Bug fixes, +`dcom shellwindows` +`dcom shellbrowserwindow` (#17)HEAD main

* Negotiate (not force) highest SMB dialect * Fixed some issues with SMB client * `dcom`: new method: `shellwindows` * Update gitignore * TODO: new feature ideas, check ShellWindows * `dcom`: new method: `shellbrowserwindow` * update README.md with DCOM ShellWindows & ShellBrowserWindow modules. * Tweaks to shellbrowserwindow.go * Bumped adauth to v0.3.0 + other deps
author: Bryan McNulty <bryan@falconops.com> 2025-05-06 17:14:13 -0500
committer: GitHub <noreply@github.com> 2025-05-06 17:14:13 -0500
commit: 19af8d591a224cb104996a50935a8f4b1643a3a1 (patch)
tree: efadc3b5c58820e686b74f49dd01bd9993baf3af /pkg
parent: 10eee0ed28ecf5f22967a935e3596000e75cd63e (diff)
download: goexec-19af8d591a224cb104996a50935a8f4b1643a3a1.tar.gz
goexec-19af8d591a224cb104996a50935a8f4b1643a3a1.zip
6 files changed, 171 insertions, 45 deletions
diff --git a/pkg/goexec/dcom/dcom.go b/pkg/goexec/dcom/dcom.go
index a504e1a..362c3ba 100644
--- a/pkg/goexec/dcom/dcom.go
+++ b/pkg/goexec/dcom/dcom.go
@@ -12,8 +12,9 @@ const (
 )
 
 var (
-	//ShellWindowsUuid = uuid.MustParse("9BA05972-F6A8-11CF-A442-00A0C90A8F39")
-	//Mmc20Uuid        = uuid.MustParse("49B2791A-B1AE-4C90-9B8E-E860BA07F889")
+	ShellBrowserWindowUuid = uuid.MustParse("C08AFD90-F2A1-11D1-8455-00A0C91F3880")
+	ShellWindowsUuid       = uuid.MustParse("9BA05972-F6A8-11CF-A442-00A0C90A8F39")
+	Mmc20Uuid              = uuid.MustParse("49B2791A-B1AE-4C90-9B8E-E860BA07F889")
 
 	RandCid      = dcom.CID(*dtyp.GUIDFromUUID(uuid.MustParse(googleUUID.NewString())))
 	IDispatchIID = &dcom.IID{
diff --git a/pkg/goexec/dcom/mmc.go b/pkg/goexec/dcom/mmc.go
index 993d1bb..e06ce13 100644
--- a/pkg/goexec/dcom/mmc.go
+++ b/pkg/goexec/dcom/mmc.go
@@ -1,51 +1,52 @@
 package dcomexec
 
 import (
-  "context"
-  "fmt"
-  "github.com/FalconOpsLLC/goexec/pkg/goexec"
-  "github.com/rs/zerolog"
+	"context"
+	"fmt"
+	"github.com/FalconOpsLLC/goexec/pkg/goexec"
+	"github.com/rs/zerolog"
 )
 
 const (
-  MethodMmc = "MMC" // MMC20.Application::Document.ActiveView.ExecuteShellCommand
+	MethodMmc = "MMC" // MMC20.Application::Document.ActiveView.ExecuteShellCommand
 )
 
 type DcomMmc struct {
-  Dcom
+	Dcom
 
-  IO goexec.ExecutionIO
+	IO goexec.ExecutionIO
 
-  WorkingDirectory string
-  WindowState      string
+	WorkingDirectory string
+	WindowState      string
 }
 
 // Execute will perform command execution via the MMC20.Application DCOM object.
 func (m *DcomMmc) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
 
