From 19af8d591a224cb104996a50935a8f4b1643a3a1 Mon Sep 17 00:00:00 2001 From: Bryan McNulty Date: Tue, 6 May 2025 17:14:13 -0500 Subject: Bug fixes, +`dcom shellwindows` +`dcom shellbrowserwindow` (#17) * Negotiate (not force) highest SMB dialect * Fixed some issues with SMB client * `dcom`: new method: `shellwindows` * Update gitignore * TODO: new feature ideas, check ShellWindows * `dcom`: new method: `shellbrowserwindow` * update README.md with DCOM ShellWindows & ShellBrowserWindow modules. * Tweaks to shellbrowserwindow.go * Bumped adauth to v0.3.0 + other deps --- cmd/args.go | 190 +++++++++++++++++++++++++++------------------------ cmd/dcom.go | 222 ++++++++++++++++++++++++++++++++++++++++++++---------------- 2 files changed, 266 insertions(+), 146 deletions(-) (limited to 'cmd') diff --git a/cmd/args.go b/cmd/args.go index 40b9701..f33cc5b 100644 --- a/cmd/args.go +++ b/cmd/args.go @@ -1,32 +1,33 @@ package cmd import ( - "context" - "errors" - "fmt" - "github.com/spf13/cobra" - "github.com/spf13/pflag" - "os" + "context" + "encoding/json" + "errors" + "fmt" + "github.com/spf13/cobra" + "github.com/spf13/pflag" + "os" ) func registerLoggingFlags(fs *pflag.FlagSet) { - fs.SortFlags = false - fs.BoolVarP(&logDebug, "debug", "D", false, "Enable debug logging") - fs.StringVarP(&logOutput, "log-file", "O", "", "Write JSON logging output to `file`") - fs.BoolVarP(&logJson, "json", "j", false, "Write logging output in JSON lines") - fs.BoolVarP(&logQuiet, "quiet", "q", false, "Disable info logging") + fs.SortFlags = false + fs.BoolVarP(&logDebug, "debug", "D", false, "Enable debug logging") + fs.StringVarP(&logOutput, "log-file", "O", "", "Write JSON logging output to `file`") + fs.BoolVarP(&logJson, "json", "j", false, "Write logging output in JSON lines") + fs.BoolVarP(&logQuiet, "quiet", "q", false, "Disable info logging") } func registerNetworkFlags(fs *pflag.FlagSet) { - fs.StringVarP(&proxy, "proxy", "x", "", "Proxy `URI`") - fs.StringVarP(&rpcClient.Filter, "epm-filter", "F", "", "String binding to filter endpoints returned by the RPC endpoint mapper (EPM)") - fs.StringVar(&rpcClient.Endpoint, "endpoint", "", "Explicit RPC endpoint definition") - fs.BoolVar(&rpcClient.NoEpm, "no-epm", false, "Do not use EPM to automatically detect RPC endpoints") - fs.BoolVar(&rpcClient.NoSign, "no-sign", false, "Disable signing on DCERPC messages") - fs.BoolVar(&rpcClient.NoSeal, "no-seal", false, "Disable packet stub encryption on DCERPC messages") - - //cmd.MarkFlagsMutuallyExclusive("endpoint", "epm-filter") - //cmd.MarkFlagsMutuallyExclusive("no-epm", "epm-filter") + fs.StringVarP(&proxy, "proxy", "x", "", "Proxy `URI`") + fs.StringVarP(&rpcClient.Filter, "epm-filter", "F", "", "String binding to filter endpoints returned by the RPC endpoint mapper (EPM)") + fs.StringVar(&rpcClient.Endpoint, "endpoint", "", "Explicit RPC endpoint definition") + fs.BoolVar(&rpcClient.NoEpm, "no-epm", false, "Do not use EPM to automatically detect RPC endpoints") + fs.BoolVar(&rpcClient.NoSign, "no-sign", false, "Disable signing on DCERPC messages") + fs.BoolVar(&rpcClient.NoSeal, "no-seal", false, "Disable packet stub encryption on DCERPC messages") + + //cmd.MarkFlagsMutuallyExclusive("endpoint", "epm-filter") + //cmd.MarkFlagsMutuallyExclusive("no-epm", "epm-filter") } // FUTURE: automatically stage & execute file @@ -38,105 +39,120 @@ func registerStageFlags(fs *pflag.FlagSet) { */ func registerExecutionFlags(fs *pflag.FlagSet) { - fs.StringVarP(&exec.Input.Executable, "exec", "e", "", "Remote