package cmd
import (
"context"
dcomexec "github.com/FalconOpsLLC/goexec/pkg/goexec/dcom"
"github.com/oiweiwei/go-msrpc/ssp/gssapi"
"github.com/spf13/cobra"
)
// dcomCmdInit assembles the "dcom" command tree. It hands dcomCmd to
// registerRpcFlags (defined elsewhere; presumably adds the shared RPC
// connection flags), initialises the mmc subcommand's flags, and attaches
// that subcommand to dcomCmd.
func dcomCmdInit() {
	registerRpcFlags(dcomCmd)

	// Set up the mmc subcommand's flags, then attach it under "dcom".
	dcomMmcCmdInit()
	dcomCmd.AddCommand(dcomMmcCmd)
}
// dcomMmcCmdInit declares the flags of the "dcom mmc" subcommand and binds
// them to the package-level dcomMmc value:
//
//	-d, --directory  -> dcomMmc.WorkingDirectory (default `C:\`)
//	    --window     -> dcomMmc.WindowState      (default "Minimized")
//
// Neither value is validated here. WindowState is presumably forwarded to the
// MMC view call described in the Microsoft reference linked from the command's
// help text, which documents the accepted values — confirm in the dcom package.
func dcomMmcCmdInit() {
	flags := dcomMmcCmd.Flags()

	flags.StringVarP(&dcomMmc.WorkingDirectory, "directory", "d", `C:\`, "Working directory")
	flags.StringVar(&dcomMmc.WindowState, "window", "Minimized", "Window state")

	// Defined elsewhere; presumably registers the arguments that describe the
	// process to execute.
	registerProcessExecutionArgs(dcomMmcCmd)
}
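var (
	// dcomMmc holds the settings of the MMC20.Application method. Its
	// WorkingDirectory and WindowState fields are bound to command-line flags
	// in dcomMmcCmdInit.
	dcomMmc dcomexec.DcomMmc

	// dcomCmd is the parent "dcom" command. It accepts no positional arguments
	// and has no Run function of its own; methods are attached as subcommands.
	dcomCmd = &cobra.Command{
		Use:   "dcom",
		Short: "Establish execution via DCOM",
		Args:  cobra.NoArgs,
	}

	// dcomMmcCmd implements "dcom mmc [target]": it connects the shared
	// rpcClient, initialises dcomMmc on top of it and runs exec.Input through
	// the module.
	//
	// Detection note: on the target host this technique typically shows up as
	// mmc.exe started by DCOM activation (command line ending in -Embedding)
	// that then spawns the requested process. Alerting on child processes of
	// mmc.exe and restricting remote DCOM launch/activation permissions are
	// the usual mitigations.
	dcomMmcCmd = &cobra.Command{
		Use:   "mmc [target]",
		Short: "Establish execution via the DCOM MMC20.Application object",
		// NOTE(review): the Microsoft reference listed below names the method
		// ExecuteShellCommand; "ShellExec" in the text looks like shorthand.
		Long: `Description:
The mmc method uses the exposed MMC20.Application object to call Document.ActiveView.ShellExec,
and ultimately execute system commands.
References:
https://www.scorpiones.io/articles/lateral-movement-using-dcom-objects
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
https://github.com/fortra/impacket/blob/master/examples/dcomexec.py
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/mmc/view-executeshellcommand
`,
		// argsRpcClient is defined elsewhere; presumably it validates the
		// positional target and prepares rpcClient — confirm against its
		// definition.
		Args: argsRpcClient("host"),
		Run: func(cmd *cobra.Command, args []string) {
			// Start from a background context that carries a fresh GSSAPI
			// security context for the RPC authentication.
			// NOTE(review): context.Background() has no deadline or
			// cancellation, so a stalled connection is bounded only by
			// whatever timeouts rpcClient applies itself.
			ctx := gssapi.NewSecurityContext(context.Background())

			// Attach a logger tagged with module and method to the context so
			// code that receives ctx can log with the same fields.
			ctx = log.With().
				Str("module", "dcom").
				Str("method", "mmc").
				Logger().
				WithContext(ctx)

			// A failed connection is reported the same way as the Init and
			// Execute failures below (error log plus returnCode) instead of a
			// Fatal-level event, which with a zerolog-style logger would
			// terminate the process on the spot and skip any post-run hooks
			// or deferred cleanup the caller has.
			if err := rpcClient.Connect(ctx); err != nil {
				log.Error().Err(err).Msg("Connection failed")
				returnCode = 1
				return
			}

			// Close the connection on every path once it has been opened; a
			// failure to close is logged but does not change returnCode.
			defer func() {
				if closeErr := rpcClient.Close(ctx); closeErr != nil {
					log.Error().Err(closeErr).Msg("Failed to close connection")
				}
			}()

			if err := dcomMmc.Init(ctx, &rpcClient); err != nil {
				log.Error().Err(err).Msg("Module initialization failed")
				returnCode = 1
				return
			}

			// exec.Input is populated outside this file (presumably from the
			// arguments registered by registerProcessExecutionArgs).
			if err := dcomMmc.Execute(ctx, exec.Input); err != nil {
				log.Error().Err(err).Msg("Execution failed")
				returnCode = 1
			}
		},
	}
)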