aboutsummaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
Diffstat (limited to 'pkg')
-rw-r--r--pkg/goexec/dcom/dcom.go5
-rw-r--r--pkg/goexec/dcom/mmc.go69
-rw-r--r--pkg/goexec/dcom/module.go10
-rw-r--r--pkg/goexec/dcom/shellbrowserwindow.go52
-rw-r--r--pkg/goexec/dcom/shellwindows.go73
-rw-r--r--pkg/goexec/dcom/util.go7
6 files changed, 171 insertions, 45 deletions
diff --git a/pkg/goexec/dcom/dcom.go b/pkg/goexec/dcom/dcom.go
index a504e1a..362c3ba 100644
--- a/pkg/goexec/dcom/dcom.go
+++ b/pkg/goexec/dcom/dcom.go
@@ -12,8 +12,9 @@ const (
)
var (
- //ShellWindowsUuid = uuid.MustParse("9BA05972-F6A8-11CF-A442-00A0C90A8F39")
- //Mmc20Uuid = uuid.MustParse("49B2791A-B1AE-4C90-9B8E-E860BA07F889")
+ ShellBrowserWindowUuid = uuid.MustParse("C08AFD90-F2A1-11D1-8455-00A0C91F3880")
+ ShellWindowsUuid = uuid.MustParse("9BA05972-F6A8-11CF-A442-00A0C90A8F39")
+ Mmc20Uuid = uuid.MustParse("49B2791A-B1AE-4C90-9B8E-E860BA07F889")
RandCid = dcom.CID(*dtyp.GUIDFromUUID(uuid.MustParse(googleUUID.NewString())))
IDispatchIID = &dcom.IID{
diff --git a/pkg/goexec/dcom/mmc.go b/pkg/goexec/dcom/mmc.go
index 993d1bb..e06ce13 100644
--- a/pkg/goexec/dcom/mmc.go
+++ b/pkg/goexec/dcom/mmc.go
@@ -1,51 +1,52 @@
package dcomexec
import (
- "context"
- "fmt"
- "github.com/FalconOpsLLC/goexec/pkg/goexec"
- "github.com/rs/zerolog"
+ "context"
+ "fmt"
+ "github.com/FalconOpsLLC/goexec/pkg/goexec"
+ "github.com/rs/zerolog"
)
const (
- MethodMmc = "MMC" // MMC20.Application::Document.ActiveView.ExecuteShellCommand
+ MethodMmc = "MMC" // MMC20.Application::Document.ActiveView.ExecuteShellCommand
)
type DcomMmc struct {
- Dcom
+ Dcom
- IO goexec.ExecutionIO
+ IO goexec.ExecutionIO
- WorkingDirectory string
- WindowState string
+ WorkingDirectory string
+ WindowState string
}
// Execute will perform command execution via the MMC20.Application DCOM object.
func (m *DcomMmc) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
- log := zerolog.Ctx(ctx).With().
- Str("module", ModuleName).
- Str("method", MethodMmc).
- Logger()
-
- method := "Document.ActiveView.ExecuteShellCommand"
-
- cmdline := execIO.CommandLine()
- proc := cmdline[0]
- args := cmdline[1]
-
- // Arguments must be passed in reverse order
- if _, err := callComMethod(ctx,
- m.dispatchClient,
- method,
- stringToVariant(m.WindowState),
- stringToVariant(args),
- stringToVariant(m.WorkingDirectory),
- stringToVariant(proc)); err != nil {
-
- log.Error().Err(err).Msg("Failed to call method")
- return fmt.Errorf("call %q: %w", method, err)
- }
- log.Info().Msg("Method call successful")
- return
+ log := zerolog.Ctx(ctx).With().
+ Str("module", ModuleName).
+ Str("method", MethodMmc).
+ Logger()
+
+ method := "Document.ActiveView.ExecuteShellCommand"
+
+ cmdline := execIO.CommandLine()
+ proc := cmdline[0]
+ args := cmdline[1]
+
+ // Arguments must be passed in reverse order
+ if _, err := callComMethod(ctx,
+ m.dispatchClient,
+ nil,
+ method,
+ stringToVariant(m.WindowState),
+ stringToVariant(args),
+ stringToVariant(m.WorkingDirectory),
+ stringToVariant(proc)); err != nil {
+
+ log.Error().Err(err).Msg("Failed to call method")
+ return fmt.Errorf("call %q: %w", method, err)
+ }
+ log.Info().Msg("Method call successful")
+ return
}
diff --git a/pkg/goexec/dcom/module.go b/pkg/goexec/dcom/module.go
index b6fc4d4..d26f3b8 100644
--- a/pkg/goexec/dcom/module.go
+++ b/pkg/goexec/dcom/module.go
@@ -27,7 +27,7 @@ type Dcom struct {
goexec.Executor
Client *dce.Client
- ClassID string
+ ClassID *uuid.UUID
dispatchClient idispatch.DispatchClient
}
@@ -49,9 +49,11 @@ func (m *Dcom) Init(ctx context.Context) (err error) {
return errors.New("DCE connection not initialized")
}
- m.ClassID = "49B2791A-B1AE-4C90-9B8E-E860BA07F889"
- //m.ClassID = "9BA05972-F6A8-11CF-A442-00A0C90A8F39"
- class := dcom.ClassID(*dtyp.GUIDFromUUID(uuid.MustParse(m.ClassID)))
+ if m.ClassID == nil {
+ return errors.New("CLSID not specified")
+ }
+
+ class := dcom.ClassID(*dtyp.GUIDFromUUID(m.ClassID))
if class.GUID() == nil {
return fmt.Errorf("invalid class ID: %s", m.ClassID)
diff --git a/pkg/goexec/dcom/shellbrowserwindow.go b/pkg/goexec/dcom/shellbrowserwindow.go
new file mode 100644
index 0000000..4d1bcf7
--- /dev/null
+++ b/pkg/goexec/dcom/shellbrowserwindow.go
@@ -0,0 +1,52 @@
+package dcomexec
+
+import (
+ "context"
+ "fmt"
+ "github.com/FalconOpsLLC/goexec/pkg/goexec"
+ "github.com/rs/zerolog"
+)
+
+const (
+ MethodShellBrowserWindow = "ShellBrowserWindow" // ShellBrowserWindow::Document.Application.ShellExecute
+)
+
+type DcomShellBrowserWindow struct {
+ Dcom
+
+ IO goexec.ExecutionIO
+
+ WorkingDirectory string
+ WindowState string
+}
+
+// Execute will perform command execution via the ShellBrowserWindow object. See https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
+func (m *DcomShellBrowserWindow) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
+
+ log := zerolog.Ctx(ctx).With().
