Microsoft Office is a common application that is deployed in every organisation. This wide usage transforms office into a tool that can be utilized to perform attacks that would allow the red team to gather domain hashes or execute arbitrary code.

Historically execution of code in Microsoft office was performed through the use of Macros. However SensePost discovered another method of executing arbitrary code by using the DDE (Dynamic Data Exchange) protocol. There are various places inside products of office that execution of code is accepted via DDE and this article will demonstrate the majority of these attack vectors. The article DDE Payloads can be used in conjunction with this post for the production of payloads.

Word

In Microsoft Word the easiest method is to insert a field code as it has been described in the original post by SensePost and embed the payload inside the formula.

Insert-> Quick Parts-> Field
Word - DDE via Field Code
Word – DDE via Field Code

Adding the following payload inside the brackets will produce some dialog box the next time that the file is opened. If the user chooses the Yes option the payload will be executed.

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"}
Word - DDE Payload
Word – DDE Payload

Alternatively it is possible to use a Macro to insert a payload into a field code as it was described by Paul Ritchie in his blog.

''' Programmatically inserts a new field code into a word document at the current selection index.
''' This is of type "wdFieldDDEAuto" which is a field code which executes Dynamic Data Exchange (DDE)
''' When the document is opened. This includes an example PoC which launches calc.exe
Public Sub FieldCodeFun()
' Payload String
Dim payload As String
payload = """c:\\windows\\system32\\calc.exe"" ""/c calc.exe"""
' Insert our payload as a field code
Selection.Collapse Direction:=wdCollapseEnd
ActiveDocument.Fields.Add Range:=Selection.Range, _
Type:=wdFieldDDEAuto, Text:=payload
End Sub
Word - DDE via Macro
Word – DDE via Macro

The payload will just execute calculator but it can be modified to contain any other payload.

Mike Czumak did a great discovery which has been discussed in his blog regarding loading the malicious DDE from another Word document which is externally hosted. The INCLUDE field code can be used with this attack vector combined with the external URL.

Word - Load DDE Payload from another document
Word – Load DDE Payload from Another Document

Excel

In Microsoft Excel DDE payloads can be utilized through the use of formulas. The following two formulas wiill execute code (calculator in this case) with the second formula to obfuscate the dialog box message to make it more legitimate.

=cmd|'/c calc.exe'!A1
=MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /c calc.exe'!''
Excel - DDE Command
Excel – DDE Command

The following dialog box will appear when the user opens the malicious Excel spreadsheet.

Excel - DDE Dialog Box
Excel – DDE Dialog Box

The second formula will still execute code but the message in the dialog box will be modified and instead of asking the user to start CMD.EXE it will ask him to start MSEXCEL.exe.

Excel - DDE 2nd Command
Excel – DDE 2nd Command

Outlook

In Outlook there are various locations that execution of DDE payloads can happen. Depending on the situation every method could be useful. For example if domain credentials have been obtained it might be easier to weaponise an email message and to send to multiple other users in order to obtain more shells inside the organisation.

Message

Sending an outlook message that contains a DDE can also execute code automatically. The same applies and for email messages that are sent as attachments.

Outlook Message - DDE Payload
Outlook Message – DDE Payload

However the email message needs to be sent as Rich Text Format (RTF) and delivered as RTF since some mail services convert all emails to HTML which will make the DDE payload to not work.

Outlook Message - DDE in Rich Text
Outlook Message – DDE and RTF

When the message arrive in the inbox of the user the DDE will execute upon browsing in that message.

Outlook Message - RTF Email Message
Outlook Message – RTF Email Message

Contact

Creation of a new contact or modification of an existing one and placing the DDE payload into the notes area can lead to execution of code.

Outlook - DDE Payload in Contact Notes
Outlook – DDE Payload in Contact Notes

The contact needs to be sent to the target user.

Outlook - Foward Contact with DDE
Outlook – Forward Contact with DDE

When the user opens the contact it will execute the embedded DDE payload.

Outlook - DDE Execution
Outlook – DDE Execution

Calendar Invite

The same concept applies and via calendar invitations. Sending a meeting invitation with a DDE payload will result in code execution if the user interacts with that invite (open or cancel).

Outlook - DDE via Calendar Invitations
Outlook – DDE via Calendar Invitations

References

10 Comments

    1. It is working on Word 2016 for sure. It has been tested and verified. In excel it is true that this is happening. However you can use Word or Outlook as alternative methods during assessments.

      1. Well I followed every step and nothing happened. Word shows me the warning about external references but it dont execute calc.

      2. In that case check if your version of office is patched. The following registry needs to have the value 2 which means enable. Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\AllowDDE

Leave a Reply to Proph Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s