
Finding vulnerabilities in Windows with context-aware fuzzing of MS-RPC
Microsoft’s Remote Procedure Call (MS-RPC) protocol exposes a vast, often undocumented attack surface that’s ripe for exploration (and exploitation 😉). In this talk, we dive deep into automated, context-aware fuzzing of MS-RPC interfaces using the open-source MS-RPC-Fuzzer PowerShell module. Building on the foundation laid by NtObjectManager, this tool enables large-scale, coverage-guided fuzzing of Windows RPC endpoints without ever writing a line of IDL. We’ll walk through how to dynamically extract and inventory every MS-RPC interface from a target binary or the entire Windows system32 directory. Then we’ll show how the fuzzer generates client stubs, mutates inputs across a wide range of values, and automatically feeds context handles from one procedure to another, increasing the number of reachable code paths. We’ll also discuss real-world results, common failures, and how to avoid bringing down your own box during testing (hint: use snapshots). Whether you’re a vulnerability researcher, red teamer, or simply curious about under-the-hood Windows internals, this talk will equip you with practical tools and techniques to discover new bugs in Windows over RPC.
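The first step the abstract describes, inventorying every RPC interface exposed by the binaries in system32, can be done with the NtObjectManager cmdlets the fuzzer builds on. The snippet below is an added example, not code from the talk or from the MS-RPC-Fuzzer project; it assumes NtObjectManager is installed, that a `dbghelp.dll` from the Debugging Tools for Windows is available at the path given so procedure names resolve, and that the `NdrContextHandleTypeReference` type name used to count context-handle parameters matches the installed NtApiDotNet version.

```powershell
# Added example (not from the talk or the MS-RPC-Fuzzer project): build an
# attack-surface inventory of the MS-RPC interfaces exported by system32 DLLs.
# Assumes: Install-Module NtObjectManager has been run, and dbghelp.dll from the
# Debugging Tools for Windows exists at $dbgHelp (adjust for your install).
Import-Module NtObjectManager

$dbgHelp = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'

# Parse every DLL; binaries without RPC servers are skipped silently.
$servers = Get-ChildItem 'C:\Windows\System32\*.dll' |
    Get-RpcServer -DbgHelpPath $dbgHelp -ErrorAction SilentlyContinue

# One row per interface: owning binary, UUID/version, procedure count, and how
# many procedures take a context handle. Those are the calls a context-aware
# fuzzer can chain, feeding the handle returned by one procedure into the next.
# The type name below is assumed to match the installed NtApiDotNet build.
$inventory = foreach ($s in $servers) {
    $ctxProcs = @($s.Procedures | Where-Object {
        $_.Params | Where-Object {
            $_.Type -is [NtApiDotNet.Ndr.NdrContextHandleTypeReference]
        }
    })
    [pscustomobject]@{
        Binary           = Split-Path $s.FilePath -Leaf
        InterfaceId      = $s.InterfaceId
        Version          = $s.InterfaceVersion
        Procedures       = $s.Procedures.Count
        ContextHandleOps = $ctxProcs.Count
    }
}

# Largest interfaces first; persist the list so a later fuzzing run (ideally on a
# snapshotted VM, as the talk advises) can be scoped and reproduced from it.
$inventory | Sort-Object Procedures -Descending | Format-Table -AutoSize
$inventory | Export-Csv -NoTypeInformation -Path .\rpc-inventory.csv
```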