From 59512108fbc859a77b34063b8e2752ae046ef669 Mon Sep 17 00:00:00 2001
From: Bryan McNulty <bryanmcnulty@protonmail.com>
Date: Sat, 26 Apr 2025 16:18:38 -0500
Subject: WMI: use exclusively ncacn_ip_tcp endpoints from remote activation
 response

---
 pkg/goexec/wmi/module.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/goexec/wmi/module.go b/pkg/goexec/wmi/module.go
index 3ae98cc..b21c3e3 100644
--- a/pkg/goexec/wmi/module.go
+++ b/pkg/goexec/wmi/module.go
@@ -81,8 +81,11 @@ func (m *Wmi) Init(ctx context.Context) (err error) {
 			log.Debug().Err(err).Msg("Failed to parse string binding")
 			continue
 		}
-		stringBinding.NetworkAddress = m.Client.Target.AddressWithoutPort()
-		newOpts = append(newOpts, dcerpc.WithEndpoint(stringBinding.String()))
+		// Only consider ncacn_ip_tcp endpoints
+		if stringBinding.ProtocolSequence == dcerpc.ProtocolSequenceIPTCP {
+			stringBinding.NetworkAddress = m.Client.Target.AddressWithoutPort()
+			newOpts = append(newOpts, dcerpc.WithEndpoint(stringBinding.String()))
+		}
 	}
 
 	if err = m.Client.Reconnect(ctx, newOpts...); err != nil {
-- 
cgit v1.2.3