Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement Logo

Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement

0
Free
Visit Website

Last Wednesday, I had some down time so I decided to hunt around in System32 to see if I could find anything of potential interest. I located a few DLL files that shared an interesting export function called OpenURL: While looking for a quick win, I wanted to see if anything could be invoked without much effort. Sure enough, url.dll allowed for the execution an HTML application (.hta) using these commands: rundll32.exe url.dll,OpenURL "local\path\to\harmless.hta" rundll32.exe url.dll,OpenURLA "local\path\to\harmless.hta" After a few more functional tests across platforms, I (prematurely) posted this on Twitter, and the initial feedback was incredibly fast, educational, and humbling. On one hand, I should have went through a few more test routines to understand what was actually happening under the hood prior to posting. Conversely, it was incredible to see the instant reaction from some of the best practitioners in the field who helped triage this in what seemed like a matter of minutes. Big thanks to @subTee, @r0wdy_, and @Hexacorn for their rapid analysis! In short, the HTA was invoked using the OpenURL function, allowing for pass-thru command execution and lateral movement.

FEATURES

ALTERNATIVES

A powerful tool for hiding the true location of your Teamserver, evading detection from Incident Response, redirecting users, blocking specific IP addresses, and managing Malleable C2 traffic in Red Team engagements.

A collection of tips and tricks for container and container orchestration hacking

Comprehensive host-survey tool for security checks in C#.

An AI-powered penetration testing platform that autonomously discovers, exploits, and documents vulnerabilities while generating NIST-compliant reports.

ISF (Industrial Exploitation Framework) - An exploitation framework for industrial systems with various ICS protocol clients and exploit modules.

RTA provides a framework of scripts for blue teams to test detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

A tool for recursively querying webservers

A tool for mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing

PINNED