Locating Vulnerabilities in Microsoft RPC: An Offline and Runtime Reversing Approach
This course will be an insightful look at Immunity Inc.'s methodologies for finding local and remote bugs in Microsoft's Windows OS. The following is a brief listing of the topics we will cover during this 2-day course:
1- Microsoft RPC
   a. Locating the running interfaces
   b. Understanding Named Pipe permissions
   c. Null sessions (what is still possible with XP SP2)
   d. What process runs, what service?
   e. Tricks to evade RPC default named pipe permissions (Immunity's secret trick!)
   f. Old school MS RPC vs. DCOM
   g. Context handles

2- Reversing Microsoft RPC (IDA)
   a. Retrieving symbols for service executables and DLLs
   b. Reversing with IDA
   c. Locating the interfaces and the dispatch tables in the disassembly
   d. Looking at each procedure for potential vulnerabilities
   e. Extending code coverage (Immunity's secret trick!)
   f. Generating IDL files with muddle and fixing them to work!
   g. Core RPC client skeleton
   h. Sending requests to procedures

3- Runtime Reversing Microsoft RPC (Debugger)
   a. Attaching, breakpoints, watchpoints, etc.
   b. Sending RPC requests and runtime tracing
   c. Correlating runtime findings with the IDA session (structure decompilation, better coverage and understanding, etc.)
   d. Modifying RPC requests for profit

4- Binary Diffing
   a. Using Zynamics GmbH's excellent tool BinDiff to locate changes in binaries
   b. Case study: identifying the NetDDE RPC service fix

PREREQUISITES:
1- A laptop with a Windows OS of choice (XP or 2K).
2- Microsoft Visual Studio 6.0
3- WinDbg (Microsoft's Win32 debugger, free download from http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx ). Install this on all VMs.
4- IDA (Interactive Disassembler, available from http://www.datarescue.com ; IDA Pro Standard is 399.00$. This software is essential to class work.)
5- Sysinternals tools: Process Explorer, WinObj, DebugView, Regmon, Filemon, Tokenmon, TcpView (free downloads from http://www.sysinternals.com/ntw2k/utilities.shtml )
6- VMware (create 2 OS images: one Windows 2000 SP4 and one Windows XP; available from http://www.vmware.com . A free 30-day trial version is available.)
7- A download of Windows XP Service Pack 2