path: root/cmd/dcom.go
blob: d105b0cadd0d9ebd97b8043ec96b3d9faf387ad6 (plain)
package cmd

import (
	"github.com/FalconOpsLLC/goexec/internal/exec"
	dcomexec "github.com/FalconOpsLLC/goexec/internal/exec/dcom"
	"github.com/spf13/cobra"
)

// dcomCmdInit prepares the "dcom" command tree: it registers the RPC flags on
// dcomCmd, initialises the flags of the mmc subcommand, and attaches that
// subcommand to dcomCmd.
func dcomCmdInit() {
	// registerRpcFlags is defined elsewhere in this package; presumably it adds
	// the connection/authentication flags shared by RPC-based modules — confirm.
	registerRpcFlags(dcomCmd)
	// Flags of the subcommand are set up before it is attached to its parent.
	dcomMmcCmdInit()
	dcomCmd.AddCommand(dcomMmcCmd)
}

// dcomMmcCmdInit registers the flags of the "dcom mmc" subcommand and binds
// each of them to a package-level variable (executable, workingDirectory,
// executableArgs, windowState, command).
//
// Exactly one of --executable and --command has to be supplied: cobra rejects
// the invocation when both are given or when neither is.
func dcomMmcCmdInit() {
	flags := dcomMmcCmd.Flags()

	flags.StringVarP(&executable, "executable", "e", "", "Remote Windows executable to invoke")
	flags.StringVarP(&workingDirectory, "directory", "d", `C:\`, "Working directory")
	flags.StringVarP(&executableArgs, "args", "a", "", "Process command line")
	flags.StringVar(&windowState, "window", "Minimized", "Window state")
	// NOTE(review): `command` is only bound here; the Run handler of dcomMmcCmd
	// reads executable/executableArgs. Presumably --command is split into those
	// two values elsewhere in the package — confirm, otherwise the flag is a no-op.
	flags.StringVarP(&command, "command", "c", ``, "Windows executable & arguments to run")

	// NOTE(review): --window and --directory are accepted as free-form strings;
	// no validation of either value is visible in this file.
	dcomMmcCmd.MarkFlagsOneRequired("executable", "command")
	dcomMmcCmd.MarkFlagsMutuallyExclusive("executable", "command")
}

var (
	// dcomCmd is the parent "dcom" command. It takes no positional arguments
	// and defines no Run handler of its own; subcommands are attached in
	// dcomCmdInit.
	dcomCmd = &cobra.Command{
		Use:   "dcom",
		Short: "Establish execution via DCOM",
		Args:  cobra.NoArgs,
	}

	// dcomMmcCmd is the "dcom mmc" subcommand. Its handler connects to the
	// target over DCE/RPC and asks the dcom module to run the configured
	// executable with the mmc method.
	//
	// NOTE(review): for defenders, the references listed in Long describe this
	// as remote process creation through the MMC20.Application COM object; the
	// resulting process on the target is commonly reported as a child of
	// mmc.exe — verify against the linked write-ups before relying on it for
	// detection logic.
	dcomMmcCmd = &cobra.Command{
		Use:   "mmc [target]",
		Short: "Establish execution via the DCOM MMC20.Application object",
		// NOTE(review): the help text calls the method "ShellExec", while the
		// Microsoft reference linked below documents it as ExecuteShellCommand.
		Long: `Description:
  The mmc method uses the exposed MMC20.Application object to call Document.ActiveView.ShellExec,
  and ultimately execute system commands.

References:
  https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects
  https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
  https://github.com/fortra/impacket/blob/master/examples/dcomexec.py
  https://learn.microsoft.com/en-us/previous-versions/windows/desktop/mmc/view-executeshellcommand
`,
		// needsRpcTarget is defined elsewhere in the package; presumably it
		// validates the positional argument and fills in `target` — confirm.
		Args: needsRpcTarget("host"),
		Run: func(cmd *cobra.Command, args []string) {
			// Tag every log line emitted through ctx with the module and method.
			ctx = log.With().
				Str("module", "dcom").
				Str("method", "mmc").
				Logger().WithContext(ctx)

			// How to reach the target: DCE/RPC, configured by the package-level dceConfig.
			conn := &exec.ConnectionConfig{
				ConnectionMethod:       exec.ConnectionMethodDCE,
				ConnectionMethodConfig: dceConfig,
			}

			// What to run: executable and arguments, plus the mmc-specific
			// working directory and window state taken from the flags.
			mmcOpts := dcomexec.MethodMmcConfig{
				WorkingDirectory: workingDirectory,
				WindowState:      windowState,
			}
			job := &exec.ExecutionConfig{
				ExecutableName:        executable,
				ExecutableArgs:        executableArgs,
				ExecutionMethod:       dcomexec.MethodMmc,
				ExecutionMethodConfig: mmcOpts,
			}

			mod := dcomexec.Module{}

			// Exec is attempted only when Connect succeeded.
			// NOTE(review): log.Fatal presumably terminates the process (zerolog
			// semantics — confirm); no cleanup or disconnect call is visible here.
			if err := mod.Connect(ctx, creds, target, conn); err != nil {
				log.Fatal().Err(err).Msg("Connection failed")
				return
			}
			if err := mod.Exec(ctx, job); err != nil {
				log.Fatal().Err(err).Msg("Execution failed")
			}
		},
	}
)