Added Relaying to RPC support #857
This PR implements the Relaying to RPC attack, which currently allows RCE in any MS Exchange via the Exchange Trusted Subsystem group (all Exchange systems have Administrator rights to each other via this or a similar group) and printerbug.py.
BloodHound queries to find vulnerable machines
The supported functions:
Also, I've tested relaying connections to the MMC20 object, but relaying to DCOM will give you only the relayed user's permissions; in my PoC it required 2 connections from the target, and there is no way to launch a DCOM object via only 445/tcp. So, the full PoC for DCOM has not been developed. Relaying to WMI is not possible as WMI requires signing.
As you already know, the Compass Security company has already published the description of this attack (https://twitter.com/compasssecurity/status/1260898906629529602), but as I know from MS, the patch is not fully developed yet. Maybe it is because of the IPC$ and MMC20 examples I sent via MSRC.
For @CompassSecurity, it will be interesting to see your RPC Server and ways to get an incoming RPC connection
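
A defender-side check for the relay pattern described in this PR, added here as an example that is not part of the pull request or of impacket: it flags NTLM network logons in which a machine account (such as an Exchange server's) arrives from an address that is not its own host. The host names, addresses, inventory mapping and event records are constructed; the field names follow Windows Security event 4624.

```python
# Added detection sketch: NTLM network logons by a machine account from a foreign address.
# Field names follow Windows Security event 4624; all values below are constructed.

# Constructed inventory: machine account -> addresses its own host uses.
INVENTORY = {"EXCH01$": {"10.0.0.11"}, "EXCH02$": {"10.0.0.12"}}

# Constructed 4624 records as they might be collected from the servers' Security logs.
EVENTS = [
    {"EventID": 4624, "Computer": "EXCH02", "TargetUserName": "EXCH01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "Computer": "EXCH02", "TargetUserName": "EXCH01$", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "Computer": "EXCH02", "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "Computer": "EXCH01", "TargetUserName": "EXCH02$", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.50"},
    {"EventID": 4624, "Computer": "EXCH01", "TargetUserName": "EXCH01$", "LogonType": 5,
     "AuthenticationPackageName": "Negotiate", "IpAddress": "-"},
]

LOOPBACK = {"", "-", "::1", "127.0.0.1"}


def suspicious_machine_logons(events, inventory):
    """Return (computer, account, source_ip, reason) for logons that look relayed."""
    findings = []
    for ev in events:
        # Only successful network logons (type 3) that used NTLM are of interest.
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        account = ev.get("TargetUserName", "").upper()
        src = ev.get("IpAddress", "-")
        if not account.endswith("$") or src in LOOPBACK:
            continue
        known = inventory.get(account)
        if known is None:
            reason = "machine account missing from inventory"
        elif src not in known:
            reason = "source address is not the account's own host"
        else:
            continue  # the host authenticated from its own address
        findings.append((ev.get("Computer"), account, src, reason))
    return findings


if __name__ == "__main__":
    for finding in suspicious_machine_logons(EVENTS, INVENTORY):
        print(finding)
```

Multi-homed hosts, NAT and load balancers produce the same mismatch, so the inventory has to list every address a server legitimately authenticates from.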