googleprojectzero / sandbox-attacksurface-analysis-tools

Set of tools to analyze Windows sandboxes for exposed attack surface.
Apache License 2.0

System.AccessViolationException using RpcEndpointMapper against Windows Server 2022 Host #55

Open jameswestgate opened 2 years ago

jameswestgate commented 2 years ago

Code to Reproduce:

```csharp
using System;
using NtApiDotNet.Win32;

// `computers` is not shown in the report; this hypothetical list uses the host named below.
var computers = new[] { "authlogics02.authlogics.com" };

foreach (var computer in computers)
{
    // Endpoint-mapper search binding for the TCP protocol sequence on this host.
    var potentialString = $"ncacn_ip_tcp:{computer}";
    var results = RpcEndpointMapper.QueryEndpoints(potentialString);

    foreach (var result in results)
    {
        if (result.ProtocolSequence == "ncacn_ip_tcp")
        {
            Console.WriteLine($"Got result: {result}");
        }
    }
}
```

Result:

Multiple results are returned, but it fails when P/Invoking RpcMgmtEpEltInqNext. authlogics02.authlogics.com is running Windows Server 2022; we don't see this behavior on other machines.

```
Got result: [50abc2a4-574d-40b3-9d66-ee4fd5fba076, 5.0] ncacn_ip_tcp:authlogics02.authlogics.com[58522]
Got result: [6bffd098-a112-3610-9833-46c3f874532d, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[58502]
Got result: [5b821720-f63b-11d0-aad2-00c04fc324db, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[58502]
Got result: [897e2e5f-93f3-4376-9c9c-fd2277495c27, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[58483]
Got result: [367abb81-9844-35f1-ad32-98f038001003, 2.0] ncacn_ip_tcp:authlogics02.authlogics.com[58464]
Got result: [12345678-1234-abcd-ef00-0123456789ab, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [ae33069b-a2a8-46ee-a235-ddfd339be281, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [4a452661-8290-4b36-8fbe-7f4093a94978, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [76f03f96-cdfd-44fc-a22c-64950a001209, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49676]
Got result: [29770a8f-829b-4158-90a2-78cd488501f7, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49671]
Got result: [86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49668]
Got result: [3a9ef155-691d-4449-8d05-09ad57031823, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49668]
Got result: [f6beaff7-1e19-4fbb-9f8f-b89e2018337c, 1.0] ncacn_ip_tcp:authlogics02.authlogics.com[49666]
```

```
Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
   at NtApiDotNet.Win32.Win32NativeMethods.RpcMgmtEpEltInqNext(SafeRpcInquiryHandle InquiryContext, RPC_IF_ID IfId, SafeRpcBindingHandle& Binding, UUID ObjectUuid, SafeRpcStringHandle& Annotation)
   at NtApiDotNet.Win32.RpcEndpointMapper.d__0.MoveNext() in D:\Github\sandbox-attacksurface-analysis-tools\NtApiDotNet\Win32\RpcEndpointMapper.cs:line 88
```
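A native AccessViolationException like the one above cannot be caught reliably from managed code, so when it fires inside a loop over many hosts it takes the whole sweep down with it. The following is an added example (not code from the project or from the reporter) that contains the failure instead: each host's query runs in a child copy of the same executable, the parent collects whatever endpoints the child printed before exiting, and a crash or hang on one host is recorded as a failed query for that host only. It assumes the program is built as a standalone .exe so that `Process.GetCurrentProcess().MainModule.FileName` can be re-launched, and `RpcEndpointMapper.QueryEndpoints` and `ProtocolSequence` are the same NtApiDotNet members used in the report; the `--query` flag, the `EndpointSweep` class and the `HOST_PLACEHOLDER` host name are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using NtApiDotNet.Win32;

// Added example, not project or reporter code: per-host process isolation
// so an uncatchable native crash on one host does not abort the whole sweep.
static class EndpointSweep
{
    public sealed class HostResult
    {
        public bool Completed;                            // child exited with code 0
        public List<string> Endpoints = new List<string>(); // lines printed before exit
    }

    // Child mode: query one host and print one endpoint per line.
    static int QueryOneHost(string computer)
    {
        foreach (var ep in RpcEndpointMapper.QueryEndpoints($"ncacn_ip_tcp:{computer}"))
        {
            if (ep.ProtocolSequence == "ncacn_ip_tcp")
                Console.WriteLine(ep);
        }
        return 0;
    }

    // Parent mode: re-launch this executable once per host with a timeout.
    // Assumption: the entry point is a standalone .exe (MainModule.FileName is this program).
    public static Dictionary<string, HostResult> Sweep(IEnumerable<string> computers, int timeoutMs = 30000)
    {
        var results = new Dictionary<string, HostResult>();
        var self = Process.GetCurrentProcess().MainModule.FileName;
        foreach (var computer in computers)
        {
            var r = new HostResult();
            var psi = new ProcessStartInfo(self, $"--query \"{computer}\"")
            {
                UseShellExecute = false,
                RedirectStandardOutput = true,
                RedirectStandardError = true,
            };
            using (var child = Process.Start(psi))
            {
                // Read both pipes asynchronously so a hung or chatty child cannot deadlock the parent.
                var stdout = child.StandardOutput.ReadToEndAsync();
                child.StandardError.ReadToEndAsync();

                bool finished = child.WaitForExit(timeoutMs);
                if (!finished)
                {
                    try { child.Kill(); } catch (InvalidOperationException) { /* already gone */ }
                    child.WaitForExit();
                }

                // Partial output survives a crash: the reporter's run printed 14 endpoints first.
                foreach (var line in stdout.Result.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries))
                    r.Endpoints.Add(line);
                r.Completed = finished && child.ExitCode == 0;
            }
            results[computer] = r;
        }
        return results;
    }

    static int Main(string[] args)
    {
        if (args.Length == 2 && args[0] == "--query")
            return QueryOneHost(args[1]);

        // Hosts come from the command line; HOST_PLACEHOLDER is only a stand-in.
        var computers = args.Length > 0 ? args : new[] { "HOST_PLACEHOLDER" };
        foreach (var kv in Sweep(computers))
        {
            var state = kv.Value.Completed ? "ok" : "FAILED (crash or timeout)";
            Console.WriteLine($"{kv.Key}: {kv.Value.Endpoints.Count} endpoints, query {state}");
            foreach (var ep in kv.Value.Endpoints)
                Console.WriteLine($"  {ep}");
        }
        return 0;
    }
}
```

This does not fix the underlying fault in the RpcMgmtEpEltInqNext call; it only keeps a crash on one Windows Server 2022 host from discarding the results already gathered from the others, and it makes the failing host visible in the summary so it can be investigated separately.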

leechristensen commented 2 years ago

I've had this happen sporadically as well (I have not been able to dive into the cause). In my experience, it's not limited to NtObjectManager either. Both Seatbelt's RPCMappedEndpoints and a trimmed-down C application I wrote to isolate/test the issue were failing.