issues_count":0,"forks_count":35,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-09-01T13:24:20.743Z","etag":null,"topics":["exploit","internals","research","rpc","security","vulnerability","windows"],"latest_commit_sha":null,"homepage":"https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/warpnet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-04T19:23:36.000Z","updated_at":"2025-09-01T13:00:46.000Z","dependencies_parsed_at":"2025-09-01T13:24:27.208Z","dependency_job_id":"96deb2f1-a29b-4c82-8d96-f65d3220d957","html_url":"https://github.com/warpnet/MS-RPC-Fuzzer","commit_stats":null,"previous_names":["warpnet/ms-rpc-fuzzer"],"tags_count":1,"template":false,"template_full_name":null,"purl
":"pkg:github/warpnet/MS-RPC-Fuzzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warpnet%2FMS-RPC-Fuzzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warpnet%2FMS-RPC-Fuzzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warpnet%2FMS-RPC-Fuzzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warpnet%2FMS-RPC-Fuzzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/warpnet","download_url":"https://codeload.github.com/warpnet/MS-RPC-Fuzzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/warpnet%2FMS-RPC-Fuzzer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273619763,"owners_count":25138249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-04T02:00:08.968Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","internals","research","rpc","security","vulnerability","windows"],"created_at":"2025-09-04T14:14:25.706Z","updated_at":"2025-09-04T14:14:27.032Z","avatar_url":"https://github.com/warpnet.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# MS-RPC Fuzzer\n\nIn the past few years, several high and critical severity vulnerabilities have been discovered in MS-RPC (Microsoft 
Remote Procedure Call). One of RPC's functions is to let clients call functions on remote hosts. This opens the door to potential vulnerabilities that could be exploited remotely. For these reasons, RPC is an interesting area of research.\n\nIt can be very time-consuming to manually research a specific RPC interface, let alone hundreds. Besides that, it was found that visualization for researching MS-RPC can get messy, which may result in missing potential security issues.\n\nThere are already some great tools out there that focus on MS-RPC vulnerability research. Some examples are [RpcView](https://github.com/silverf0x/RpcView), [RpcMon](https://github.com/cyberark/RPCMon) and [Rpcinvestigator](https://github.com/trailofbits/RpcInvestigator). These tools provide some insights into running RPC services in real time. However, none of these tools allow further research such as connecting to an endpoint and invoking RPC calls. This is where the PowerShell module [NtObjectManager](https://www.powershellgallery.com/packages/NtObjectManager) stands out. NtObjectManager allows dynamically building an RPC client from the parsed `NtApiDotNet.Win32.RpcServer`. This led to the idea of creating a fuzzer that can use these clients to fuzz the methods of the RPC procedures using random inputs. This fuzzer is heavily based on the NtObjectManager module.\n\nThe whole idea is to gain insights into MS-RPC implementations *that may be vulnerable* using an automated approach and make it easy to visualize the data. 
By following this approach, a security researcher will hopefully identify interesting RPC services in a fraction of the time a manual approach would take.\n\n\u003e [!CAUTION]  \n\u003e This fuzzer will almost certainly break things in your OS (even when run as a low-privileged user), so please run it in an isolated and controlled environment and with permission!\n\n\u003e [!NOTE]\n\u003e The owner of this repository is not responsible for any damage resulting from the use of these tools. These are for legal purposes only. Use at your own risk.\n\n## Table of Contents\n- [Requirements](#requirements)\n- [Usage](#usage)\n- [Results](#results-so-far)\n- [Roadmap](#to-do-roadmap)\n- [Known bugs](#known-bugs)\n\n## Requirements\n- [PowerShell 7](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows)\n\n## Usage\nFirst, import the MS-RPC-Fuzzer module. This loads all cmdlets for both this fuzzer and NtObjectManager.\n```powershell\nImport-Module .\\MS-RPC-Fuzzer.psm1\n```\n\nThe tool consists of three main phases. In the first phase, the RPC interfaces, endpoints and procedures are inventoried for the specified target and exported to a JSON file. In the second phase, the exported JSON file from the previous phase is used as input for fuzzing. The third and last phase is analysis. Phase two, fuzzing, exports JSON files containing the fuzzing results. A user can use these JSON files as they like. 
However, a custom wrapper can be used to import the JSON files into a Neo4j database.\n\n```mermaid\ngraph TD\n    User([User])\n\n    %% Input and output styling\n    classDef input fill:#d4fcd4,stroke:#2b8a3e,stroke-width:2px,color:#000;\n    classDef output fill:#fff3cd,stroke:#ffbf00,stroke-width:2px,color:#000;\n\n    %% Phase 1: Gather RPC Interfaces\n    User --\u003e A1[Get-RpcServerData]\n    A1 --\u003e A2[Target Specified or Default]\n    A2 --\u003e A3[rpcServerData.json]\n    A3 --\u003e B1[Invoke-RpcFuzzer]\n\n    %% Phase 2: Fuzzing\n    B1 --\u003e B2[log.txt Call History]\n    B1 --\u003e B3[allowed.json]\n    B1 --\u003e B4[denied.json]\n    B1 --\u003e B5[error.json]\n\n    %% All fuzzer outputs used in Phase 3\n    B3 --\u003e C1[Import-DataToNeo4j]\n    B4 --\u003e C1\n    B5 --\u003e C1\n\n    %% Phase 3: Analysis\n    C1 --\u003e C2[Neo4j Database]\n    C2 --\u003e C3[Graph Visualization \u0026 Querying]\n\n    %% Apply styling\n    class A3 input;\n    class B3,B4,B5,B2 output;\n\n    %% Labels for clarity\n    subgraph Phase1 [Phase 1: Gather RPC Interfaces]\n        A1\n        A2\n        A3\n    end\n\n    subgraph Phase2 [Phase 2: Fuzzing]\n        B1\n        B2\n        B3\n        B4\n        B5\n    end\n\n    subgraph Phase3 [Phase 3: Analysis]\n        C1\n        C2\n        C3\n    end\n```\n\n### Phase 1: Gather RPC interfaces and Endpoints\nFirst, specify a target and get the RPC interfaces and RPC endpoints for it. You can specify a file path or a `NtCoreLib.Win32.Rpc.Server.RpcServer` object (which NtObjectManager gives you with `Get-RpcServer`). This will output a .json file \"rpcServerData.json\", which you can pass to the fuzzer. 