-  log := zerolog.Ctx(ctx).With().
-    Str("module", ModuleName).
-    Str("method", MethodMmc).
-    Logger()
-
-  method := "Document.ActiveView.ExecuteShellCommand"
-
-  cmdline := execIO.CommandLine()
-  proc := cmdline[0]
-  args := cmdline[1]
-
-  // Arguments must be passed in reverse order
-  if _, err := callComMethod(ctx,
-    m.dispatchClient,
-    method,
-    stringToVariant(m.WindowState),
-    stringToVariant(args),
-    stringToVariant(m.WorkingDirectory),
-    stringToVariant(proc)); err != nil {
-
-    log.Error().Err(err).Msg("Failed to call method")
-    return fmt.Errorf("call %q: %w", method, err)
-  }
-  log.Info().Msg("Method call successful")
-  return
+	log := zerolog.Ctx(ctx).With().
+		Str("module", ModuleName).
+		Str("method", MethodMmc).
+		Logger()
+
+	method := "Document.ActiveView.ExecuteShellCommand"
+
+	cmdline := execIO.CommandLine()
+	proc := cmdline[0]
+	args := cmdline[1]
+
+	// Arguments must be passed in reverse order
+	if _, err := callComMethod(ctx,
+		m.dispatchClient,
+		nil,
+		method,
+		stringToVariant(m.WindowState),
+		stringToVariant(args),
+		stringToVariant(m.WorkingDirectory),
+		stringToVariant(proc)); err != nil {
+
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call %q: %w", method, err)
+	}
+	log.Info().Msg("Method call successful")
+	return
 }
diff --git a/pkg/goexec/dcom/module.go b/pkg/goexec/dcom/module.go
index b6fc4d4..d26f3b8 100644
--- a/pkg/goexec/dcom/module.go
+++ b/pkg/goexec/dcom/module.go
@@ -27,7 +27,7 @@ type Dcom struct {
 	goexec.Executor
 
 	Client  *dce.Client
-	ClassID string
+	ClassID *uuid.UUID
 
 	dispatchClient idispatch.DispatchClient
 }
@@ -49,9 +49,11 @@ func (m *Dcom) Init(ctx context.Context) (err error) {
 		return errors.New("DCE connection not initialized")
 	}
 
-	m.ClassID = "49B2791A-B1AE-4C90-9B8E-E860BA07F889"
-	//m.ClassID = "9BA05972-F6A8-11CF-A442-00A0C90A8F39"
-	class := dcom.ClassID(*dtyp.GUIDFromUUID(uuid.MustParse(m.ClassID)))
+	if m.ClassID == nil {
+		return errors.New("CLSID not specified")
+	}
+
+	class := dcom.ClassID(*dtyp.GUIDFromUUID(m.ClassID))
 
