From f284a0a6e860d1a848424368038985b432ee7946 Mon Sep 17 00:00:00 2001
From: Bryan McNulty
Date: Mon, 28 Apr 2025 18:54:12 -0500
Subject: `dcom`: new method: `shellbrowserwindow`

---
 pkg/goexec/dcom/shellbrowserwindow.go | 52 +++++++++++++++++++++++++++++++++++
 pkg/goexec/dcom/shellwindows.go       |  4 +--
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 pkg/goexec/dcom/shellbrowserwindow.go
(limited to 'pkg')

diff --git a/pkg/goexec/dcom/shellbrowserwindow.go b/pkg/goexec/dcom/shellbrowserwindow.go
new file mode 100644
index 0000000..0825250
--- /dev/null
+++ b/pkg/goexec/dcom/shellbrowserwindow.go
@@ -0,0 +1,52 @@
+package dcomexec
+
+import (
+	"context"
+	"fmt"
+	"github.com/FalconOpsLLC/goexec/pkg/goexec"
+	"github.com/rs/zerolog"
+)
+
+const (
+	MethodShellBrowserWindow = "ShellBrowserWindow" // MMC20.Application::Document.ActiveView.ExecuteShellCommand
+)
+
+type DcomShellBrowserWindow struct {
+	Dcom
+
+	IO goexec.ExecutionIO
+
+	WorkingDirectory string
+	WindowState string
+}
+
+// Execute will perform command execution via the ShellBrowserWindow object. See https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
+func (m *DcomShellBrowserWindow) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
+
+	log := zerolog.Ctx(ctx).With().
+		Str("module", ModuleName).
+		Str("method", MethodShellBrowserWindow).
+		Logger()
+
+	method := "Document.Application.ShellExecute"
+
+	cmdline := execIO.CommandLine()
+	proc := cmdline[0]
+	args := cmdline[1]
+
+	// Arguments must be passed in reverse order
+	if _, err := callComMethod(ctx, m.dispatchClient,
+		nil,
+		method,
+		stringToVariant(m.WindowState),
+		stringToVariant(""), // FUTURE?
+		stringToVariant(m.WorkingDirectory),
+		stringToVariant(args),
+		stringToVariant(proc)); err != nil {
+
+		log.Error().Err(err).Msg("Failed to call method")
+		return fmt.Errorf("call %q: %w", method, err)
+	}
+	log.Info().Msg("Method call successful")
+	return
+}
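Review bot: The comment on `MethodShellBrowserWindow` still reads `// MMC20.Application::Document.ActiveView.ExecuteShellCommand`, which describes the MMC20 method rather than the call this file actually makes (`Document.Application.ShellExecute`); the second hunk of this same commit corrects the identical copy-pasted comment in shellwindows.go, so the new file should get the matching fix, e.g. `MethodShellBrowserWindow = "ShellBrowserWindow" // ShellBrowserWindow::Document.Application.ShellExecute`. Separately, `proc := cmdline[0]` and `args := cmdline[1]` index the result of `execIO.CommandLine()` unchecked; unless CommandLine() is guaranteed to return at least two elements (its contract is not visible here), a shorter result would panic with an index-out-of-range, and a guard such as `if len(cmdline) < 2 { return fmt.Errorf("command line must contain a program and an argument string") }` would surface that as a normal error instead. The `IO goexec.ExecutionIO` field on the struct is never read by Execute, which takes execIO as a parameter; if it is unused it could be dropped, otherwise a comment stating what it is for would help.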
diff --git a/pkg/goexec/dcom/shellwindows.go b/pkg/goexec/dcom/shellwindows.go
index b137d66..67537ec 100644
--- a/pkg/goexec/dcom/shellwindows.go
+++ b/pkg/goexec/dcom/shellwindows.go
@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	MethodShellWindows = "ShellWindows" // MMC20.Application::Document.ActiveView.ExecuteShellCommand
+	MethodShellWindows = "ShellWindows" // ShellWindows::Item().Document.Application.ShellExecute
 )
 
 type DcomShellWindows struct {
@@ -27,7 +27,7 @@ func (m *DcomShellWindows) Execute(ctx context.Context, execIO *goexec.Execution
 
 	log := zerolog.Ctx(ctx).With().
 		Str("module", ModuleName).
-		Str("method", MethodMmc).
+		Str("method", MethodShellWindows).
 		Logger()
 
 	method := "Item"
-- 
cgit v1.2.3