If no target is specified, it defaults to all .exe and .dll files in `%systemdrive%\\Windows\\System32\\`.\n\n```powershell\n# Example\nGet-RpcServerData -target \"C:\\Windows\\System32\\efssvc.dll\" -OutPath .\\output\n```\n\nFor more information on this phase, check [Get-RpcServerData](/docs/1%20Inventarize%20-%20Get-RpcServerData.md)\n\n### Phase 2: Fuzzing\n\nThe fuzzer takes the JSON file exported by [Get-RpcServerData](/docs/1%20Inventarize%20-%20Get-RpcServerData.md) as required input.\n\nThere are currently two types of fuzzers.\n\n* **Default fuzzer**: Statically creates parameter values and creates a default instance for complex parameter types.\n* **Sorted fuzzer**: Dynamically sorts the procedures of the interface based on their input and output parameters. For more information, see [the design](./docs/Procedure%20dependency%20design.md).\n\nThe fuzzer outputs at most 3 JSON files and one log file. It writes each RPC call to log.txt before invoking it; this way, if there is a crash (BSOD), you will know which call was responsible (the last line).\n\nIt separates the fuzz results into 3 JSON files:\n- Allowed fuzzed inputs\n- Fuzzed inputs that lead to an Access Denied\n- Fuzzed inputs that lead to an Error\n\n```powershell\n# Example (all procedures)\n'.\\output\\rpcServerData.json' | Invoke-RpcFuzzer -outpath .\\output\\ -minStrLen 100 -maxStrLen 1000 -minIntSize 9999 -maxIntSize 99999\n```\n\nFor more information on this phase, check [Invoke-RpcFuzzer](/docs/2%20Fuzzing%20-%20Invoke-RpcFuzzer.md)\n\n### Phase 3: Analysis\nYou can use these JSON files for analysis as you like. However, the fuzzer has an option to import them into your Neo4j instance. 
The fuzzer has a data mapper that creates relationships between the data.\n\n```powershell\n# Example (Import data)\n'.\\output\\Allowed.json' | Import-DatatoNeo4j -Neo4jHost 192.168.178.89:7474 -Neo4jUsername neo4j\n```\n\nFor more information on this phase, check [Import-DataToNeo4j](/docs/3%20Analysis%20-%20Import-DataToNeo4j.md), [Neo4j](/docs/3.1%20Analysis%20-%20Neo4j.md) and [Process Monitor](/docs/3.2%20Analysis%20-%20Process%20Monitor.md)\n\n## Results (so far)\n\u003e [!NOTE]\n\u003e Not all vulnerabilities were publicly disclosed, so some lack details.\n\n| Number | Vulnerability type | Severity (by Microsoft) |                                                                Reference (if disclosed) |\n| :----- | :----------------- | ----------------------: | --------------------------------------------------------------------------------------: |\n| 1      | Coerce             |                Moderate |                                                          BSides Groningen, May 2nd 2025 |\n| 2      | Coerce             |                Moderate |                                                                                    N.A. |\n| 3      | Coerce             |                Moderate |                                                                                    N.A. |\n| 4      | Coerce             |                Moderate |                                                                                    N.A. 
|\n| 5      | Service crash      |               Important | [CVE-2025-26651](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-26651) |\n| 6      | System crash       |                Moderate |                     [Blog](https://www.incendium.rocks/posts/Unplugging-Power-Service/) |\n| 7      | System crash       |                Moderate |                     [Blog](https://www.incendium.rocks/posts/Unplugging-Power-Service/) |\n| 8      | System crash       |                Moderate |                                                                                    N.A. |\n| 9      | Other DoS          |                Moderate |                                                                                    N.A. |\n| 10     | Other DoS          |                Moderate |                                                                                    N.A. |\n\n\u003e [!TIP]\n\u003e Found a possible new vulnerability? Congrats! Report it to Microsoft (MSRC): https://msrc.microsoft.com/report/vulnerability\n\n## To do (roadmap)\n- For each endpoint, map the ACL\n- Sometimes an RPC call takes very long or hangs; a timeout should be implemented for this.\n- Comparison features between data\n- Fully implement ETW diagnostics to log system calls (instead of using Process Monitor)\n\n## Known bugs\n- None at the moment\n\n## Acknowledgement\nThis tool is heavily built upon [NtObjectManager](https://www.powershellgallery.com/packages/NtObjectManager) by [James Forshaw](https://x.com/tiraniddo) with [Google Project Zero](https://googleprojectzero.blogspot.com/). This tool uses the NtObjectManager module to do most tasks.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwarpnet%2Fms-rpc-fuzzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwarpnet%2Fms-rpc-fuzzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwarpnet%2Fms-rpc-fuzzer/lists"}