Windows executable to invoke") - fs.StringVarP(&exec.Input.Arguments, "args", "a", "", "Process command line arguments") - fs.StringVarP(&exec.Input.Command, "command", "c", "", "Windows process command line (executable & arguments)") + fs.StringVarP(&exec.Input.Executable, "exec", "e", "", "Remote Windows executable to invoke") + fs.StringVarP(&exec.Input.Arguments, "args", "a", "", "Process command line arguments") + fs.StringVarP(&exec.Input.Command, "command", "c", "", "Windows process command line (executable & arguments)") - //cmd.MarkFlagsOneRequired("executable", "command") - //cmd.MarkFlagsMutuallyExclusive("executable", "command") + //cmd.MarkFlagsOneRequired("executable", "command") + //cmd.MarkFlagsMutuallyExclusive("executable", "command") } func registerExecutionOutputFlags(fs *pflag.FlagSet) { - fs.StringVarP(&outputPath, "out", "o", "", `Fetch execution output to file or "-" for standard output`) - fs.StringVarP(&outputMethod, "out-method", "m", "smb", "Method to fetch execution output") - //fs.StringVar(&exec.Output.RemotePath, "out-remote", "", "Location to temporarily store output on remote filesystem") - fs.BoolVar(&exec.Output.NoDelete, "no-delete-out", false, "Preserve output file on remote filesystem") + fs.StringVarP(&outputPath, "out", "o", "", `Fetch execution output to file or "-" for standard output`) + fs.StringVarP(&outputMethod, "out-method", "m", "smb", "Method to fetch execution output") + //fs.StringVar(&exec.Output.RemotePath, "out-remote", "", "Location to temporarily store output on remote filesystem") + fs.BoolVar(&exec.Output.NoDelete, "no-delete-out", false, "Preserve output file on remote filesystem") } func args(reqs ...func(*cobra.Command, []string) error) (fn func(*cobra.Command, []string) error) { - return func(cmd *cobra.Command, args []string) (err error) { - - for _, req := range reqs { - if err = req(cmd, args); err != nil { - return - } - } - return - } + return func(cmd *cobra.Command, args []string) (err error) { + + for _, req := range reqs { + if err = req(cmd, args); err != nil { + return + } + } + return + } +} + +func argsAcceptValues(name string, in *string, valid ...string) func(*cobra.Command, []string) error { + return func(*cobra.Command, []string) error { + for _, v := range valid { + if *in == v { + return nil + } + } + if j, err := json.Marshal(valid); err == nil { + return fmt.Errorf("parse %s: %q doesn't match any accepted values: %s", name, *in, string(j)) + } else { + return err + } + } } func argsTarget(proto string) func(cmd *cobra.Command, args []string) error { - return func(cmd *cobra.Command, args []string) (err error) { + return func(cmd *cobra.Command, args []string) (err error) { - if len(args) != 1 { - return errors.New("command require exactly one positional argument: [target]") - } + if len(args) != 1 { + return errors.New("command require exactly one positional argument: [target]") + } - if credential, target, err = adAuthOpts.WithTarget(context.TODO(), proto, args[0]); err != nil { - return fmt.Errorf("failed to parse target: %w", err) - } + if credential, target, err = adAuthOpts.WithTarget(context.TODO(), proto, args[0]); err != nil { + return fmt.Errorf("failed to parse target: %w", err) + } - if credential == nil { - return errors.New("no credentials supplied") - } - if target == nil { - return errors.New("no target supplied") - } - return - } + if credential == nil { + return errors.New("no credentials supplied") + } + if target == nil { + return errors.New("no target supplied") + } + return + } } func argsSmbClient() func(cmd *cobra.Command, args []string) error { - return args( - argsTarget("cifs"), + return args( + argsTarget("cifs"), - func(_ *cobra.Command, _ []string) error { + func(_ *cobra.Command, _ []string) error { - smbClient.Credential = credential - smbClient.Target = target - smbClient.Proxy = proxy + smbClient.Credential = credential + smbClient.Target = target + smbClient.Proxy = proxy - return smbClient.Parse(context.TODO()) - }, - ) + return smbClient.Parse(context.TODO()) + }, + ) } func argsRpcClient(proto string) func(cmd *cobra.Command, args []string) error { - return args( - argsTarget(proto), + return args( + argsTarget(proto), - func(cmd *cobra.Command, args []string) (err error) { + func(cmd *cobra.Command, args []string) (err error) { - rpcClient.Target = target - rpcClient.Credential = credential - rpcClient.Proxy = proxy + rpcClient.Target = target + rpcClient.Credential = credential + rpcClient.Proxy = proxy - return rpcClient.Parse(context.TODO()) - }, - ) + return rpcClient.Parse(context.TODO()) + }, + ) } func argsOutput(methods ...string) func(cmd *cobra.Command, args []string) error { - var as []func(*cobra.Command, []string) error + var as []func(*cobra.Command, []string) error - for _, method := range methods { - if method == "smb" { - as = append(as, argsSmbClient()) - } - } + for _, method := range methods { + if method == "smb" { + as = append(as, argsSmbClient()) + } + } - return args(append(as, func(*cobra.Command, []string) (err error) { + return args(append(as, func(*cobra.Command, []string) (err error) { - if outputPath != "" { - if outputPath == "-" { - exec.Output.Writer = os.Stdout + if outputPath != "" { + if outputPath == "-" { + exec.Output.Writer = os.Stdout - } else if exec.Output.Writer, err = os.OpenFile(outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644); err != nil { - log.Fatal().Err(err).Msg("Failed to open output file") - } - } - return - })...) + } else if exec.Output.Writer, err = os.OpenFile(outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644); err != nil { + log.Fatal().Err(err).Msg("Failed to open output file") + } + } + return + })...) } diff --git a/cmd/dcom.go b/cmd/dcom.go index 1a8d031..30c32bc 100644 --- a/cmd/dcom.go +++ b/cmd/dcom.go @@ -1,80 +1,184 @@ package cmd import ( - "context" - "github.com/FalconOpsLLC/goexec/pkg/goexec" - dcomexec "github.com/FalconOpsLLC/goexec/pkg/goexec/dcom" - "github.com/oiweiwei/go-msrpc/ssp/gssapi" - "github.com/spf13/cobra" + "context" + "github.com/FalconOpsLLC/goexec/pkg/goexec" + dcomexec "github.com/FalconOpsLLC/goexec/pkg/goexec/dcom" + "github.com/oiweiwei/go-msrpc/ssp/gssapi" + "github.com/spf13/cobra" ) func dcomCmdInit() { - cmdFlags[dcomCmd] = []*flagSet{ - defaultAuthFlags, - defaultLogFlags, - defaultNetRpcFlags, - } - dcomMmcCmdInit() - - dcomCmd.PersistentFlags().AddFlagSet(defaultAuthFlags.Flags) - dcomCmd.PersistentFlags().AddFlagSet(defaultLogFlags.Flags) - dcomCmd.PersistentFlags().AddFlagSet(defaultNetRpcFlags.Flags) - dcomCmd.AddCommand(dcomMmcCmd) + cmdFlags[dcomCmd] = []*flagSet{ + defaultAuthFlags, + defaultLogFlags, + defaultNetRpcFlags, + } + dcomMmcCmdInit() + dcomShellWindowsCmdInit() + dcomShellBrowserWindowCmdInit() + + dcomCmd.PersistentFlags().AddFlagSet(defaultAuthFlags.Flags) + dcomCmd.PersistentFlags().AddFlagSet(defaultLogFlags.Flags) + dcomCmd.PersistentFlags().AddFlagSet(defaultNetRpcFlags.Flags) + dcomCmd.AddCommand(dcomMmcCmd, dcomShellWindowsCmd, dcomShellBrowserWindowCmd) } func