+ Str("module", ModuleName).
+ Str("method", MethodShellBrowserWindow).
+ Logger()
+
+ method := "Document.Application.ShellExecute"
+
+ cmdline := execIO.CommandLine()
+ proc := cmdline[0]
+ args := cmdline[1]
+
+ // Arguments must be passed in reverse order
+ if _, err := callComMethod(ctx, m.dispatchClient,
+ nil,
+ method,
+ stringToVariant(m.WindowState),
+ stringToVariant(""), // FUTURE?
+ stringToVariant(m.WorkingDirectory),
+ stringToVariant(args),
+ stringToVariant(proc)); err != nil {
+
+ log.Error().Err(err).Msg("Failed to call method")
+ return fmt.Errorf("call %q: %w", method, err)
+ }
+ log.Info().Msg("Method call successful")
+ return
+}
diff --git a/pkg/goexec/dcom/shellwindows.go b/pkg/goexec/dcom/shellwindows.go
new file mode 100644
index 0000000..67537ec
--- /dev/null
+++ b/pkg/goexec/dcom/shellwindows.go
@@ -0,0 +1,73 @@
+package dcomexec
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "github.com/FalconOpsLLC/goexec/pkg/goexec"
+ "github.com/oiweiwei/go-msrpc/msrpc/dcom/oaut"
+ "github.com/rs/zerolog"
+)
+
+const (
+ MethodShellWindows = "ShellWindows" // ShellWindows::Item().Document.Application.ShellExecute
+)
+
+type DcomShellWindows struct {
+ Dcom
+
+ IO goexec.ExecutionIO
+
+ WorkingDirectory string
+ WindowState string
+}
+
+// Execute will perform command execution via the ShellWindows object. See https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
+func (m *DcomShellWindows) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
+
+ log := zerolog.Ctx(ctx).With().
+ Str("module", ModuleName).
+ Str("method", MethodShellWindows).
+ Logger()
+
+ method := "Item"
+
+ cmdline := execIO.CommandLine()
+ proc := cmdline[0]
+ args := cmdline[1]
+
+ iv, err := callComMethod(ctx,
+ m.dispatchClient,
+ nil,
+ "Item")
+
+ if err != nil {
+ log.Error().Err(err).Msg("Failed to call method")
+ return fmt.Errorf("call method %q: %w", method, err)
+ }
+
+ item, ok := iv.VarResult.VarUnion.GetValue().(*oaut.Dispatch)
+ if !ok {
+ return errors.New("failed to get dispatch from ShellWindows::Item()")
+ }
+
+ method = "Document.Application.ShellExecute"
+
+ // Arguments must be passed in reverse order
+ if _, err := callComMethod(ctx, m.dispatchClient,
+ item.InterfacePointer().
+ GetStandardObjectReference().
+ Std.IPID,
+ method,
+ stringToVariant(m.WindowState),
+ stringToVariant(""), // FUTURE?
+ stringToVariant(m.WorkingDirectory),
+ stringToVariant(args),
+ stringToVariant(proc)); err != nil {
+
+ log.Error().Err(err).Msg("Failed to call method")
+ return fmt.Errorf("call %q: %w", method, err)
+ }
+ log.Info().Msg("Method call successful")
+ return
+}
diff --git a/pkg/goexec/dcom/util.go b/pkg/goexec/dcom/util.go
index 9d7850d..8389a73 100644
--- a/pkg/goexec/dcom/util.go
+++ b/pkg/goexec/dcom/util.go
@@ -13,13 +13,10 @@ import (
_ "github.com/oiweiwei/go-msrpc/msrpc/erref/win32"
)
-func callComMethod(ctx context.Context, dc idispatch.DispatchClient, method string, args ...*oaut.Variant) (ir *idispatch.InvokeResponse, err error) {
+func callComMethod(ctx context.Context, dc idispatch.DispatchClient, id *dcom.IPID, method string, args ...*oaut.Variant) (ir *idispatch.InvokeResponse, err error) {
parts := strings.Split(method, ".")
- var id *dcom.IPID
- var gr *idispatch.GetIDsOfNamesResponse
-
for i, obj := range parts {
var opts []dcerpc.CallOption
@@ -28,7 +25,7 @@ func callComMethod(ctx context.Context, dc idispatch.DispatchClient, method stri
opts = append(opts, dcom.WithIPID(id))
}
- gr, err = dc.GetIDsOfNames(ctx, &idispatch.GetIDsOfNamesRequest{
+ gr, err := dc.GetIDsOfNames(ctx, &idispatch.GetIDsOfNamesRequest{
This: ORPCThis,
IID: &dcom.IID{},
LocaleID: LcEnglishUs,
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 21:25:10 +0000