Execution Hangs in Remote Host using dcomexec.py
sud0Ru opened this issue · 0 comments
Configuration
impacket version: v0.11.0
Python version: 3.11.6
Target OS: Windows 10.0.19045
Debug Output With Command String
```
python3 ./dcomexec.py Administrator:P@$$w0rd@192.168.177.164 -debug
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] SMBv3.0 dialect used
[+] Target system is 192.168.177.164 and isFQDN is False
[+] StringBinding: DESKTOP[59394]
[+] StringBinding: 192.168.177.164[59394]
[+] StringBinding chosen: ncacn_ip_tcp:192.168.177.164[59394]
[+] Target system is 192.168.177.164 and isFQDN is False
[+] StringBinding: DESKTOP[59394]
[+] StringBinding: 192.168.177.164[59394]
[+] StringBinding chosen: ncacn_ip_tcp:192.168.177.164[59394]
[+] Executing: /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__17027 2>&1
```
Additional context
1. Issue:
When attempting to utilize dcomexec.py to execute a command on a remote host, the execution hangs after the cd command. Upon debugging and analyzing network traffic, it is evident that the ShellExecute function is called successfully. However, the issue appears when the SMB client attempts to retrieve the command output file.
2. The cause of the issue:
It appears that the ShellWindows and ShellBrowserWindow COM objects in Windows 10 lack write permissions in the ADMIN$ or C$ shares.
3. Temporary solution:
As a quick and viable solution, modify the OUTPUT_FILENAME variable in dcomexec.py on line 62 to redirect the output to the Temp folder under the Admin$ share.
```python
OUTPUT_FILENAME = 'Temp\\__' + str(time.time())[:5]
```
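Detection logic for the command-line shape visible in the debug output above, added here as an example and not part of impacket or this issue: it matches the `/Q /c <cmd> 1> \\<host>\ADMIN$\__<time> 2>&1` redirection, including the `Temp\__` path from the workaround, against constructed process-creation log lines (the log format, hostnames and paths are assumptions).

```python
import re
from typing import Dict, List

# Regex for the dcomexec.py command line quoted in the debug output:
#   /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<time> 2>&1
# The OUTPUT_FILENAME workaround moves the file to Temp\__<time>, so an
# optional "Temp\" segment is accepted. Host and share are kept loose:
# the host may be a loopback address or a name, and C$ is matched too.
DCOM_REDIRECT_RE = re.compile(
    r"/Q\s+/c\s+.+?\s+1>\s*\\\\(?P<host>[^\\\s]+)\\(?P<share>ADMIN\$|C\$)\\"
    r"(?P<path>(?:Temp\\)?__\d+)\s+2>&1",
    re.IGNORECASE,
)


def find_dcomexec_style_commands(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose CommandLine field matches."""
    findings = []
    for line in lines:
        m = DCOM_REDIRECT_RE.search(line)
        if m:
            findings.append({
                "host": m.group("host"),
                "share": m.group("share"),
                "path": m.group("path"),
                "line": line,
            })
    return findings


# Constructed sample process-creation log lines (not real telemetry).
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\cmd.exe '
    r'CommandLine="cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__17027 2>&1"',
    r'Image=C:\Windows\System32\cmd.exe '
    r'CommandLine="cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\Temp\__17028 2>&1"',
    r'Image=C:\Windows\System32\cmd.exe '
    r'CommandLine="cmd.exe /c dir C:\Users"',
]

if __name__ == "__main__":
    for f in find_dcomexec_style_commands(SAMPLE_LOG):
        print(f"output redirected to {f['share']}\\{f['path']} on {f['host']}")
```

The third sample line is a plain cmd.exe invocation and is deliberately not flagged, so the rule keys on the share redirection rather than on cmd.exe alone.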