dcomMmcCmdInit() { - dcomMmcExecFlags := newFlagSet("Execution") + dcomMmcExecFlags := newFlagSet("Execution") + + registerExecutionFlags(dcomMmcExecFlags.Flags) + registerExecutionOutputFlags(dcomMmcExecFlags.Flags) + + dcomMmcExecFlags.Flags.StringVar(&dcomMmc.WorkingDirectory, "directory", `C:\`, "Working `directory`") + dcomMmcExecFlags.Flags.StringVar(&dcomMmc.WindowState, "window", "Minimized", "Window state") + + cmdFlags[dcomMmcCmd] = []*flagSet{ + dcomMmcExecFlags, + defaultAuthFlags, + defaultLogFlags, + defaultNetRpcFlags, + } + dcomMmcCmd.Flags().AddFlagSet(dcomMmcExecFlags.Flags) + + // Constraints + dcomMmcCmd.MarkFlagsOneRequired("command", "exec") +} + +func dcomShellWindowsCmdInit() { + dcomShellWindowsExecFlags := newFlagSet("Execution") + + registerExecutionFlags(dcomShellWindowsExecFlags.Flags) + registerExecutionOutputFlags(dcomShellWindowsExecFlags.Flags) + + dcomShellWindowsExecFlags.Flags.StringVar(&dcomShellWindows.WorkingDirectory, "directory", `C:\`, "Working `directory`") + dcomShellWindowsExecFlags.Flags.StringVar(&dcomShellWindows.WindowState, "app-window", "0", "Application window state `ID`") + + cmdFlags[dcomShellWindowsCmd] = []*flagSet{ + dcomShellWindowsExecFlags, + defaultAuthFlags, + defaultLogFlags, + defaultNetRpcFlags, + } + dcomShellWindowsCmd.Flags().AddFlagSet(dcomShellWindowsExecFlags.Flags) + + // Constraints + dcomShellWindowsCmd.MarkFlagsOneRequired("command", "exec") +} + +func dcomShellBrowserWindowCmdInit() { + dcomShellBrowserWindowExecFlags := newFlagSet("Execution") - registerExecutionFlags(dcomMmcExecFlags.Flags) - registerExecutionOutputFlags(dcomMmcExecFlags.Flags) + registerExecutionFlags(dcomShellBrowserWindowExecFlags.Flags) + registerExecutionOutputFlags(dcomShellBrowserWindowExecFlags.Flags) - dcomMmcExecFlags.Flags.StringVar(&dcomMmc.WorkingDirectory, "directory", `C:\`, "Working `directory`") - dcomMmcExecFlags.Flags.StringVar(&dcomMmc.WindowState, "window", "Minimized", "Window state") + dcomShellBrowserWindowExecFlags.Flags.StringVar(&dcomShellBrowserWindow.WorkingDirectory, "directory", `C:\`, "Working `directory`") + dcomShellBrowserWindowExecFlags.Flags.StringVar(&dcomShellBrowserWindow.WindowState, "app-window", "0", "Application window state `ID`") - cmdFlags[dcomMmcCmd] = []*flagSet{ - dcomMmcExecFlags, - defaultAuthFlags, - defaultLogFlags, - defaultNetRpcFlags, - } + cmdFlags[dcomShellBrowserWindowCmd] = []*flagSet{ + dcomShellBrowserWindowExecFlags, + defaultAuthFlags, + defaultLogFlags, + defaultNetRpcFlags, + } + dcomShellBrowserWindowCmd.Flags().AddFlagSet(dcomShellBrowserWindowExecFlags.Flags) - dcomMmcCmd.Flags().AddFlagSet(dcomMmcExecFlags.Flags) + // Constraints + dcomShellBrowserWindowCmd.MarkFlagsOneRequired("command", "exec") } var ( - dcomMmc dcomexec.DcomMmc + dcomMmc dcomexec.DcomMmc + dcomShellWindows dcomexec.DcomShellWindows + dcomShellBrowserWindow dcomexec.DcomShellBrowserWindow - dcomCmd = &cobra.Command{ - Use: "dcom", - Short: "Execute with Distributed Component Object Model (MS-DCOM)", - Long: `Description: + dcomCmd = &cobra.Command{ + Use: "dcom", + Short: "Execute with Distributed Component Object Model (MS-DCOM)", + Long: `Description: The dcom module uses exposed Distributed Component Object Model (DCOM) objects to spawn processes.