Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement Logo

Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement

0
Free
Visit Website

Last Wednesday, I had some down time so I decided to hunt around in System32 to see if I could find anything of potential interest. I located a few DLL files that shared an interesting export function called OpenURL: While looking for a quick win, I wanted to see if anything could be invoked without much effort. Sure enough, url.dll allowed for the execution an HTML application (.hta) using these commands: rundll32.exe url.dll,OpenURL "local\path\to\harmless.hta" rundll32.exe url.dll,OpenURLA "local\path\to\harmless.hta" After a few more functional tests across platforms, I (prematurely) posted this on Twitter, and the initial feedback was incredibly fast, educational, and humbling. On one hand, I should have went through a few more test routines to understand what was actually happening under the hood prior to posting. Conversely, it was incredible to see the instant reaction from some of the best practitioners in the field who helped triage this in what seemed like a matter of minutes. Big thanks to @subTee, @r0wdy_, and @Hexacorn for their rapid analysis! In short, the HTA was invoked using the OpenURL function, allowing for pass-thru command execution and lateral movement.

FEATURES

ALTERNATIVES

Repository of tools for testing iPhone messaging by Project Zero

A free, safe, and legal training ground for ethical hackers to test and expand their skills

A document that helps inform red team planning by contrasting against the very specific red team style described in Red Teams.

CrossC2 enables generation of cross-platform payloads for CobaltStrike, enhancing operational flexibility.

Using Apache mod_rewrite rules to rewrite incident responder or security appliance requests to an innocuous website or the target's real website.

Self-hosted Fuzzing-As-A-Service platform for continuous developer-driven fuzzing.

XAHICO Web Platform is a cloud-based solution for vulnerability detection, penetration testing, and adversary simulation, accessible through web browsers and suitable for various user levels.

A Python utility to takeover domains vulnerable to AWS NS Takeover

PINNED