Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement

Tags: Security Testing, Offensive Security

Last Wednesday, I Explored System32 and Discovered Some Interesting Findings

Last Wednesday I found myself with some free time, so I decided to poke around System32 to see whether I could uncover anything interesting. I came across several DLLs, one of which had a noteworthy exported function named OpenURL. Hoping for a quick win, I wanted to see whether I could execute something with minimal effort. To my surprise, url.dll allowed an HTML application (.hta) to be launched with either of the following commands:

rundll32.exe url.dll,OpenURL "local\path\to\harmless.hta"
rundll32.exe url.dll,OpenURLA "local\path\to\harmless.hta"

After a few additional functional tests across different platforms, I (perhaps prematurely) shared my findings on Twitter. The initial responses were remarkably swift, informative, and humbling. On one hand, I realize I should have tested more thoroughly to fully understand the underlying mechanics before sharing. On the other hand, it was remarkable to watch some of the leading experts in the field engage immediately and help analyze this within what felt like minutes. A big thank you to @subTee, @r0wdy_, and @Hexacorn for their prompt insights! In summary, the HTA was invoked through the OpenURL export of url.dll, which is what enabled the command execution and lateral movement described above.
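From the defender's side, the observable artifact of the behaviour described above is a rundll32.exe process whose command line references url.dll together with the OpenURL or OpenURLA export, usually followed by a path ending in .hta. The following is an added example (not code from the original post) that runs that check over a handful of constructed process-creation records shaped like Sysmon Event ID 1 fields; the field names, the sample command lines, and the severity scheme are assumptions chosen for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative records written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe url.dll,OpenURL "C:\Users\alice\AppData\Local\Temp\harmless.hta"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
        "CommandLine": r"RUNDLL32.EXE C:\Windows\System32\url.dll,OpenURLA C:\Users\alice\Downloads\notes.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        # Same DLL, different export: not the behaviour described in the post.
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe url.dll,FileProtocolHandler https://example.com/",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Matches "url,OpenURL", "url.dll,OpenURLA", or a full path to url.dll, case-insensitively.
# The leading class keeps "myurl.dll" from matching while still allowing a preceding
# space, quote, or backslash.
EXPORT_RE = re.compile(r'(?:^|[\s"\\])url(?:\.dll)?\s*,\s*(OpenURLA?)\b', re.IGNORECASE)


def _basename(path):
    """Return the last path component; handles Windows separators on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze_event(event):
    """Return a finding dict for a url.dll OpenURL/OpenURLA invocation, or None."""
    if _basename(event.get("Image", "")).lower() != "rundll32.exe":
        return None
    cmd = event.get("CommandLine", "")
    match = EXPORT_RE.search(cmd)
    if not match:
        return None
    # Everything after the export name is the argument handed to OpenURL.
    target = cmd[match.end():].strip().strip('"')
    # An .hta argument is the case the post describes; anything else still deserves a look.
    severity = "high" if target.lower().endswith(".hta") else "medium"
    return {
        "export": match.group(1),
        "target": target,
        "parent": _basename(event.get("ParentImage", "")),
        "severity": severity,
    }


def scan(events):
    """Return (index, finding) pairs for every event that triggers the rule."""
    findings = []
    for index, event in enumerate(events):
        finding = analyze_event(event)
        if finding is not None:
            findings.append((index, finding))
    return findings


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding['severity']} - rundll32 url.dll,{finding['export']} "
              f"-> {finding['target']} (parent: {finding['parent']})")
```

The rule keys on the export name rather than on the .hta extension alone, because the argument could be renamed; the extension only raises the severity. In production telemetry the same logic would sit on top of whichever process-creation source is available (Sysmon, Windows Security 4688 with command-line auditing, or an EDR feed) rather than on the constructed list used here.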