This repository contains all the resources for the PhantomRPC research, an RPC vulnerability class in Windows system services that allows local privilege escalation.
More about the research can be found here:
https://securelist.com/phantomrpc-rpc-vulnerability/119428/
| Directory | Description |
|---|---|
| POCs | Research proof-of-concept code |
| toolset | Files used for collecting vulnerable processes |
The POCs directory contains a set of proof-of-concept programs written in C that mimic different RPC servers exposed by system services.
Each one implements a function for a specific interface of an RPC server and is bound to a specific endpoint.
Build a POC by compiling its interface definition with MIDL and then compiling the server together with the generated server stub:

```
midl ExampleInterface.idl /app_config
cl.exe server.c ExampleInterface_s.c
```

| POC | Description |
|---|---|
| TERM | Terminal Service RPC server |
| DHCP | DHCP Client Service RPC server |
| TIME | Windows Time Service RPC server |
Note:
These programs are simple POCs for research purposes only.
They will spawn `cmd.exe` with elevated privileges.
Use them for testing only. Do NOT use them in production environments.
I am not responsible for any illegal usage.
The toolset directory contains files that can be used to collect vulnerable processes on Windows systems, that is, processes that try to connect to non-existing RPC servers.
First, create and start an ETW trace for the Microsoft-Windows-RPC provider (GUID `{6ad52b32-d609-4be9-ae07-ce8dae937e39}`):

```
logman create trace "NameOfTheTrace" -p "{6ad52b32-d609-4be9-ae07-ce8dae937e39}" 0xFFFFFFFFFFFFFFFF 4 -o "YourOutputPath"
logman start "NameOfTheTrace"
```

Generate events as described in the whitepaper (link above), then stop the trace with `logman stop "NameOfTheTrace"` so that the .etl file is flushed to disk.
Convert the resulting .etl file to JSON with ETW2JSON (https://github.com/microsoft/ETW2JSON) and run the enricher on the result:

```
Etw2Json.exe "YourEtlFile" --output="YourJsonOutput"
python enricher.py "JsonInputFile"
```

| File | Description |
|---|---|
| enricher.py | Python tool for filtering and mapping ETW JSON files |
| interfaces.json | Windows interfaces database from https://github.com/cyberark/RPCMon/blob/main/DB/RPC_UUID_Map_Windows10_1909_18363.1977.rpcdb.json |
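The following is an added example of the filtering and mapping step that the toolset performs; it is not the repository's enricher.py. It keeps only client-side RPC calls that failed because no server was listening and maps the interface UUIDs to names with an RPCMon-style database. The event field names (Task, ProcessId, ImageName, InterfaceUuid, Endpoint, Status), the UUID-map layout and all sample data are constructed for the example and are not the real ETW2JSON or interfaces.json schema.

```python
"""Added example, not the repository's enricher.py: filter an ETW JSON dump for RPC
client calls that failed because no server was listening, and map the interface
UUIDs to names using an RPCMon-style UUID database.

Assumptions (not taken from the page): the event field names (Task, ProcessId,
ImageName, InterfaceUuid, Endpoint, Status) and the UUID-map layout are a
simplified, constructed schema; adapt them to the real ETW2JSON output and to
the layout of interfaces.json before using this on a real trace.
"""
import json
from collections import defaultdict

# RPC status codes from winerror.h that mean nobody was listening on the
# endpoint the client asked for: exactly the situation a PhantomRPC POC
# exploits by registering the missing server itself.
RPC_S_SERVER_UNAVAILABLE = 1722  # "The RPC server is unavailable."
EPT_S_NOT_REGISTERED = 1753      # "There are no more endpoints available from the endpoint mapper."
NOT_LISTENING = {RPC_S_SERVER_UNAVAILABLE, EPT_S_NOT_REGISTERED}

# Constructed UUID map (the real interfaces.json is larger and may use a
# different layout): interface UUID -> {"Name": ...}.
SAMPLE_UUID_MAP = json.dumps({
    "AAAAAAAA-0000-4000-8000-000000000001": {"Name": "ExampleIface1"},
    "AAAAAAAA-0000-4000-8000-000000000002": {"Name": "ExampleIface2"},
})

# Constructed events in JSON Lines form; the "Task" field distinguishes the
# client side of a call from the server side.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Task": "RpcClientCall", "ProcessId": 1234, "ImageName": "svchost.exe",
     "InterfaceUuid": "aaaaaaaa-0000-4000-8000-000000000001",
     "Endpoint": r"\pipe\example1", "Status": EPT_S_NOT_REGISTERED},
    {"Task": "RpcClientCall", "ProcessId": 1234, "ImageName": "svchost.exe",
     "InterfaceUuid": "aaaaaaaa-0000-4000-8000-000000000002",
     "Endpoint": r"\pipe\example2", "Status": 0},  # call succeeded: ignored
    {"Task": "RpcServerCall", "ProcessId": 900, "ImageName": "lsass.exe",
     "InterfaceUuid": "aaaaaaaa-0000-4000-8000-000000000001",
     "Endpoint": r"\pipe\example1", "Status": EPT_S_NOT_REGISTERED},  # server side: ignored
    {"Task": "RpcClientCall", "ProcessId": 4321, "ImageName": "spoolsv.exe",
     "InterfaceUuid": "bbbbbbbb-0000-4000-8000-000000000009",
     "Endpoint": r"\pipe\nosuch", "Status": RPC_S_SERVER_UNAVAILABLE},  # UUID not in the map
    {"Task": "RpcClientCall", "ProcessId": 1234, "ImageName": "svchost.exe",
     "InterfaceUuid": "aaaaaaaa-0000-4000-8000-000000000001",
     "Endpoint": r"\pipe\example1", "Status": EPT_S_NOT_REGISTERED},  # repeated attempt
])


def load_uuid_map(text):
    """Parse the UUID database; keys are normalised to lowercase for lookups."""
    return {uuid.lower(): entry for uuid, entry in json.loads(text).items()}


def parse_events(text):
    """Accept either a JSON array of events or newline-delimited JSON objects."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_phantom_clients(events, uuid_map, not_listening=NOT_LISTENING):
    """Group failed client binds by process.

    Returns {(pid, image): [{"uuid", "name", "endpoint", "status", "count"}, ...]}.
    A process appears only if at least one of its client calls failed with a
    status in `not_listening`; UUIDs missing from the map are named "unknown".
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("Task") != "RpcClientCall":
            continue  # only the calling side can be hijacked by a fake server
        if ev.get("Status") not in not_listening:
            continue  # a real server answered, or the call failed for another reason
        uuid = ev["InterfaceUuid"].lower()
        proc = (ev["ProcessId"], ev["ImageName"])
        counts[proc][(uuid, ev.get("Endpoint", ""), ev["Status"])] += 1

    report = {}
    for proc, calls in counts.items():
        report[proc] = [
            {"uuid": uuid,
             "name": uuid_map.get(uuid, {}).get("Name", "unknown"),
             "endpoint": endpoint, "status": status, "count": n}
            for (uuid, endpoint, status), n in sorted(calls.items())
        ]
    return report


def format_report(report):
    """Render the grouped result as one line per failed (process, interface) pair."""
    lines = []
    for (pid, image), calls in sorted(report.items()):
        for c in calls:
            lines.append(f"{image} (pid {pid}) -> {c['name']} {c['uuid']} "
                         f"endpoint={c['endpoint'] or '<none>'} status={c['status']} x{c['count']}")
    return lines


if __name__ == "__main__":
    result = find_phantom_clients(parse_events(SAMPLE_EVENTS), load_uuid_map(SAMPLE_UUID_MAP))
    print("\n".join(format_report(result)))
```

Processes that show up here are the candidates worth examining further: a privileged client that repeatedly binds to an interface and endpoint nobody registers is what a POC in the POCs directory stands in for. Check the account the client runs under and the authentication level of the binding before concluding that a hit is exploitable.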
Haidar Kabibo
Kaspersky Security Services
X (Twitter): https://x.com/haider_kabibo
This software is provided under the MIT Software License.