Pentesting Tools

DCOMUploadExec : A Tool For Lateral Movement Exploits Using IMsiServer

DCOMUploadExec is a proof-of-concept (PoC) tool designed to exploit the Distributed Component Object Model (DCOM) for lateral movement within a network.

By leveraging the IMsiServer interface, this tool demonstrates how attackers can abuse Windows Installer’s COM functionality to execute payloads on remote systems. Below is an overview of its functionality, usage, and limitations.

Overview Of DCOMUploadExec

DCOMUploadExec consists of two key components:

  1. DCOMUploadExec (C++ Project): This hosts the main attack code responsible for uploading and executing payloads on remote systems.
  2. AssemblyPayload (.NET DLL): A default payload that pops up a MessageBox when executed. It serves as a template for custom payloads.

This tool bypasses traditional methods like PsExec by exploiting the IMsiServer interface in msiexec.exe, enabling attackers to upload and execute DLLs remotely.

Features And Basic Usage

Core Functionality

  • Uploads a strong-named .NET DLL payload to the target machine.
  • Loads the DLL into a remote msiexec.exe process.
  • Executes an export function (InitializeEmbeddedUI) from the DLL.
  • Receives execution results from the target system.
  1. Compile the Solution: Build both projects (DCOMUploadExec and AssemblyPayload).
  2. Run the Tool:
  • For domain-based attacks:
    DCOMUploadExec.exe [domain]$$user]:[password]@[address]
  • For local testing (requires admin privileges):
    DCOMUploadExec.exe LOCALHOST

Payload Configuration

To customize the payload:

  1. Create a strong-named .NET assembly with an exported function named InitializeEmbeddedUI.
  2. Update PayloadConfig.h with details of your custom payload:
  • PAYLOAD_ASSEMBLY_PATH: Path to your DLL.
  • ASSEMBLY_NAME: Name of your assembly.
  • ASSEMBLY_BITNESS: Specify “64” (x64) or “32” (x86).
  • ASSEMBLY_VERSION: Version obtained via tools like sigcheck.exe.
  • ASSEMBLY_PUBLIC_KEY: Public key generated using sn.exe.

Recompile DCOMUploadExec to use this custom payload.

  • Both attacker and victim machines must be in the same domain or forest.
  • The DCOM Hardening patch must be consistent on both systems (either applied or absent).
  • The payload must be a strong-named .NET assembly and architecture-specific (x86 or x64).

DCOMUploadExec highlights how attackers can exploit lesser-known COM interfaces like IMsiServer for lateral movement.

While it serves as a PoC, it underscores the importance of securing DCOM configurations, applying patches, and monitoring suspicious activity in enterprise environments.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityDCOMUploadExecinformationsecuritykalilinuxkalilinuxtools
7 months ago

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

7 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

7 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 week ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

1 week ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

1 week ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

1 week ago