`, - GroupID: "module", - Args: cobra.NoArgs, - } - - dcomMmcCmd = &cobra.Command{ - Use: "mmc [target]", - Short: "Execute with the DCOM MMC20.Application object", - Long: `Description: + GroupID: "module", + Args: cobra.NoArgs, + } + + dcomMmcCmd = &cobra.Command{ + Use: "mmc [target]", + Short: "Execute with the MMC20.Application DCOM object", + Long: `Description: The mmc method uses the exposed MMC20.Application object to call Document.ActiveView.ShellExec, and ultimately spawn a process on the remote host.`, - Args: args( - argsRpcClient("host"), - argsOutput("smb"), - ), - Run: func(cmd *cobra.Command, args []string) { - dcomMmc.Client = &rpcClient - dcomMmc.IO = exec - - ctx := log.With(). - Str("module", "dcom"). - Str("method", "mmc"). - Logger().WithContext(gssapi.NewSecurityContext(context.Background())) - - if err := goexec.ExecuteCleanMethod(ctx, &dcomMmc, &exec); err != nil { - log.Fatal().Err(err).Msg("Operation failed") - } - }, - } + Args: args( + argsRpcClient("host"), + argsOutput("smb"), + argsAcceptValues("window", &dcomMmc.WindowState, "Minimized", "Maximized", "Restored"), + ), + Run: func(cmd *cobra.Command, args []string) { + dcomMmc.Client = &rpcClient + dcomMmc.IO = exec + dcomMmc.ClassID = dcomexec.Mmc20Uuid + + ctx := log.With(). + Str("module", dcomexec.ModuleName). + Str("method", dcomexec.MethodMmc). + Logger().WithContext(gssapi.NewSecurityContext(context.Background())) + + if err := goexec.ExecuteCleanMethod(ctx, &dcomMmc, &exec); err != nil { + log.Fatal().Err(err).Msg("Operation failed") + } + }, + } + + dcomShellWindowsCmd = &cobra.Command{ + Use: "shellwindows [target]", + Short: "Execute with the ShellWindows DCOM object", + Long: `Description: + The shellwindows method uses the exposed ShellWindows DCOM object on older Windows installations + to call Item().Document.Application.ShellExecute, and spawn the provided process.`, + Args: args( + argsRpcClient("host"), + argsOutput("smb"), + argsAcceptValues("app-window", &dcomShellWindows.WindowState, "0", "1", "2", "3", "4", "5", "7", "10"), + ), + Run: func(cmd *cobra.Command, args []string) { + dcomShellWindows.Client = &rpcClient + dcomShellWindows.IO = exec + dcomShellWindows.ClassID = dcomexec.ShellWindowsUuid + + ctx := log.With(). + Str("module", dcomexec.ModuleName). + Str("method", dcomexec.MethodShellWindows). + Logger().WithContext(gssapi.NewSecurityContext(context.Background())) + + if err := goexec.ExecuteCleanMethod(ctx, &dcomShellWindows, &exec); err != nil { + log.Fatal().Err(err).Msg("Operation failed") + } + }, + } + + dcomShellBrowserWindowCmd = &cobra.Command{ + Use: "shellbrowserwindow [target]", + Short: "Execute with the ShellBrowserWindow DCOM object", + Long: `Description: + The shellbrowserwindow method uses the exposed ShellBrowserWindow DCOM object on older Windows installations + to call Document.Application.ShellExecute, and spawn the provided process.`, + Args: args( + argsRpcClient("host"), + argsOutput("smb"), + argsAcceptValues("app-window", &dcomShellBrowserWindow.WindowState, "0", "1", "2", "3", "4", "5", "7", "10"), + ), + Run: func(cmd *cobra.Command, args []string) { + dcomShellBrowserWindow.Client = &rpcClient + dcomShellBrowserWindow.IO = exec + dcomShellBrowserWindow.ClassID = dcomexec.ShellBrowserWindowUuid + + ctx := log.With(). + Str("module", dcomexec.ModuleName). + Str("method", dcomexec.MethodShellBrowserWindow). + Logger().WithContext(gssapi.NewSecurityContext(context.Background())) + + if err := goexec.ExecuteCleanMethod(ctx, &dcomShellBrowserWindow, &exec); err != nil { + log.Fatal().Err(err).Msg("Operation failed") + } + }, + } ) -- cgit v1.2.3