 	if class.GUID() == nil {
 		return fmt.Errorf("invalid class ID: %s", m.ClassID)
diff --git a/pkg/goexec/dcom/shellbrowserwindow.go b/pkg/goexec/dcom/shellbrowserwindow.go
new file mode 100644
index 0000000..4d1bcf7
--- /dev/null
+++ b/pkg/goexec/dcom/shellbrowserwindow.go
@@ -0,0 +1,52 @@
+package dcomexec
+
+import (
+	"context"
+	"fmt"
+	"github.com/FalconOpsLLC/goexec/pkg/goexec"
+	"github.com/rs/zerolog"
+)
+
+const (
+	MethodShellBrowserWindow = "ShellBrowserWindow" // ShellBrowserWindow::Document.Application.ShellExecute
+)
+
+type DcomShellBrowserWindow struct {
+	Dcom
+
+	IO goexec.ExecutionIO
+
+	WorkingDirectory string
+	WindowState      string
+}
+
+// Execute will perform command execution via the ShellBrowserWindow object. See https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
+func (m *DcomShellBrowserWindow) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
+
+	log := zerolog.Ctx(ctx).With().
+		Str("module", ModuleName).
+		Str("method", MethodShellBrowserWindow).
+		Logger()
+
+	method := "Document.Application.ShellExecute"
+
+	cmdline := execIO.CommandLine()
+	proc := cmdline[0]
+	args := cmdline[1]
+
+	// Arguments must be passed in reverse order
+	if _, err := callComMethod(ctx, m.dispatchClient,
+		nil,
+		method,
+		stringToVariant(m.WindowState),
+		stringToVariant(""), // FUTURE?
+		stringToVariant(m.WorkingDirectory),
+		stringToVariant(args),
+		stringToVariant(proc)); err != nil {
+
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call %q: %w", method, err)
+	}
+	log.Info().Msg("Method call successful")
+	return
+}
diff --git a/pkg/goexec/dcom/shellwindows.go b/pkg/goexec/dcom/shellwindows.go
new file mode 100644
index 0000000..67537ec
--- /dev/null
+++ b/pkg/goexec/dcom/shellwindows.go
@@ -0,0 +1,73 @@
+package dcomexec
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"github.com/FalconOpsLLC/goexec/pkg/goexec"
+	"github.com/oiweiwei/go-msrpc/msrpc/dcom/oaut"
+	"github.com/rs/zerolog"
+)
+
+const (
+	MethodShellWindows = "ShellWindows" // ShellWindows::Item().Document.Application.ShellExecute
+)
+
+type DcomShellWindows struct {
+	Dcom
+
+	IO goexec.ExecutionIO
+
+	WorkingDirectory string
+	WindowState      string
+}
+
+// Execute will perform command execution via the ShellWindows object. See https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
+func (m *DcomShellWindows) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
+
+	log := zerolog.Ctx(ctx).With().
+		Str("module", ModuleName).
+		Str("method", MethodShellWindows).
+		Logger()
+
+	method := "Item"
+
+	cmdline := execIO.CommandLine()
+	proc := cmdline[0]
+	args := cmdline[1]
+
+	iv, err := callComMethod(ctx,
+		m.dispatchClient,
+		nil,
+		"Item")
+
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call method %q: %w", method, err)
+	}
+
+	item, ok := iv.VarResult.VarUnion.GetValue().(*oaut.Dispatch)
+	if !ok {
+		return errors.New("failed to get dispatch from ShellWindows::Item()")
+	}
+
+	method = "Document.Application.ShellExecute"
+
+	// Arguments must be passed in reverse order
+	if _, err := callComMethod(ctx, m.dispatchClient,
+		item.InterfacePointer().
+			GetStandardObjectReference().
+			Std.IPID,
+		method,
+		stringToVariant(m.WindowState),
+		stringToVariant(""), // FUTURE?
+		stringToVariant(m.WorkingDirectory),
+		stringToVariant(args),
+		stringToVariant(proc)); err != nil {
+
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call %q: %w", method, err)
+	}
+	log.Info().Msg("Method call successful")
+	return
+}
diff --git a/pkg/goexec/dcom/util.go b/pkg/goexec/dcom/util.go
index 9d7850d..8389a73 100644
--- a/pkg/goexec/dcom/util.go
+++ b/pkg/goexec/dcom/util.go
@@ -13,13 +13,10 @@ import (
 	_ "github.com/oiweiwei/go-msrpc/msrpc/erref/win32"
 )
 
-func callComMethod(ctx context.Context, dc idispatch.DispatchClient, method string, args ...*oaut.Variant) (ir *idispatch.InvokeResponse, err error) {
+func callComMethod(ctx context.Context, dc idispatch.DispatchClient, id *dcom.IPID, method string, args ...*oaut.Variant) (ir *idispatch.InvokeResponse, err error) {
 
 	parts := strings.Split(method, ".")
 
-	var id *dcom.IPID
-	var gr *idispatch.GetIDsOfNamesResponse
-
 	for i, obj := range parts {
 
 		var opts []dcerpc.CallOption
@@ -28,7 +25,7 @@ func callComMethod(ctx context.Context, dc idispatch.DispatchClient, method stri
 			opts = append(opts, dcom.WithIPID(id))
 		}
 
-		gr, err = dc.GetIDsOfNames(ctx, &idispatch.GetIDsOfNamesRequest{
+		gr, err := dc.GetIDsOfNames(ctx, &idispatch.GetIDsOfNamesRequest{
 			This:     ORPCThis,
 			IID:      &dcom.IID{},
 			LocaleID: LcEnglishUs,
author	Bryan McNulty <bryan@falconops.com>	2025-05-06 17:14:13 -0500
committer	GitHub <noreply@github.com>	2025-05-06 17:14:13 -0500
commit	19af8d591a224cb104996a50935a8f4b1643a3a1 (patch)
tree	efadc3b5c58820e686b74f49dd01bd9993baf3af /pkg
parent	10eee0ed28ecf5f22967a935e3596000e75cd63e (diff)
download	goexec-19af8d591a224cb104996a50935a8f4b1643a3a1.tar.gz goexec-19af8d591a224cb104996a50935a8f4b1643a3a1.zip