+method: dcom vs-dte

Author: bryanmcnulty

cmd/dcom.go

@@ -24,6 +24,7 @@ func dcomCmdInit() {
   dcomShellBrowserWindowCmdInit()
   dcomHtafileCmdInit()
   dcomExcelXlmCmdInit()
+  dcomVsDteCmdInit()
 
   dcomCmd.PersistentFlags().AddFlagSet(defaultAuthFlags.Flags)
   dcomCmd.PersistentFlags().AddFlagSet(defaultLogFlags.Flags)
@@ -34,6 +35,7 @@ func dcomCmdInit() {
     dcomShellBrowserWindowCmd,
     dcomHtafileCmd,
     dcomExcelXlmCmd,
+    dcomVsDteCmd,
   )
 }
 
@@ -134,12 +136,34 @@ func dcomExcelXlmCmdInit() {
   dcomExcelXlmCmd.MarkFlagsMutuallyExclusive("macro", "macro-file", "out")
 }
 
+func dcomVsDteCmdInit() {
+  dcomVsDteExecFlags := newFlagSet("Execution")
+  dcomVsDteExecFlags.Flags.StringVar(&dcomVisualStudioDte.CommandName, "vs-command", "", "Visual Studio DTE command to execute")
+  dcomVsDteExecFlags.Flags.StringVar(&dcomVisualStudioDte.CommandArgs, "vs-args", "", "Visual Studio DTE command arguments")
+  registerExecutionFlags(dcomVsDteExecFlags.Flags)
+  registerExecutionOutputFlags(dcomVsDteExecFlags.Flags)
+
+  cmdFlags[dcomVsDteCmd] = []*flagSet{
+    dcomVsDteExecFlags,
+    defaultAuthFlags,
+    defaultLogFlags,
+    defaultNetRpcFlags,
+  }
+  dcomVsDteCmd.Flags().AddFlagSet(dcomVsDteExecFlags.Flags)
+
+  // Constraints
+  dcomVsDteCmd.MarkFlagsOneRequired("command", "exec", "vs-command")
+  dcomVsDteCmd.MarkFlagsMutuallyExclusive("command", "exec", "vs-command")
+  dcomVsDteCmd.MarkFlagsMutuallyExclusive("vs-command", "out")
+}
+
 var (
   dcomMmc                = dcomexec.DcomMmc{}
   dcomShellWindows       = dcomexec.DcomShellWindows{}
   dcomShellBrowserWindow = dcomexec.DcomShellBrowserWindow{}
   dcomHtafile            = dcomexec.DcomHtafile{}
   dcomExcelXlm           = dcomexec.DcomExcelXlm{}
+  dcomVisualStudioDte    = dcomexec.DcomVisualStudioDte{}
 
   dcomCmd = &cobra.Command{
     Use:   "dcom",
@@ -243,7 +267,7 @@ var (
     Short: "Execute with the Excel.Application DCOM object using XLM macros",
     Long: `Description:
   The excel-xlm method uses the exposed Excel.Application DCOM object to call ExecuteExcel4Macro, thus executing
-  XLM macros at will.`,
+  XLM macros at will. This method requires that the remote host has Microsoft Excel installed.`,
     Args: args(argsRpcClient("host", ""), argsOutput("smb"),
       func(*cobra.Command, []string) error {
         if dcomExcelXlm.MacroFile != "" {
@@ -261,7 +285,7 @@ var (
         return nil
       },
     ),
-    Run: func(cmd *cobra.Command, args []string) {
+    Run: func(*cobra.Command, []string) {
       dcomExcelXlm.Client = &rpcClient
       ctx := log.With().Str("module", dcomexec.ModuleName).Str("method", dcomexec.MethodExcelXlm).
         Logger().WithContext(gssapi.NewSecurityContext(context.Background()))
@@ -271,4 +295,22 @@ var (
       }
     },
   }
+
+  dcomVsDteCmd = &cobra.Command{
+    Use:   "vs-dte [target]",
+    Short: "Execute with the VisualStudio.DTE object",
+    Long: `Description:
+  The vs-dte method uses the exposed VisualStudio.DTE object to spawn a process via the ExecuteCommand method.
+  This method requires that the remote host has Microsoft Visual Studio installed.`,
+    Args: args(argsRpcClient("host", ""), argsOutput("smb")),
+    Run: func(*cobra.Command, []string) {
+      dcomVisualStudioDte.Client = &rpcClient
+      ctx := log.With().Str("module", dcomexec.ModuleName).Str("method", dcomexec.MethodVisualStudioDTE).
+        Logger().WithContext(gssapi.NewSecurityContext(context.Background()))
+
+      if err := goexec.ExecuteCleanMethod(ctx, &dcomVisualStudioDte, &exec); err != nil {
+        log.Fatal().Err(err).Msg("Operation failed")
+      }
+    },
+  }
 )

pkg/goexec/dcom/visualstudio.go

@@ -0,0 +1,63 @@
+package dcomexec
+
+import "github.com/rs/zerolog"
+
+/*
+See https://learn.microsoft.com/en-us/dotnet/api/envdte._dte.executecommand
+*/
+
+import (
+  "context"
+
+  "github.com/FalconOpsLLC/goexec/pkg/goexec"
+  "github.com/oiweiwei/go-msrpc/midl/uuid"
+
+  _ "github.com/oiweiwei/go-msrpc/msrpc/erref/hresult"
+  _ "github.com/oiweiwei/go-msrpc/msrpc/erref/ntstatus"
+  _ "github.com/oiweiwei/go-msrpc/msrpc/erref/win32"
+)
+
+const (
+  MethodVisualStudioDTE = "VisualStudio.DTE:ExecuteCommand"
+  VisualStudioDteUuid   = "33ABD590-0400-4FEF-AF98-5F5A8A99CFC3"
+)
+
+type DcomVisualStudioDte struct {
+  Dispatch
+  // CommandName is the name of the DTE command to invoke
+  CommandName string
+  // CommandArgs are the arguments to pass to the command
+  CommandArgs string
+}
+
+func (m *DcomVisualStudioDte) Init(ctx context.Context) (err error) {
+  if err = m.Dcom.Init(ctx); err == nil {
+    return m.getDispatch(ctx, uuid.MustParse(VisualStudioDteUuid))
+  }
+  return
+}
+
+func (m *DcomVisualStudioDte) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
+  log := zerolog.Ctx(ctx)
+  dteCmd := m.CommandName
+  dteArgs := m.CommandArgs
+  if dteCmd == "" {
+    dteCmd = "tools.shell"
+    dteArgs = execIO.String()
+  }
+  defer func() {
+    // Terminate devenv.exe
+    q, err := m.callComMethod(ctx, nil, "Quit")
+    if err != nil {
+      log.Warn().Err(err).Msg("Call to Quit() failed")
+      err = nil
+    }
+    zerolog.Ctx(ctx).Info().Int32("return", q.Return).Msg("Quit called")
+  }()
+  log.Info().Str("command", dteCmd).Str("args", dteArgs).Msg("Executing DTE command")
+  ir, err := m.callComMethod(ctx, nil, "ExecuteCommand", stringToVariant(dteArgs), stringToVariant(dteCmd))
+  if err == nil {
+    log.Info().Int32("return", ir.Return).Msg("ExecuteCommand called")
+  }
+  return
+}